SecurityError in Ruby 1.8.4

jgoizueta · May 2, 2006

The next code raises a "Insecure operations" SecurityError under Ruby
1.8.4 (but not in 1.8.2):

require 'yaml'
require 'rubygems'
require_gem 'rake' # require any gem
$SAFE=1
YAML.load "---\n2005-01-05"

I've tested it with i386-mswin32 and i686-linux Ruby, and version
0.8.11 of ruby gems.
Anybody have an idea of what's happening? may it be a bug in Ruby
1.8.4?

--Javier Goizueta

ts · May 2, 2006

Add this line

j> require 'yaml'
j> require 'rubygems'
j> require_gem 'rake' # require any gem
j> $SAFE=1

p $LOAD_PATH.select {|x| x.tainted? }

j> YAML.load "---\n2005-01-05"

j> Anybody have an idea of what's happening? may it be a bug in Ruby
j> 1.8.4?

ruby will not try to load a file if one component of $LOAD_PATH is
tainted.

jgoi · May 2, 2006

Oh, I see... the path strings introduced by ruby gems are tainted... so
I guess that we must make sure that all files to be required are loaded
before the $SAFE level is set if gems are used.
That seems like a real problem to me for modules that dynamically load
other modules... Anyway, this information allowed me to find a
workaround for the program where this problem has emerged, thank you
Guy!
--Javier Goizueta

rubygems win32 error with ruby 1.8.4 (final)	4	Dec 27, 2005
Ruby 1.8.4 binaries for Win32 are available here	4	Mar 16, 2006
1.8.4 untaint behavior	3	Jan 17, 2006
HTTPS with ruby 1.8.4 on Windows?	2	Mar 15, 2006
Upgrade Problems on 1.8.4	2	Aug 2, 2006
Problems with upgrade to 1.8.4	1	Oct 13, 2006
SecurityError requiring gems and other files with $SAFE=1 in Ruby1.9.1	3	Apr 15, 2009
Problem with https connection in Ruby 1.8.4	4	Feb 7, 2006

SecurityError in Ruby 1.8.4

jgoizueta

ts

jgoi

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads