SecurityError requiring gems and other files with $SAFE=1 in Ruby 1.9.1

I’m using my own compiled version of Ruby 1.9.1p0 on Debian etch. With
$SAFE=1, I get the following error trying to require gems (in this
example Rake, but I get the same error with other gems):

$SAFE=1
=> 1

require 'rake'
SecurityError: Insecure operation - require
   from (irb):2:in `require'
   from (irb):2
   from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

The Rake gem is installed in the usual place:

$:.find {|s| s =~ /rake/}
=> "/usr/local/ruby/1.9.1-p0/lib/ruby/gems/1.9.1/gems/rake-0.8.4/bin"

I get the same error trying to load an arbitrary file:

$SAFE=1
=> 1

require 'testing'
SecurityError: Insecure operation - require
   from (irb):2:in `require'
   from (irb):2
   from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

I’ve just tried with the latest Ruby snapshot version and this has the
same issues, albeit with a (slightly) more helpful error message:

$SAFE=1
=> 1

require 'rake'
SecurityError: cannot load from insecure path - /usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
   from (irb):2:in `require'
   from (irb):2
   from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'

Could anyone tell me if this is the expected behaviour of Ruby 1.9? I
couldn't find any information about safe mode that would suggest these
SecurityErrors should be raised.

Thanks,

Phil

Philip R. wrote:

I get the following error trying to require gems (in this
example Rake, but I get the same error with other gems):

$SAFE=1
=> 1

require 'rake'
SecurityError: Insecure operation - require
   from (irb):2:in `require'
   from (irb):2
   from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

I’ve now found that if I bypass RubyGems and require rake manually using
its full path, I don’t get the SecurityError.

$SAFE=1
=> 1

require '/usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake'
=> true

I get the same error trying to load an arbitrary file:

$SAFE=1
=> 1

require 'testing'
SecurityError: Insecure operation - require
   from (irb):2:in `require'
   from (irb):2
   from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

The same is true requiring arbitrary files - if I use the full path
rather than relying on the load paths, I don’t get the security error:

$SAFE=1
=> 1

require '/home/testuser/testing.rb'
=> true

Should Ruby 1.9 behave the same when requiring files using a full path
as when relying on the load paths?

Regards,

Phil

On Apr 15, 2009, at 12:05, Philip R. wrote:

   from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

require 'testing'
require 'rake'
SecurityError: cannot load from insecure path - /usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
   from (irb):2:in `require'
   from (irb):2
   from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'

Could anyone tell me if this is the expected behaviour of Ruby 1.9?
I couldn't find any information about safe mode that would suggest
these SecurityErrors should be raised.

This is likely the issue:

$ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'

Please file a bug.

Eric H. wrote:

This is likely the issue:

$ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'

Please file a bug.

I am seeing that the gem lib paths are tainted, but the current
directory is not. I am seeing the SecurityError requiring files from
gems and from the current directory though.

I’ve just tried running

$LOAD_PATH.each {|p| p.untaint}

to untaint each entry in the load path. The load path entries all become
untainted, but SecurityErrors are still raised when running require.

Regards,

Phil
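Both observations in this thread, that `require 'rake'` fails when the file is found through $LOAD_PATH while an absolute path loads, and Eric's suggestion to inspect which load-path entries Ruby considers untrusted, come down to one question: how does a loader decide that a search location is insecure? The script below is an added example, not code from the thread, from Ruby's own loader, or from RubyGems. It resolves a feature name against a load path the way `require` does and then applies an explicit policy to the resolved file and its directory. The policy is an assumption chosen for illustration (world-writable without the sticky bit, or owned by a third user, counts as insecure); the `$SAFE` level and the taint flag that 1.9 used for this have since been removed from Ruby, so the check is spelled out directly. The directory names, the `testing.rb` files and the `SUFFIXES` list are constructed for the demo. Unlike the 1.9.1 behaviour Phil reports, the check here is applied whether the name was absolute or came from the load path, so the two forms cannot disagree.

```ruby
require "tmpdir"

# Extensions tried after a bare feature name (assumption: a subset of what Ruby tries).
SUFFIXES = [".rb", ".so"].freeze

# Returns nil if the path is acceptable, otherwise a short reason string.
# Policy (an assumption for this example, not Ruby's own rule): reject anything
# world-writable without the sticky bit, or owned by someone other than the
# current user or root, since such a file or directory could have been planted
# or replaced by an untrusted local user.
def insecure_reason(path)
  st = File.stat(path)
  if (st.mode & 0o002) != 0 && (st.mode & 0o1000) == 0
    "world-writable without sticky bit"
  elsif st.uid != Process.uid && st.uid != 0
    "owned by uid #{st.uid}"
  end
end

# Return base itself if it is a regular file, else the first base+suffix that is.
def find_with_suffix(base)
  return base if File.file?(base)
  SUFFIXES.map { |ext| base + ext }.find { |candidate| File.file?(candidate) }
end

# Resolve a feature name as require would, then apply the policy to the file
# and to the directory it was found in (a simplification: ancestors of that
# directory are not walked). An absolute name skips the load path entirely,
# which is what the thread observed, but it is still checked here.
def secure_resolve(feature, load_path)
  bases = if feature.start_with?("/") # POSIX absolute path (assumption)
            [feature]
          else
            load_path.select { |d| File.directory?(d) }.map { |d| File.join(d, feature) }
          end
  found = nil
  bases.each { |b| break if (found = find_with_suffix(b)) }
  raise LoadError, "cannot load such file -- #{feature}" unless found

  [File.dirname(found), found].each do |p|
    if (why = insecure_reason(p))
      raise SecurityError, "cannot load from insecure path - #{found} (#{why})"
    end
  end
  found
end

# Constructed demo: two search directories, each holding a testing.rb, one
# with sane permissions and one made world-writable. Returns what each
# lookup produced so the behaviour can be inspected or asserted on.
def demo
  Dir.mktmpdir("safe_require") do |root|
    good = File.join(root, "good")
    bad  = File.join(root, "bad")
    [good, bad].each do |dir|
      Dir.mkdir(dir)
      File.write(File.join(dir, "testing.rb"), "TESTING_LOADED = true\n")
    end
    File.chmod(0o755, good)
    File.chmod(0o777, bad)

    results = {}
    results[:good_first]    = secure_resolve("testing", [good, bad])
    results[:absolute_good] = secure_resolve(File.join(good, "testing.rb"), [])
    begin
      secure_resolve("testing", [bad, good])
    rescue SecurityError => e
      results[:bad_first] = e.message
    end
    begin
      secure_resolve(File.join(bad, "testing.rb"), [])
    rescue SecurityError => e
      results[:absolute_bad] = e.message
    end
    results
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Note that the search stops at the first entry that holds the file and then refuses to load it rather than quietly trying the next entry: falling through to a later, secure copy would let an attacker who controls an early directory decide which copy wins simply by deleting theirs.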
