I'm using my own compiled version of Ruby 1.9.1p0 on Debian etch. With $SAFE=1, I get the following error trying to require gems (in this example Rake, but I get the same error with other gems):
>> $SAFE=1
=> 1
>> require 'rake'
SecurityError: Insecure operation - require
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
The Rake gem is installed in the usual place:
>> $:.find {|s| s =~ /rake/}
=> "/usr/local/ruby/1.9.1-p0/lib/ruby/gems/1.9.1/gems/rake-0.8.4/bin"
I get the same error trying to load an arbitrary file:
>> $SAFE=1
=> 1
>> require 'testing'
SecurityError: Insecure operation - require
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
I've just tried with the latest Ruby snapshot version and this has the same issues, albeit with a (slightly) more helpful error message:
>> $SAFE=1
=> 1
>> require 'rake'
SecurityError: cannot load from insecure path - /usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'
Could anyone tell me if this is the expected behaviour of Ruby 1.9? I couldn't find any information about safe mode that would suggest these SecurityErrors should be raised?
Thanks,
Phil
Philip Ross wrote:
I get the following error trying to require gems (in this example Rake, but I get the same error with other gems):
>> $SAFE=1
=> 1
>> require 'rake'
SecurityError: Insecure operation - require
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
I've now found that if I bypass RubyGems and require rake manually using its full path, I don't get the SecurityError.
>> $SAFE=1
=> 1
>> require '/usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake'
=> true
I get the same error trying to load an arbitrary file:
>> $SAFE=1
=> 1
>> require 'testing'
SecurityError: Insecure operation - require
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
The same is true requiring arbitrary files - if I use the full path rather than relying on the load paths, I don't get the security error:
>> $SAFE=1
=> 1
>> require '/home/testuser/testing.rb'
=> true
Should Ruby 1.9 behave the same when requiring files using a full path as when relying on the load paths?
Regards,
Phil
This is likely the issue:
$ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'
Please file a bug.
On Apr 15, 2009, at 12:05, Philip Ross wrote:
I'm using my own compiled version of Ruby 1.9.1p0 on Debian etch. With $SAFE=1, I get the following error trying to require gems (in this example Rake, but I get the same error with other gems):
>> $SAFE=1
=> 1
>> require 'rake'
SecurityError: Insecure operation - require
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
The Rake gem is installed in the usual place:
>> $:.find {|s| s =~ /rake/}
=> "/usr/local/ruby/1.9.1-p0/lib/ruby/gems/1.9.1/gems/rake-0.8.4/bin"
I get the same error trying to load an arbitrary file:
>> $SAFE=1
=> 1
>> require 'testing'
SecurityError: Insecure operation - require
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
I've just tried with the latest Ruby snapshot version and this has the same issues, albeit with a (slightly) more helpful error message:
>> $SAFE=1
=> 1
>> require 'rake'
SecurityError: cannot load from insecure path - /usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
from (irb):2:in `require'
from (irb):2
from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'
Could anyone tell me if this is the expected behaviour of Ruby 1.9? I couldn't find any information about safe mode that would suggest these SecurityErrors should be raised?
Eric Hodel wrote:
This is likely the issue:
$ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'
Please file a bug.
I am seeing that the gem lib paths are tainted, but the current
directory is not. I am seeing the SecurityError requiring files from
gems and from the current directory though.
I've just tried running
$LOAD_PATH.each {|p| p.untaint}
to untaint each entry in the load path. The load path entries all become
untainted, but SecurityErrors are still raised when running require.
Regards,
Phil
--
Posted via http://www.ruby-forum.com/.