Insecure operation

Hello!

I’m trying to make a CGI script which uses modules from Rails, and
I’ve got a “Security Error”. I have read posts about taint/untaint,
but nothing helps. Could you advise something?

Details:
FreeBSD 6.3-STABLE
Rails 2.1.0
Ruby 1.8.6
Apache 2.2 + mod_ruby (for CGI) + latest Phusion Passenger + latest
Ruby Enterprise (for Rails)

Script:
require 'cgi'
require '…/config/environment'
# CGI::parse returns { name => [values] }; Hash#each returns that hash unchanged, so build the flat hash with inject
params = CGI::parse( ENV['QUERY_STRING'] ).inject({}) { |h, (key, el)| h[key] = el.first; h } # I don't know how to get GET vars in another way
seller = ContrSeller.find( :first, :conditions => { :id => params['seller_id'], :password => params['pass'] } ) # ContrSeller - is an existing model

Error:
mod_ruby: error in ruby
mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)

I can put a full error output here, but it’s not needed.
I have tried to untaint() params variable and its values, but no
success.

On 26 Aug, 21:04, [email protected] wrote:

> I can put a full error output here, but it’s not needed.

Here is a full error report:
mod_ruby: error in ruby
mod_ruby: /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `file?': Insecure operation - file? (SecurityError)
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:169:in `search_for_file'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:167:in `each'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:167:in `search_for_file'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:258:in `load_missing_constant'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:483:in `const_missing'
mod_ruby: from ./pcapi.rb:6:in `new_session'
mod_ruby: from /home/gs/data/www/pc.gorodskidok.com/api/api.rbx:43
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:354:in `new_constants_in'
mod_ruby: from /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.0/lib/active_support/dependencies.rb:502:in `load'
mod_ruby: from /usr/local/lib/ruby/site_ruby/1.8/apache/ruby-run.rb:53:in `handler'

I have tried
$SAFE = 0
But it returns an error that the security level cannot be downgraded.
