Ruby 1.6.7, tainted, Net::FTP

Hannes_Wyss1 · 5 June 2002 19:02

Hi List

I am running a CGI-Script that should write a file to a remote FTP-Server.

$SAFE - level is set to 1
Ruby’s version is 1.6.7 (2002-03-01) [i686-linux]

Here’s (in short) what I am trying to do

#!/usr/bin/env ruby

$SAFE = 1
require “net/ftp”

ftp = Net::FTP.new(“62.12.133.20”, “test”, “test”)
ftp.puttextfile(“test/data/0103.txt”, “somefile.txt”)

Here’s what I get

ruby ./test.rb
/usr/local/lib/ruby/1.6/net/ftp.rb:175:in open': Insecure operation - open (SecurityError) from /usr/local/lib/ruby/1.6/net/ftp.rb:175:in makeport’
from /usr/local/lib/ruby/1.6/net/ftp.rb:209:in transfercmd' from /usr/local/lib/ruby/1.6/net/ftp.rb:328:in storlines’
from /usr/local/lib/ruby/1.6/net/ftp.rb:327:in mon_synchronize' from /usr/local/lib/ruby/1.6/net/ftp.rb:327:in storlines’
from /usr/local/lib/ruby/1.6/net/ftp.rb:413:in `puttextfile’
from ./test.rb:7

I’ve tracked my Problem down to TCPsocket.open(host, port).
Both arguments (host, port) are untainted when open is invoked.
However the return value sock has sock.addr[3].tainted? == true

Any suggestions what I could do?

t.i.a.

Hannes

Topic		Replies	Views
Ftp/socket problem on OSX ruby-talk	3	131	26 March 2004
First Program ruby-talk	1	102	17 July 2002
Anybody tell me about net/ftp protocol? ruby-talk	2	107	19 October 2007
[ruby-list:48981] Ruby 1.8.7 patchlevel 371 (CVE-2012-4466) ruby-talk	0	140	12 October 2012
Another FTP modules problem ruby-talk	0	49	30 May 2004

Ruby 1.6.7, tainted, Net::FTP

Related Topics