mod_ruby, require, and $SAFE

yermej

When running under mod_ruby with the default $SAFE == 1, a file
containing only this:

require 'active_record'

will give a 500 response with the error:

mod_ruby: error in ruby
mod_ruby: /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in
`read': Insecure operation - read (SecurityError)
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in
`load_specification'
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:45:in
`from_installed_gems'
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:44:in
`from_installed_gems'
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:63:in
`from_installed_gems'
mod_ruby: from /usr/lib64/ruby/site_ruby/1.8/rubygems.rb:79:in
`source_index'
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:105:in
`init_gemspecs'
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:50:in
`initialize'
mod_ruby: from
/usr/lib64/ruby/site_ruby/1.8/rubygems/custom_require.rb:24:in
`require'
mod_ruby: from /home/user/public_html/lvs/cgi/safe_test.rbx:1
mod_ruby: from /usr/lib64/ruby/1.8/apache/ruby-run.rb:53:in `handler'

I think this is happening because whatever is loaded from active_record
is tainted and then can't be used to do the requires that active_record
needs to do. That could be way off though.

I'm aware of the RubySafeLevel apache directive, but is there a
reasonable way to keep $SAFE == 1 and still be able to require
active_record?

Thanks,
Jeremy
 
Eric Hodel

> When running under mod_ruby with the default $SAFE == 1, a file
> containing only this:
>
> require 'active_record'
>
> will give a 500 response with the error:
>
> mod_ruby: error in ruby
> mod_ruby: /usr/lib64/ruby/site_ruby/1.8/rubygems/source_index.rb:73:in
> `read': Insecure operation - read (SecurityError)
>
> I think this is happening because whatever is loaded from active_record
> is tainted and then can't be used to do the requires that active_record
> needs to do. That could be way off though.
>
> I'm aware of the RubySafeLevel apache directive, but is there a
> reasonable way to keep $SAFE == 1 and still be able to require
> active_record?

What version of RubyGems are you using?
 
yermej

$ gem --version
shows 0.8.11

I just updated RubyGems and now everything in my original script is
working fine. If you don't mind, could you give me a bit of detail
about what went wrong and what was changed in later versions of Gems?
To satisfy my curiosity more than anything.

Thanks for the suggestion.

Jeremy
 
Eric Hodel

> I just updated RubyGems and now everything in my original script is
> working fine. If you don't mind, could you give me a bit of detail
> about what went wrong and what was changed in later versions of Gems?
> To satisfy my curiosity more than anything.

I added $SAFE = 1 support to RubyGems in 0.9.0. Before that RubyGems
didn't untaint objects and was incapable of working.
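An added illustration of the failure mode and fix described above (not code from the thread or from RubyGems): Ruby 1.8 marked strings that came from the filesystem as tainted, and under $SAFE >= 1 a file read through a tainted path raised "Insecure operation - read". Modern Ruby has dropped taint tracking, so this model carries the flag in a small wrapper; the gem directory, gemspec name and the validate-then-untaint step are constructed assumptions, not RubyGems' actual code.

```ruby
require 'tmpdir'
require 'fileutils'

# A path plus the taint flag that Ruby 1.8 kept on the String itself.
TaintedPath = Struct.new(:path, :tainted) do
  def untaint
    self.tainted = false
    self
  end
end

# Models the $SAFE >= 1 rule: reading through a tainted path is refused.
def safe_read(tp, safe_level)
  raise SecurityError, "Insecure operation - read" if safe_level >= 1 && tp.tainted
  File.read(tp.path)
end

# Pre-0.9.0 shape: glob results are tainted (they came from the filesystem)
# and are passed straight to read, so every gemspec load fails under $SAFE = 1.
def load_specifications_old(gem_dir, safe_level)
  Dir.glob(File.join(gem_dir, "specifications", "*.gemspec")).map do |p|
    safe_read(TaintedPath.new(p, true), safe_level)
  end
end

# Untainting shape: clear the flag only after checking that the path really is
# a regular file inside the specifications directory with a plain gemspec name
# (the validation is this example's assumption, added so untaint is not blind).
def load_specifications_new(gem_dir, safe_level)
  spec_dir = File.expand_path(File.join(gem_dir, "specifications"))
  Dir.glob(File.join(spec_dir, "*.gemspec")).map do |p|
    tp = TaintedPath.new(p, true)
    full = File.expand_path(p)
    inside = full.start_with?(spec_dir + File::SEPARATOR)
    plain = File.basename(full) =~ /\A[\w.-]+\.gemspec\z/
    tp.untaint if inside && File.file?(full) && plain
    safe_read(tp, safe_level)
  end
end

# Builds a throwaway gem dir with one constructed gemspec and runs both loaders
# at safe level 1. Returns [old loader outcome, number of specs the new one read].
def demo
  Dir.mktmpdir do |dir|
    spec_dir = File.join(dir, "specifications")
    FileUtils.mkdir_p(spec_dir)
    File.write(File.join(spec_dir, "example-0.0.1.gemspec"), "# constructed gemspec\n")
    old = begin
      load_specifications_old(dir, 1)
      :ok
    rescue SecurityError => e
      e.message
    end
    [old, load_specifications_new(dir, 1).size]
  end
end
```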