Did anyone try that? While implementing Pingback client[1], I got stuck
with a SecurityError exception, even though I’ve untainted the uri that
I’m feeding to Net::HTTP:
content =~ URI::REGEXP::ABS_URI or raise UserError,
"text/uri-list should contain at least one absolute URI"
uri, scheme = $&, $1
throw :fail unless scheme =~ /^http/
response = Net::HTTP.get_response(URI.parse(uri.untaint))
Does Net::HTTP pick something tainted from the environment that I’m not
aware of?
[1] http://www.hixie.ch/specs/pingback/pingback
–
Dmitry Borodaenko
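As an added illustration (not code from this thread or from the Pingback client it describes), the same selection step written for current Ruby, where taint tracking no longer exists and the guard has to be an explicit scheme allowlist on the parsed URI rather than a check on $1. UserError and SAMPLE_URI_LIST are constructed placeholders.

```ruby
require 'uri'

# Constructed placeholder for the application's own error class.
class UserError < StandardError; end

# Only these schemes may be handed to Net::HTTP; anything else in the
# list (ftp:, mailto:, relative references) is skipped, never fetched.
ALLOWED_SCHEMES = %w[http https].freeze

# Constructed sample text/uri-list body (RFC 2483: one URI per line,
# lines starting with '#' are comments, CRLF line ends).
SAMPLE_URI_LIST = "# pingback targets\r\n" \
                  "ftp://example.org/mirror\r\n" \
                  "/relative/only\r\n" \
                  "mailto:someone@example.org\r\n" \
                  "http://example.org/post\r\n" \
                  "https://example.org/second\r\n"

# Returns the first absolute http(s) URI in +content+ as a URI object,
# or nil when the list has none. The scheme comes from URI.parse, not
# from $1 of a global regexp match, so nothing depends on match state.
def first_http_uri(content)
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    begin
      uri = URI.parse(line)
    rescue URI::InvalidURIError
      next # malformed entry: ignore it and keep looking
    end
    # absolute? requires a scheme; the host check drops forms such as
    # "http:foo" that parse but name no server to connect to
    next unless uri.absolute? && ALLOWED_SCHEMES.include?(uri.scheme) && uri.host
    return uri
  end
  nil
end

# Same contract as the raise in the original snippet: a list with no
# acceptable absolute URI is a client error, reported before any
# connection is attempted.
def pingback_target(content)
  first_http_uri(content) or raise UserError,
    "text/uri-list should contain at least one absolute URI"
end

puts pingback_target(SAMPLE_URI_LIST) if $PROGRAM_NAME == __FILE__
```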
Hi,
In mail “Opening Net::HTTP from mod_ruby script”
Dmitry Borodaenko d.borodaenko@sam-solutions.net wrote:
Did anyone try that? While implementing Pingback client[1], I got stuck
with a SecurityError exception, even though I’ve untainted the uri that
I’m feeding to Net::HTTP:
content =~ URI::REGEXP::ABS_URI or raise UserError,
"text/uri-list should contain at least one absolute URI"
uri, scheme = $&, $1
throw :fail unless scheme =~ /^http/
response = Net::HTTP.get_response(URI.parse(uri.untaint))
I could not reproduce the error.
Could you show me the exact error message?
Regards,
Minero Aoki
/usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
        from /usr/lib/ruby/1.8/net/protocol.rb:83:in `new'
        from /usr/lib/ruby/1.8/net/protocol.rb:83:in `connect'
        from /usr/lib/ruby/1.8/net/protocol.rb:82:in `timeout'
        from /usr/lib/ruby/1.8/timeout.rb:55:in `timeout'
        from /usr/lib/ruby/1.8/net/protocol.rb:82:in `connect'
        from /usr/lib/ruby/1.8/net/protocol.rb:64:in `initialize'
        from /usr/lib/ruby/1.8/net/http.rb:429:in `open'
        from /usr/lib/ruby/1.8/net/http.rb:429:in `do_start'
         ... 6 levels...
        from /var/www/samizdat/message.rb:17:in `out'
        from /var/www/samizdat/message.rb:17
        from /usr/lib/ruby/1.8/apache/ruby-run.rb:70:in `load'
        from /usr/lib/ruby/1.8/apache/ruby-run.rb:70:in `handler'
Apache/1.3.28 (Debian GNU/Linux) mod_ruby/1.0.7 Ruby/1.8.0
Hope that is enough, I don’t know how to get a full call stack, without
skipping those “6 levels”.
On Tue, Nov 04, 2003 at 05:30:31PM +0900, Minero Aoki wrote:
content =~ URI::REGEXP::ABS_URI or raise UserError,
"text/uri-list should contain at least one absolute URI"
uri, scheme = $&, $1
throw :fail unless scheme =~ /^http/
response = Net::HTTP.get_response(URI.parse(uri.untaint))
I could not reproduce the error.
Could you show me the exact error message?
–
Dmitry Borodaenko
Hi,
In mail “Re: Opening Net::HTTP from mod_ruby script”
Dmitry Borodaenko d.borodaenko@sam-solutions.net wrote:
response = Net::HTTP.get_response(URI.parse(uri.untaint))
/usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
It is an error raised on $SAFE=3 or higher.
Please check RubySafeLevel parameter written in httpd.conf / .htaccess.
Regards,
Minero Aoki
This parameter is not set in Apache configs, $stderr << $SAFE
prints 1.
On Thu, Nov 06, 2003 at 12:55:15AM +0900, Minero Aoki wrote:
response = Net::HTTP.get_response(URI.parse(uri.untaint))
/usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
It is an error raised on $SAFE=3 or higher.
Please check RubySafeLevel parameter written in httpd.conf / .htaccess.
–
Dmitry Borodaenko
I’ve locked this down to Regexp#=~ under CGI, not necessarily under
mod_ruby, and only when I use my own Session#params() method I mentioned
elsewhere on this list. Here is a test to repeat this:
require 'cgi'

def params(cgi, keys)
  keys.collect do |key|
    value = cgi[key]
    (value =~ /[^\s]/) ? value : nil # =~ does something evil?
  end
end

cgi = CGI.new
cgi.out() do
  test, = params cgi, ['test'] # <--
  #test, = cgi['test']
  test.untaint
  test =~ /(.)/
  result = $1.tainted?
  result.to_s
end
If you replace the line marked with arrow with the commented line that
follows, result changes from true to false.
Can anyone explain this?
On Thu, Nov 06, 2003 at 02:25:06AM +0900, Dmitry Borodaenko wrote:
On Thu, Nov 06, 2003 at 12:55:15AM +0900, Minero Aoki wrote:
response = Net::HTTP.get_response(URI.parse(uri.untaint))
/usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
It is an error raised on $SAFE=3 or higher.
Please check RubySafeLevel parameter written in httpd.conf / .htaccess.
This parameter is not set in Apache configs, $stderr << $SAFE
prints 1.
–
Dmitry Borodaenko