Eval and mod_ruby/eRuby


(Gavin Kistner) #1

Using mod_ruby, ruby 1.8.1, eRuby and Apache2:

<%
require 'cgi'

puts "$SAFE is #{$SAFE}"

cgi = CGI.new
code = cgi['code']
puts "code is '#{code}'"

puts "code.tainted? is #{code.tainted?}"

code.untaint
puts "code.tainted? is #{code.tainted?}"

#puts eval(code)
%>

PRODUCES

$SAFE is 1
code is 'puts "Hello z"'
code.tainted? is false
code.tainted? is false

But if I uncomment the last line the error in my apache log is:

[Wed Feb 18 11:06:24 2004] [error] mod_ruby: error in ruby
/Users/gavinkistner/Sites/rubyeval.rhtml:10:in `eval': Insecure operation - eval (SecurityError)
        from /Users/gavinkistner/Sites/rubyeval.rhtml:10
        from (eval):115
        from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `eval_string_wrap'
        from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:114:in `run'
        from /usr/local/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'

I know it’s dangerous. This is on a private, protected machine for my
own personal use. How can I allow eval() to run under eRuby/mod_ruby?



(David Heinemeier Hansson) #2

I know it’s dangerous. This is on a private, protected machine for
my own personal use. How can I allow eval() to run under
eRuby/mod_ruby?

You need access to the httpd.conf, so it won’t fly on a shared server,
but:

# other settings
RubySafeLevel 0

This removes all the tainted security. So beware…



David Heinemeier Hansson,
http://www.basecamphq.com/ – Web-based Project Management
http://www.loudthinking.com/ – Broadcasting Brain


(Gavin Kistner) #3

David Heinemeier Hansson wrote:

# other settings
RubySafeLevel 0

This removes all the tainted security. So beware…

While I appreciate that this will work, I don’t understand why it’s
necessary.

According to:
http://phrogz.net/ProgrammingRuby/frameset.asp?content=taint.asp%23safelevels

$SAFE>=1 : […] Can’t eval tainted strings.

As noted, the string involved isn’t tainted. (And even if it had been,
the call to #untaint would have untainted it, since it’s not until
$SAFE>=3 that things can’t be untainted.)

So…why is mod_ruby borking? Does it somehow impose different rules on
what $SAFE means?

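Added example, not part of the original thread and not mod_ruby or eRuby code: an emulation of the Ruby 1.8 taint / $SAFE rules that post #3 quotes (level >= 1 refuses to eval a tainted string, level >= 3 refuses to untaint), written so it runs on current Ruby, where $SAFE, String#taint, #untaint and #tainted? have been removed. It runs the sequence from post #1 (read the parameter, eval, untaint, eval again) under levels 0, 1 and 3 so the three outcomes can be compared. The class and method names (SafeLevelGuard, run_sequence, attempt) and the request parameters are this example's own constructions; it reproduces the documented rules, not mod_ruby's behaviour, and does not explain why the thread's already-untainted string was still refused.

```ruby
# Added example (not from the thread): emulates the Ruby 1.8 taint / $SAFE rules
# quoted in post #3, on current Ruby where $SAFE, String#taint, #untaint and
# #tainted? no longer exist. SafeLevelGuard, run_sequence, attempt and the
# request parameters are this example's own; nothing here is mod_ruby or eRuby.

class SafeLevelGuard
  # Thresholds as the cited $SAFE table states them:
  #   level >= 1 : eval of a tainted string is an "Insecure operation"
  #   level >= 3 : objects can no longer be untainted
  EVAL_LEVEL    = 1
  UNTAINT_LEVEL = 3

  attr_reader :level

  def initialize(level)
    @level   = level
    @tainted = {}.compare_by_identity # taint is per object, not per value
  end

  # Models Ruby 1.8 marking data read from the request as tainted.
  def from_request(params, key)
    value = params.fetch(key).dup
    @tainted[value] = true
    value
  end

  def tainted?(obj)
    @tainted.key?(obj)
  end

  def untaint(obj)
    raise SecurityError, "Insecure operation - untaint" if @level >= UNTAINT_LEVEL
    @tainted.delete(obj)
    obj
  end

  # At level >= 1 a tainted string is refused. Otherwise this is a real eval of
  # request-controlled text, which is the remote code execution post #2 warns
  # about when RubySafeLevel is set to 0.
  def safe_eval(code)
    if @level >= EVAL_LEVEL && tainted?(code)
      raise SecurityError, "Insecure operation - eval"
    end
    eval(code)
  end
end

# Returns the block's value, or the SecurityError message if one was raised.
def attempt
  yield
rescue SecurityError => e
  e.message
end

# Runs the steps from post #1 (read parameter, eval, untaint, eval again) under
# one safe level and records each outcome. The parameter is a constructed stand-in
# for cgi['code']; the hash values are evaluated in source order.
def run_sequence(level, params = { "code" => "2 + 3" })
  guard = SafeLevelGuard.new(level)
  code  = guard.from_request(params, "code")
  {
    level:               level,
    tainted_on_arrival:  guard.tainted?(code),
    eval_before_untaint: attempt { guard.safe_eval(code) },
    untaint:             attempt { guard.untaint(code); :ok },
    eval_after_untaint:  attempt { guard.safe_eval(code) },
  }
end

if $PROGRAM_NAME == __FILE__
  [0, 1, 3].each { |lvl| p run_sequence(lvl) }
end
```

Under level 1 the first eval is refused and the second succeeds once the string is untainted, which is the sequence post #3 expects; under level 3 the untaint itself is refused; under level 0, the setting post #2 suggests, both evals run on whatever the request carried.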