Something strange with cgi

I have a CGI reading a POST parameter cgi['search'].

The value is the name of a file which might exist under "/path/to".

Because I'm a newbie with CGI, I only want to print whether the file exists or
not:

file = "/Users/yt/man/#{cgi['search']}.html"
print "FileTest.exist?('#{file}') = " # here I get the right file name
print FileTest.exist?(file) # here I get Internal Server Error, why???

This is strange to me because if I print:

print FileTest.exist?("/Users/yt/man/eruby.html") #without variable

I get true, without Internal Server Error…

even if I define:

def file_exist(file)
  Dir.glob("/Users/yt/man/*.html").each do |_file|
    return true if _file == file
  end
  return false
end

and print:

print file_exist(file) # NO Internal Server Error

Any light?

In the meantime I had a look at the server error log, giving:
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)

The CGI isn't accessible externally…

Une Bévue wrote:

print FileTest.exist?("/Users/yt/man/eruby.html") #without variable

Try with

puts file.tainted?
puts "/Users/yt/man/eruby.html".tainted?

/Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)

man-receive.rbx runs with '$SAFE = 1', and it's a security error to use
FileTest#exist? with a tainted object at this level.

vgs% ruby -e 'name = "./ruby".taint; p FileTest.exist?(name)'
true
vgs%

vgs% ruby -e '$SAFE = 1; name = "./ruby".taint; p FileTest.exist?(name)'
-e:1:in `exist?': Insecure operation - exist? (SecurityError)
from -e:1
vgs%

Guy Decoux

On May 2, 2008, at 8:55 AM, Une Bévue wrote:

any light ?

In the meantime I had a look at the server error log, giving:
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
[Wed Apr 30 19:03:19 2008] [error] mod_ruby: /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)

You’re running your CGI under mod_ruby, which runs under $SAFE = 1:

http://wiki.modruby.net/en/?FAQ#SecurityError+is+raised.

This is done to protect you from using unsafe input from untrusted
sources in ways which might be dangerous, such as the one you
demonstrate above. Using an input parameter that a remote user can
modify in arbitrary ways in an operation that accesses the filesystem
is usually a bad idea. For more see the WWW Security FAQ:

http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q16

The examples are in Perl, but most of the same principles apply to
Ruby too.

Hope this helps.

Michael G. wrote:

The examples are in Perl, but most of the same principles apply to
Ruby too.

Fine, thanks for the refs.

In the meantime I've added a regexp check on the input string which
verifies that the string is made up of a-zA-Z0-9 and '-' only.
I believe this is enough…
After that I untaint the search variable.
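Added example, not code from this thread: the whitelist-then-untaint approach described in this reply, combined with the "don't hand remote input straight to the filesystem" point from Michael's reply, written as a small Ruby helper. The function names (sanitize_search, man_page_path, man_page_exists?), the SAFE_NAME constant, the base_dir argument and the temporary-directory fixture are assumptions for illustration. untaint is called only where the running Ruby still has it (taint tracking was removed in Ruby 3.2); the whitelist and the containment check are the actual defence, the taint flag only tells $SAFE = 1 that the check has been done.

```ruby
require 'tmpdir'

# Only letters, digits and '-' are accepted for the search term; anything
# else (dots, slashes, NUL bytes, spaces) is rejected outright.
SAFE_NAME = /\A[a-zA-Z0-9-]+\z/

# Returns a validated copy of the CGI parameter, or nil if it fails the
# whitelist. Under mod_ruby's $SAFE = 1 the parameter arrives tainted, so the
# copy is untainted only after the check has passed. Ruby 3.2+ has no taint
# model and no String#untaint, hence the respond_to? guard.
def sanitize_search(search)
  return nil unless search.is_a?(String) && search.match?(SAFE_NAME)
  clean = search.dup
  clean.untaint if clean.respond_to?(:untaint)
  clean
end

# Builds "<base_dir>/<search>.html" and refuses anything that does not
# resolve inside base_dir, as a second, independent barrier.
def man_page_path(base_dir, search)
  clean = sanitize_search(search)
  return nil if clean.nil?
  base = File.expand_path(base_dir)
  path = File.expand_path("#{clean}.html", base)
  return nil unless path.start_with?(base + File::SEPARATOR)
  path
end

# What the original CGI wanted to know: does the requested page exist?
def man_page_exists?(base_dir, search)
  path = man_page_path(base_dir, search)
  !path.nil? && FileTest.exist?(path)
end

# Self-contained demo on a constructed directory (no real /Users/yt/man needed).
if __FILE__ == $0
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "eruby.html"), "<html></html>") # constructed fixture
    ["eruby", "missing", "../../etc/passwd", "eruby\0", "a b"].each do |term|
      puts "#{term.inspect}: exists=#{man_page_exists?(dir, term)}"
    end
  end
end
```

The whitelist alone already blocks the path-traversal inputs; the expand_path containment check is there so that a later loosening of the regexp (adding '.' or '_', say) cannot silently reopen "../" traversal.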

ts wrote:

vgs% ruby -e 'name = "./ruby".taint; p FileTest.exist?(name)'
true
vgs%

vgs% ruby -e '$SAFE = 1; name = "./ruby".taint; p FileTest.exist?(name)'
-e:1:in `exist?': Insecure operation - exist? (SecurityError)
from -e:1
vgs%

OK, thanks!
