So… I ask again about it.
I just made a CGI script which uploads some image file data into a new file created by the script…
There is an error when creating the new file object.
…
newImageFilename = sql.query("select value from settings where name='mdl_lastimage'").fetch_hash['value'].to_s.succ
…
ImagesDir = DocumentRoot + "/images/someimagedir/"
i_type, i_width, i_height, i_extension = []
# declaring image…
image = Image::Info.new Imagefile
i_type, i_width, i_height, i_extension = image.type, image.width, image.height, image.extension
newImageFile = File.new(ImagesDir + newImageFilename + i_extension, "w")
What do I do?
ts1
(ts)
11 March 2003 16:07
newImageFile = File.new(ImagesDir + newImageFilename + i_extension, "w")
One of the variables `ImagesDir', `newImageFilename', `i_extension' is
tainted; this is why Ruby gives an error, for example:
pigeon% cat b.rb
#!/usr/bin/ruby -T1
newImageFilename = "aa".taint
File.new(newImageFilename)
pigeon%
pigeon% b.rb
./b.rb:3:in `initialize': Insecure operation - initialize (SecurityError)
from ./b.rb:3:in `new'
from ./b.rb:3
pigeon%
You must carefully untaint these variables.
Guy Decoux
Hello ts,
Tuesday, March 11, 2003, 7:07:24 PM, you wrote:
You must carefully untaint these variables.
Guy Decoux
yoopiee!!!
It works! Thanks!
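An added example, not code from the thread: one way to "carefully untaint" the parts of the upload path is to validate each part against an allow-list first and clear the taint flag only on values that passed. The names `safe_image_path`, `checked_component` and `clear_taint`, the allow-lists and the sample paths are assumptions; `Object#untaint` was removed in Ruby 3.2, so the helper calls it only where it still exists.

```ruby
# Added example; helper names, allow-lists and sample paths are assumptions.
ALLOWED_EXTENSIONS = %w[.gif .jpg .jpeg .png].freeze
SAFE_BASENAME = /\A[A-Za-z0-9_-]{1,64}\z/

# Object#untaint exists only on Ruby < 3.2. On newer Rubies there is no taint
# flag, and the validation below is the whole safeguard.
def clear_taint(str)
  copy = str.dup
  copy.respond_to?(:untaint) ? copy.untaint : copy
end

# Untaint a value only after the caller's check (the block) has accepted it.
def checked_component(value, what)
  s = value.to_s
  raise ArgumentError, "unsafe #{what}: #{s.inspect}" unless yield(s)
  clear_taint(s)
end

# images_dir is assumed to be a trusted, configured constant, not request data.
def safe_image_path(images_dir, base_name, extension)
  base = checked_component(base_name, "file name") { |s| SAFE_BASENAME.match?(s) }
  ext  = checked_component(extension, "extension") do |s|
    ALLOWED_EXTENSIONS.include?(s.downcase)
  end
  root = File.expand_path(images_dir)
  path = File.expand_path(base + ext, root)
  # Second check: the result must sit directly inside the image directory.
  raise ArgumentError, "path escapes #{root}" unless File.dirname(path) == root
  path
end

if __FILE__ == $PROGRAM_NAME
  dir = "/var/www/images/someimagedir/" # constructed sample path
  puts safe_image_path(dir, "img0042", ".png")
  begin
    safe_image_path(dir, "../../etc/passwd", ".png")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The returned path is what would be passed to `File.new(path, "w")` in place of the raw concatenation.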