I’ve been trying to build a CGI LDAP tool for password changes using
Net/LDAP (0.0.4), but I’m bumping against what looks like a taint
issue. I’ve never dealt with taint before.

In irb, my library works perfectly. It finds the dn, attempts a bind
with dn/old_word, and then modifies dn with new_word. Here are the
method calls required to make it work:

load ‘ldapengine.rb’
engine = LDAPEngine.new(“properties_file”)
success, msg = engine.change_password(“uid”, “old_word”, “new_word”)

forward to success.html if success

In eRuby, the same series of calls with the same parameters put
“Insecure operation - initialize” into ldap.rb’s $! variable at the
moment of initialization:

1017 def initialize server
1018 begin
1019 @conn = TCPsocket.new( server[:host], server[:port] )
1020 rescue
1021 #raise LdapError.new( “no connection to server” )
1022 raise LdapError.new( “no connection to server: #{$!}” )

Can someone help me understand what I need to untaint, and how, to make
this work? I’ve already tried the obvious – calling .untaint on the
engine object and on all the string parameters in my rhtml file – to
no effect.

And if by doing so I create undue risk, I’d be glad to know it. (I do
limit the “uid” to alphanumeric characters, since it is used as a
search key.)

Thanks.

“j” == justin crawford [email protected] writes:

j> In eRuby, the same series of calls with the same parameters put
j> “Insecure operation - initialize” into ldap.rb’s $! variable at the
j> moment of initialization:

Well, if I remember well eruby run with $SAFE = 1

j> 1017 def initialize server
j> 1018 begin
j> 1019 @conn = TCPsocket.new( server[:host], server[:port] )
^^^^^^^^^^^^^

This is this variable which must be, carefully, untainted

moulon% ruby -rsocket -e ‘TCPsocket.new(“moulon”.taint, 21)’
moulon%

moulon% ruby -rsocket -e ‘$SAFE = 1; TCPsocket.new(“moulon”.taint, 21)’
-e:1:in `initialize’: Insecure operation - initialize (SecurityError)
from -e:1
moulon%

Guy Decoux