Eruby and/or mod_ruby on apache not working with rubygem

Hi,

I’m a web developer and wanted to try ruby. I installed ruby 1.8 on my
debian server with eruby and mod_ruby for apache2. Apache config files
are configured correctly to accept .rhtml files and parse them. If I
type sth like <% print "Test" %> then there’s no problem, it gives me
“Test” as output. But I wanted to try “Twitterland” from rubygems. I
installed the gem and when I’m trying to use the following:


require 'rubygems'
require 'twitterland'

print Twitterland::FollowCost.show('johnygoerend')

it works fine when I use it with “ruby index.rhtml”, but when I call it
in my browser (of course with the <% %> tags) then I get these errors
in my error.log:

[Sun Sep 26 04:21:25 2010] [error] mod_ruby: error in ruby
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: /usr/local/lib/site_ruby/1.8/rubygems.rb:472:in `[]': Insecure operation - [] (SecurityError)
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/local/lib/site_ruby/1.8/rubygems.rb:472:in `find_files'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/local/lib/site_ruby/1.8/rubygems.rb:471:in `map'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/local/lib/site_ruby/1.8/rubygems.rb:471:in `find_files'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/local/lib/site_ruby/1.8/rubygems.rb:983:in `load_plugins'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/local/lib/site_ruby/1.8/rubygems.rb:1139
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/lib/ruby/1.8/auto-reload.rb:77:in `load'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/lib/ruby/1.8/auto-reload.rb:77:in `require'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /var/www/virtual/johny.lu/ruby/htdocs/index.rhtml:2
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from (eval):0
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/lib/ruby/1.8/apache/eruby-run.rb:116:in `eval_string_wrap'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/lib/ruby/1.8/apache/eruby-run.rb:116:in `run'
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: from /usr/lib/ruby/1.8/apache/eruby-run.rb:72:in `handler'

I searched on Google but there’s not much to find. Does anyone have an
idea what exactly goes wrong here?

[Sun Sep 26 04:21:25 2010] [error] mod_ruby: error in ruby
[Sun Sep 26 04:21:25 2010] [error] mod_ruby: /usr/local/lib/site_ruby/1.8/rubygems.rb:472:in `[]': Insecure operation - [] (SecurityError)

My guess would be that mod_ruby is running with $SAFE > 0, but rubygems
and/or twitterland doesn’t work in those conditions.

Try showing SAFE=<%= $SAFE %> to see if that theory is right.

Also try running your standalone ruby script with ruby -T1 (or add
$SAFE=1 to the top) to see if it barfs in the same way.

Aside: I’m afraid you’ll find not many people use mod_ruby these days.
As far as I can see, most people write Rack-based web apps. To run them
with Apache you’d either proxy to a standalone ruby webserver
(mongrel/thin/unicorn/rainbows!), or inside Apache using Phusion
Passenger, a.k.a. mod_rails.

That’s not to say that you can’t make it work, it’s just that you might
not find many other people using mod_ruby to help you if you have
problems.

Equally, if a particular app or library doesn’t work with $SAFE=1,
perhaps it should be modified so that it does.

Regards,

Brian.

Oh, forgot to include this link:
http://ruby-doc.org/docs/ProgrammingRuby/html/taint.html

Thank you very much for your answer. Safe really is set to 1 so you’re
right. But running the script with ruby -T1 gives me the same as running
it without -T1, so no error.

Thanks for the notice on mod_ruby. I guess I’ll have a look at the
alternatives to run my ruby web apps.

Johny Goerend wrote:

Thank you very much for your answer. Safe really is set to 1 so you’re
right. But running the script with ruby -T1 gives me the same as running
it without -T1, so no error.

Odd. Could you try:

puts "foo".tainted?

in both scenarios.

Also, you could try running mod_ruby with RubySafeLevel 0

http://www.modruby.net/en/index.rbx?mode=search&word=shugo#label-17
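
An added example, not part of any post in this thread: a diagnostic that extends the `$SAFE` and `tainted?` checks suggested above to the `$LOAD_PATH` entries and environment values that library loading may hand to file operations. It assumes Ruby 1.8-era taint semantics; the helper names and the list of environment keys are hypothetical choices, and on Rubies where `tainted?` no longer exists it reports `:unsupported`.

```ruby
# Added diagnostic (not from the thread); helper names are hypothetical.
# Reports the safe level and which strings that library loading may pass
# to file operations are tainted. Written for Ruby 1.8-era taint
# semantics; on Rubies without #tainted? it reports :unsupported.

# Classify one object as :tainted, :clean or :unsupported.
def taint_status(obj)
  return :unsupported unless obj.respond_to?(:tainted?)
  obj.tainted? ? :tainted : :clean
end

# Environment variables that commonly influence where gems are looked up
# (an assumed list, adjust for the server being checked).
ENV_KEYS = %w[GEM_HOME GEM_PATH HOME RUBYLIB PATH]

# Build [label, value, status] rows for $LOAD_PATH entries and ENV values.
def taint_rows(load_path = $LOAD_PATH, env = ENV)
  rows = []
  load_path.each_with_index do |dir, i|
    rows << ["$LOAD_PATH[#{i}]", dir.to_s, taint_status(dir)]
  end
  ENV_KEYS.each do |key|
    value = env[key]
    rows << ["ENV[#{key}]", value, taint_status(value)] unless value.nil?
  end
  rows
end

# Render the report as plain text, tainted entries first.
def taint_report(load_path = $LOAD_PATH, env = ENV)
  rows = taint_rows(load_path, env)
  tainted, other = rows.partition { |row| row[2] == :tainted }
  lines = ["$SAFE=#{$SAFE.inspect}", "literal tainted?=#{taint_status('foo')}"]
  (tainted + other).each do |label, value, status|
    lines << "#{status} #{label} #{value}"
  end
  lines.join("\n")
end

# Command-line run prints the report; under eruby, call taint_report
# from inside the page instead.
puts taint_report if __FILE__ == $0
```

Running it once from the command line and once with the definitions pasted into the `.rhtml` page (printing `taint_report` with `<%= %>`) gives two reports that can be compared line by line.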