Hi!
I’m seeing something seemingly incorrect in a CGI script
wherein an object is untainted, then a new object is
created via string interpolation using the untainted object,
and the new object becomes tainted.
I’ve whittled the code down to a pretty simple script…
I wasn’t able to reproduce it without actually using the
CGI module though… Here’s what I have:
···
$ cat taint.rb
$SAFE = 1
require 'cgi'
alias log puts
cgi = CGI.new("html4Tr")
# cgi.out {
view = cgi['view']
log("1 view=#{view}")
log("2 view tainted? #{view.tainted?}")
view.untaint # if view =~ /\A\w*\z/
log("3 view tainted? #{view.tainted?}")
filename = "demo/#{view}" #### ****** filename can become tainted!
log("4 filename tainted? #{filename.tainted?}")
filename.untaint unless view.tainted?
log("5 filename tainted? #{filename.tainted?}")
# }
The output is:
$ ruby -v
ruby 1.8.1 (2003-12-25) [i686-linux]
$ ruby taint.rb
(offline mode: enter name=value pairs on standard input)
view=spang
1 view=spang
2 view tainted? false
3 view tainted? false
4 filename tainted? true
5 filename tainted? false
[I don’t know if I’m doing something stupid… In the actual real CGI script, (as opposed to the “offline mode” whittled down one) I’m used to output line #2 being “true” as well. I’m not sure why line #2 is false here… so I’m worried I’m overlooking something silly…]
In any case, it’s line #4 that is causing me trouble. In
both this test script and in the real CGI script, my log
shows I’ve successfully untainted the object (referenced
by the ‘view’ variable) prior to using it in the string
interpolation:
filename = “demo/#{view}”
…and yet ‘filename’ is coming out tainted. That’s not
correct behavior is it? Or am I missing something?
Thanks!
Regards,
Bill