Opening Net::HTTP from mod_ruby script

Dmitry Borodaenko

Did anyone try that? While implementing a Pingback client[1], I've got stuck
with a SecurityError exception, even though I've untainted the uri that
I'm feeding to Net::HTTP:

require 'uri'
require 'net/http'

# Take the first absolute URI found in the text/uri-list body; $1 is its scheme.
content =~ URI::REGEXP::ABS_URI or raise UserError,
  "text/uri-list should contain at least one absolute URI"
uri, scheme = $&, $1
throw :fail unless scheme =~ /^http/
# uri came from the request body and is tainted, so untaint it before use.
response = Net::HTTP.get_response(URI.parse(uri.untaint))

Does Net::HTTP pick something tainted from the environment that I'm not
aware of?

[1] http://www.hixie.ch/specs/pingback/pingback
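Since the thread is about fetching a target parsed out of a Pingback text/uri-list body, here is a small extraction routine as an added example (it is not Dmitry's code nor the samizdat project's). It walks the body line by line as RFC 2483 describes, keeps only the first absolute URI whose scheme is exactly http or https, and hands nothing else on to Net::HTTP. The function names, the ALLOWED_SCHEMES constant and the sample list are assumptions made here. The `/^http/` prefix test from the snippet above is kept as `scheme_prefix_ok?` only to show the gap it leaves: it accepts any scheme that merely begins with "http", whereas the allow-list does not.

```ruby
require 'uri'

# Schemes the Pingback client is willing to fetch. An exact allow-list is
# tighter than the prefix test `scheme =~ /^http/` used in the post, which
# also accepts any other scheme whose name merely starts with "http".
ALLOWED_SCHEMES = %w[http https].freeze

# Constructed sample text/uri-list body (one URI per line, "#" comments).
SAMPLE_URI_LIST = <<~LIST
  # constructed sample: the ftp entry must be skipped, the https one used
  ftp://example.invalid/pub/
  https://example.invalid/post/42#pingback
  http://example.invalid/other
LIST

# The prefix check from the original snippet, kept to show what it lets through.
def scheme_prefix_ok?(uri)
  uri.scheme.to_s.match?(/^http/)
end

# Return the first absolute http(s) URI in a text/uri-list body as a
# URI::HTTP (URI::HTTPS is a subclass), or nil when nothing usable is present.
def first_http_uri(content)
  content.each_line do |line|
    candidate = line.strip
    # RFC 2483: blank lines are ignored, lines starting with "#" are comments.
    next if candidate.empty? || candidate.start_with?('#')
    begin
      uri = URI.parse(candidate)
    rescue URI::InvalidURIError
      next # malformed entries are skipped rather than raised
    end
    # "Absolute" here means both a scheme and a host are present.
    next unless uri.scheme && uri.host
    # Exact scheme allow-list: "httpx://..." parses fine but is rejected here.
    next unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    return uri
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  target = first_http_uri(SAMPLE_URI_LIST)
  puts(target ? "would fetch #{target}" : 'no usable target')
end
```

Only the returned URI object should reach `Net::HTTP.get_response`; a nil result is the client's "no absolute URI" case and can be mapped onto the UserError the post raises.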

Minero Aoki

Hi,

In mail "Opening Net::HTTP from mod_ruby script"
Dmitry Borodaenko said:
> Did anyone try that? While implementing a Pingback client[1], I've got stuck
> with a SecurityError exception, even though I've untainted the uri that
> I'm feeding to Net::HTTP:
>
> content =~ URI::REGEXP::ABS_URI or raise UserError,
> "text/uri-list should contain at least one absolute URI"
> uri, scheme = $&, $1
> throw :fail unless scheme =~ /^http/
> response = Net::HTTP.get_response(URI.parse(uri.untaint))

I could not reproduce the error.
Could you show me the exact error message?

Regards,
Minero Aoki

Dmitry Borodaenko

> I could not reproduce the error.
> Could you show me the exact error message?

/usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)
from /usr/lib/ruby/1.8/net/protocol.rb:83:in `new'
from /usr/lib/ruby/1.8/net/protocol.rb:83:in `connect'
from /usr/lib/ruby/1.8/net/protocol.rb:82:in `timeout'
from /usr/lib/ruby/1.8/timeout.rb:55:in `timeout'
from /usr/lib/ruby/1.8/net/protocol.rb:82:in `connect'
from /usr/lib/ruby/1.8/net/protocol.rb:64:in `initialize'
from /usr/lib/ruby/1.8/net/http.rb:429:in `open'
from /usr/lib/ruby/1.8/net/http.rb:429:in `do_start'
... 6 levels...
from /var/www/samizdat/message.rb:17:in `out'
from /var/www/samizdat/message.rb:17
from /usr/lib/ruby/1.8/apache/ruby-run.rb:70:in `load'
from /usr/lib/ruby/1.8/apache/ruby-run.rb:70:in `handler'

Apache/1.3.28 (Debian GNU/Linux) mod_ruby/1.0.7 Ruby/1.8.0

Hope that is enough; I don't know how to get a full call stack without
skipping those "6 levels".

Minero Aoki

Hi,

In mail "Re: Opening Net::HTTP from mod_ruby script"
Dmitry Borodaenko said:
> /usr/lib/ruby/1.8/net/protocol.rb:83:in `initialize': Insecure operation - initialize (SecurityError)

It is an error raised at $SAFE=3 or higher.
Please check the RubySafeLevel parameter written in httpd.conf / .htaccess.

Regards,
Minero Aoki

Dmitry Borodaenko

> It is an error raised at $SAFE=3 or higher.
> Please check the RubySafeLevel parameter written in httpd.conf / .htaccess.

This parameter is not set in Apache configs, `$stderr << $SAFE` prints 1.

Dmitry Borodaenko

> This parameter is not set in Apache configs, `$stderr << $SAFE` prints 1.

I've locked this down to Regexp#=~ under CGI, not necessarily under
mod_ruby, and only when I use my own Session#params() method I mentioned
elsewhere on this list. Here is a test to repeat this:

require 'cgi'

# Fetch each requested CGI parameter; blank values become nil.
def params(cgi, keys)
  keys.collect do |key|
    value = cgi[key]
    (value =~ /[^\s]/) ? value : nil # =~ does something evil?
  end
end

cgi = CGI.new
cgi.out() do
  test, = params cgi, ['test'] # <---
  #test, = cgi['test']
  test.untaint
  test =~ /(.)/
  result = $1.tainted?   # true with params(), false with cgi['test'] directly
  result.to_s
end

If you replace the line marked with the arrow with the commented line that
follows it, the result changes from true to false.

Can anyone explain this?