When running under mod_ruby with the default $SAFE == 1, a file
containing only this:
require 'active_record'
will give a 500 response with the error:
mod_ruby: error in ruby
mod_ruby: /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in `read': Insecure operation - read (SecurityError)
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in `load_specification'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:45:in `from_installed_gems'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:44:in `from_installed_gems'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:63:in `from_installed_gems'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems.rb:79:in `source_index'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:105:in `init_gemspecs'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:50:in `initialize'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:24:in `require'
mod_ruby: from /home/user/public_html/lvs/cgi/safe_test.rbx:1
mod_ruby: from /usr/lib64/ruby/1.8/apache/ruby-run.rb:53:in `handler'
I think this is happening because whatever is loaded from active_record
is tainted and then can't be used to do the requires that active_record
needs to do. That could be way off though.
I'm aware of the RubySafeLevel apache directive, but is there a
reasonable way to keep $SAFE == 1 and still be able to require
active_record?
Eric Hodel wrote:
> What version of RubyGems are you using?
$ gem --version
shows 0.8.11
I just updated RubyGems and now everything in my original script is
working fine. If you don't mind, could you give me a bit of detail
about what went wrong and what was changed in later versions of Gems?
To satisfy my curiosity more than anything.
I added $SAFE = 1 support to RubyGems in 0.9.0. Before that RubyGems didn't untaint objects and was incapable of working.
On Jan 22, 2007, at 12:25, yermej@gmail.com wrote:
> Eric Hodel wrote:
> > What version of RubyGems are you using?
> $ gem --version
> shows 0.8.11
> I just updated RubyGems and now everything in my original script is
> working fine. If you don't mind, could you give me a bit of detail
> about what went wrong and what was changed in later versions of Gems?
> To satisfy my curiosity more than anything.
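As an added example, not code from this thread or from RubyGems itself: a small spec loader that behaves the way Eric describes RubyGems 0.9.0 behaving under $SAFE == 1. Everything read from disk (the index file and the gemspec source) is tainted, so each path is validated first and only then untainted before it reaches File.file?, File.read and eval; a loader that never untaints is what dies with "Insecure operation - read". The GEM_HOME fixture, the index.txt format, the path rule and the function names are assumptions made for illustration and do not reproduce the real source index's checks. Ruby dropped taint tracking in 2.7, so on a current interpreter the untaint calls are skipped and only the validation runs.

```ruby
require 'rubygems'
require 'tmpdir'
require 'fileutils'

# Taint tracking and $SAFE checks exist only on Ruby < 2.7 (the thread is on
# Ruby 1.8); on newer interpreters the untaint calls below are skipped, and
# String#untaint is gone entirely from 3.2 on.
TAINT_SUPPORTED = Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.7")

# Constructed stand-in for GEM_HOME (not a real gem directory): one gemspec
# under specifications/ plus an index file listing gemspec paths, three of
# them bogus. Everything read from disk is tainted under $SAFE >= 1, so the
# index lines are the kind of data that raises "Insecure operation" when
# handed directly to File.read, require or eval.
def build_fixture
  home = Dir.mktmpdir("gemhome")
  home.untaint if TAINT_SUPPORTED   # created by us at $SAFE == 0, so trusted
  FileUtils.mkdir_p(File.join(home, "specifications"))
  File.open(File.join(home, "specifications", "foo-1.0.gemspec"), "w") do |f|
    f.write("Gem::Specification.new { |s| s.name = 'foo'; s.version = '1.0' }\n")
  end
  File.open(File.join(home, "index.txt"), "w") do |f|
    f.write("specifications/foo-1.0.gemspec\n" \
            "../../etc/passwd\n" \
            "specifications/../evil.gemspec\n" \
            "specifications/nope.gemspec\n")
  end
  home
end

# The trust decision. An index line is accepted only as a plain
# "specifications/<name>.gemspec" with no traversal, and only then is the
# derived path untainted. untaint is the library vouching for data it read,
# so it must follow validation; File.file? runs last because file queries on
# a tainted name are themselves refused at $SAFE >= 1.
def trusted_spec_path(home, candidate)
  dir, file, extra = candidate.split("/")
  unless dir == "specifications" && extra.nil? &&
         file.to_s =~ /\A[A-Za-z0-9][\w.+-]*\.gemspec\z/
    raise ArgumentError, "untrusted gemspec path: #{candidate.inspect}"
  end
  full = File.join(home, dir, file)   # tainted: derived from tainted input
  full.untaint if TAINT_SUPPORTED
  raise ArgumentError, "no such gemspec: #{candidate.inspect}" unless File.file?(full)
  full
end

# Loads one spec the way RubyGems' load_specification does: read the source
# and eval it. IO data is tainted too, and is untainted here only because the
# path was just vetted as living under GEM_HOME, which the operator controls.
def load_specification(path)
  src = File.read(path)
  src.untaint if TAINT_SUPPORTED
  eval(src, binding, path)
end

# Walks the index the way the source index walks installed gems. Returns the
# names of the specs that loaded and the index lines that were refused.
def index_specs(home)
  loaded, refused = [], []
  File.readlines(File.join(home, "index.txt")).each do |line|
    candidate = line.chomp
    begin
      loaded << load_specification(trusted_spec_path(home, candidate)).name
    rescue ArgumentError
      refused << candidate
    end
  end
  [loaded, refused]
end

if __FILE__ == $PROGRAM_NAME
  home = build_fixture
  # On Ruby < 2.7 raise $SAFE inside a thread so the rest of the process
  # keeps level 0 (the level can never be lowered once raised).
  result = Thread.new { $SAFE = 1 if TAINT_SUPPORTED; index_specs(home) }.value
  puts "loaded: #{result[0].inspect}"
  puts "refused: #{result[1].inspect}"
  FileUtils.rm_rf(home)
end
```

The order inside trusted_spec_path is the whole point: untaint is where library code asserts trust, and it is only justified after the string has been checked against a rule the operator controls (here, a fixed directory inside GEM_HOME). Applying the same untaint to a path a request can influence, such as a CGI parameter, would silently switch off the very check $SAFE == 1 was providing.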