Mod_ruby, require, and $SAFE

When running under mod_ruby with the default $SAFE == 1, a file
containing only this:

require ‘active_record’

will give a 500 response with the error:

mod_ruby: error in ruby
mod_ruby: /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in
read': Insecure operation - read (SecurityError) mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:inload_specification’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:45:in
from_installed_gems' mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:44:infrom_installed_gems’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:63:in
from_installed_gems' mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems.rb:79:insource_index’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:105:in
init_gemspecs' mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:50:ininitialize’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:24:in
require' mod_ruby: from /home/user/public_html/lvs/cgi/safe_test.rbx:1 mod_ruby: from /usr/lib64/ruby/1.8/apache/ruby-run.rb:53:inhandler’

I think this is happening because whatever is loaded from active_record
is tainted and then can’t be used to do the requires that active_record
needs to do. That could be way off though.

I’m aware of the RubySafeLevel apache directive, but is there a
reasonable way to keep $SAFE == 1 and still be able to require
active_record?

Thanks,
Jeremy

On Jan 22, 2007, at 09:20, [email protected] wrote:

I think this is happening because whatever is loaded from
active_record
is tainted and then can’t be used to do the requires that
active_record
needs to do. That could be way off though.

I’m aware of the RubySafeLevel apache directive, but is there a
reasonable way to keep $SAFE == 1 and still be able to require
active_record?

What version of RubyGems are you using?


Eric H. - [email protected] - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

Eric H. wrote:

What version of RubyGems are you using?

$ gem --version
shows 0.8.11

Jeremy

[email protected] wrote:

Eric H. wrote:

What version of RubyGems are you using?

$ gem --version
shows 0.8.11

I just update RubyGems and now everything in my original script is
working fine. If you don’t mind, could you give me a bit of detail
about what went wrong and what was changed in later versions of Gems?
To satisfy my curiosity more than anything.

Thanks for the suggestion.

Jeremy

On Jan 22, 2007, at 12:25, [email protected] wrote:

To satisfy my curiosity more than anything.
I added $SAFE = 1 support to RubyGems in 0.9.0. Before that RubyGems
didn’t untaint objects and was incapable of working.


Eric H. - [email protected] - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

[email protected] wrote:

Eric H. wrote:

What version of RubyGems are you using?

$ gem --version
shows 0.8.11

I just updated RubyGems and now everything in my original script is
working fine. If you don’t mind, could you give me a bit of detail
about what went wrong and what was changed in later versions of Gems?
To satisfy my curiosity more than anything.

Thanks for the suggestion.

Jeremy

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs