Ruby 1.6.7, tainted, Net::FTP

(Hannes Wyss) #1

Hi List

I am running a CGI-Script that should write a file to a remote FTP-Server.

The $SAFE level is set to 1.
Ruby’s version is 1.6.7 (2002-03-01) [i686-linux].

Here’s (in short) what I am trying to do:

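#!/usr/bin/env ruby

$SAFE = 1
require "net/ftp"

# The constructor name is missing from the archived post; Net::FTP.new is assumed.
# The host argument is empty in the archived post and is left as found.
ftp = Net::FTP.new("", "test", "test")
ftp.puttextfile("test/data/0103.txt", "somefile.txt")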

Here’s what I get:

ruby ./test.rb
/usr/local/lib/ruby/1.6/net/ftp.rb:175:in `open': Insecure operation - open (SecurityError)
        from /usr/local/lib/ruby/1.6/net/ftp.rb:175:in `makeport'
        from /usr/local/lib/ruby/1.6/net/ftp.rb:209:in `transfercmd'
        from /usr/local/lib/ruby/1.6/net/ftp.rb:328:in `storlines'
        from /usr/local/lib/ruby/1.6/net/ftp.rb:327:in `mon_synchronize'
        from /usr/local/lib/ruby/1.6/net/ftp.rb:327:in `storlines'
        from /usr/local/lib/ruby/1.6/net/ftp.rb:413:in `puttextfile'
        from ./test.rb:7

I’ve tracked my Problem down to, port).
Both arguments (host, port) are untainted when open is invoked.
However, the return value sock has sock.addr[3].tainted? == true.

Any suggestions what I could do?