Mod_ruby, require, and $SAFE

When running under mod_ruby with the default $SAFE == 1, a file
containing only this:

require ‘active_record’

will give a 500 response with the error:

mod_ruby: error in ruby
mod_ruby: /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in
read': Insecure operation - read (SecurityError) mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:inload_specification’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:45:in
from_installed_gems' mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:44:infrom_installed_gems’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:63:in
from_installed_gems' mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems.rb:79:insource_index’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:105:in
init_gemspecs' mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:50:ininitialize’
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:24:in
require' mod_ruby: from /home/user/public_html/lvs/cgi/safe_test.rbx:1 mod_ruby: from /usr/lib64/ruby/1.8/apache/ruby-run.rb:53:inhandler’

I think this is happening because whatever is loaded from active_record
is tainted and then can’t be used to do the requires that active_record
needs to do. That could be way off though.

I’m aware of the RubySafeLevel apache directive, but is there a
reasonable way to keep $SAFE == 1 and still be able to require
active_record?

Thanks,
Jeremy

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs