How can I avoid "Insecure operation - stat (SecurityError)"

I’m trying to get some ruby code, running under mod_ruby, to retrieve the
mtime of a file. But calls to stat raise “Insecure operation - stat
(SecurityError)”.

$SAFE is at 1; trying to lower it raises an error.
The site runs ruby 1.6.7 (2002-07-11) [i386-freebsd4]

How can I retrieve the last mod time of a file without raising security
errors?
Untainting the string variable holding the name of file doesn’t help either.

Thanks,

James

Try putting this in your httpd.conf and then restarting Apache:

RubySafeLevel 0

There might be another way to get your code to work without decreasing
the safe level (which is probably more secure). You might try asking
on the modruby mailing list (modruby.net).

···

On Mon, Aug 19, 2002 at 03:34:53AM +0900, JamesBritt wrote:

I’m trying to get some ruby code, running under mod_ruby, to retrieve the
mtime of a file. But calls to stat raise “Insecure operation - stat
(SecurityError)”.

$SAFE is at 1; trying to lower it raises an error.
The site runs ruby 1.6.7 (2002-07-11) [i386-freebsd4]

How can I retrieve the last mod time of a file without raising security
errors?
Untainting the string variable holding the name of file doesn’t help either.

Hi,

$SAFE is at 1; trying to lower it raises an error.
The site runs ruby 1.6.7 (2002-07-11) [i386-freebsd4]

How can I retrieve the last mod time of a file without raising security
errors?
Untainting the string variable holding the name of file doesn’t help either.

$ ruby-1.6 -e 's = "/etc/fstab".taint; $SAFE=1; p File.stat(s)'
-e:1:in `stat': Insecure operation - stat (SecurityError)
from -e:1
$ ruby-1.6 -e 's = "/etc/fstab".taint; $SAFE=1; s.untaint; p File.stat(s)'
#<File::Stat dev=5634, ino=32063, mode=33188, nlink=1, uid=0,
gid=0, rdev=0, size=2285, blksize=4096, blocks=6,
atime=Sun Aug 18 21:17:23 JST 2002,
mtime=Sat Feb 09 22:57:27 JST 2002,
ctime=Tue Feb 26 14:54:52 JST 2002>

···

At Mon, 19 Aug 2002 03:34:53 +0900, JamesBritt wrote:


Nobu Nakada

How can I retrieve the last mod time of a file without raising security
errors?
Untainting the string variable holding the name of file doesn’t
help either.

Try putting this in your httpd.conf and then restarting Apache:

RubySafeLevel 0

Thanks, but I’m just a system user, with no access to the apache config.
Plus, it seems like a bad idea to reduce security for all processes when
what I really want is to explicitly drop my guard for a specific piece of
code.

There might be another way to get your code to work without decreasing
the safe level (which is probably more secure). You might try asking
on the modruby mailing list (modruby.net).

I’ll see about that. Thanks

James

···

$SAFE is at 1; trying to lower it raises an error.
The site runs ruby 1.6.7 (2002-07-11) [i386-freebsd4]

How can I retrieve the last mod time of a file without raising security
errors?
Untainting the string variable holding the name of file doesn’t
help either.

$ ruby-1.6 -e 's = "/etc/fstab".taint; $SAFE=1; p File.stat(s)'
-e:1:in `stat': Insecure operation - stat (SecurityError)
from -e:1
$ ruby-1.6 -e 's = "/etc/fstab".taint; $SAFE=1; s.untaint; p File.stat(s)'
#<File::Stat dev=5634, ino=32063, mode=33188, nlink=1, uid=0,
gid=0, rdev=0, size=2285, blksize=4096, blocks=6,
atime=Sun Aug 18 21:17:23 JST 2002,
mtime=Sat Feb 09 22:57:27 JST 2002,
ctime=Tue Feb 26 14:54:52 JST 2002>

Thanks.

I must confess, though, that I was wrong: untaint does solve the problem.
I had numerous places triggering the error, and wasn’t watching the line
number change.

James

···

At Mon, 19 Aug 2002 03:34:53 +0900, JamesBritt wrote:


Nobu Nakada
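
Untainting, as settled on in the thread, is only sound once the file name has been validated. The following is an added example, not code from any poster here, that checks a name before untainting it and reading the mtime. The names `checked_mtime` and `SAFE_NAME` and the trusted `base_dir` are assumptions, and the `untaint` call is skipped on Ruby versions that no longer have taint tracking:

```ruby
require 'tmpdir'

# Hypothetical helper, not code from the thread. base_dir is assumed to come
# from trusted configuration; requested is the untrusted (tainted) input.
SAFE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ # one component, no "/" or leading "."

def checked_mtime(requested, base_dir)
  name = requested.to_s.dup
  unless name =~ SAFE_NAME
    raise SecurityError, "rejected file name: #{name.inspect}"
  end
  # The name passed validation, so clearing its taint flag is now justified.
  # Rubies without taint tracking have no untaint method; skip it there.
  name.untaint if name.respond_to?(:untaint)

  base = File.realpath(base_dir)
  real = File.realpath(File.join(base, name))
  # A symlink inside base_dir could still point elsewhere; refuse those too.
  unless real.start_with?(base + File::SEPARATOR)
    raise SecurityError, "#{name.inspect} resolves outside #{base}"
  end
  File.stat(real).mtime
end

# Constructed sample data: a temp directory holding one regular file and one
# symlink that escapes the directory.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "page.html"), "hello")
    File.symlink("/", File.join(dir, "escape"))
    ["page.html", "../etc/fstab", "/etc/fstab", "escape"].map do |input|
      begin
        [input, checked_mtime(input, dir).class]
      rescue SecurityError
        [input, :rejected]
      end
    end
  end
end

demo.each { |input, result| puts "#{input.inspect} -> #{result}" } if __FILE__ == $0
```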