In the context of making a Ruby cgi script that generates a PDF using the
Ruby library PDF::Writer, I ran into an odd problem where the script ran
fine from the command line but failed when run in the WWW server. The longer
story is in the forwarded message below. PDF::Writer uses this idiom to find
.tfm files that are stored in the same tree as the Ruby library:
METRICS_PATH = [ File.join(File.dirname(File.expand_path(__FILE__)),
'fonts') ]
File.expand_path taints its return, and this causes METRICS_PATH to be nil
and PDF::Writer to fail.

I am not a Ruby guru, but it seems to me very unintuitive that Ruby taints
this result when it doesn't seem to depend on the value of any environment
variables. The description of the operator implies that it should only use
environment variables if a ~ appears in the string.

Thanks for a great language,

Tom Epperly

---------- Forwarded message ----------
From: Tom Epperly <tepperly / gmail.com>
Date: Mon, Apr 6, 2009 at 12:15 PM
Subject: Suggestions/issues for Ruby PDF::Writer
To: austin / rubyforge.org


By the way, PDF::Writer is very cool. I am using it to make a program to
generate azimuthal maps for amateur radio. I am trying to create a WWW front
end for it, but I have to set $SAFE to 0 apparently because of
line 13 in pdf/writer/fontmetrics.rb.
 METRICS_PATH = [ File.join(File.dirname(File.expand_path(__FILE__)),
'fonts') ]
The result of File.expand_path(__FILE__) is considered tainted. This
ultimately causes the METRICS_PATH to be [ nil ].

This simple program demonstrates the problem:
#!/usr/bin/env ruby
require 'pdf/writer'
$SAFE = 1  # enable taint checking after the library has been loaded
pdf = PDF::Writer.new(:paper => "LETTER")
pdf.text("Hello world")
pdf.save_as("foo.pdf")

% ruby foo.rb
/usr/lib/ruby/1.8/pdf/writer.rb:794:in `load_font': private method `sub'
called for nil:NilClass (NoMethodError)
       from /usr/lib/ruby/1.8/pdf/writer.rb:1005:in `select_font'
       from /usr/lib/ruby/1.8/pdf/writer.rb:1067:in `font_height'
       from /usr/lib/ruby/1.8/pdf/writer.rb:2401:in `text'
       from foo.rb:5

This second example demonstrates where the tainting occurs. I am not sure
why expand_path taints its result, but it apparently does.

#!/usr/bin/env ruby
file = __FILE__
print file + "\n"
print "Is tainted? " + file.tainted?.to_s + "\n"
path = File.expand_path(file)
print path + "\n"
print "Is tainted? " + path.tainted?.to_s + "\n"
dirname = File.dirname(path)
print dirname + "\n"
print "Is tainted? " + dirname.tainted?.to_s + "\n"
fdir = File.join(dirname, 'fonts')
print fdir + "\n"
print "Is tainted? " + fdir.tainted?.to_s + "\n"
print File.exists?(File.join(fdir,
                            "Times-Roman.afm")).to_s + "\n"

% ruby -T1 foo2.rb
foo2.rb
Is tainted? false
/tmp/foo2.rb
Is tainted? true
/tmp
Is tainted? true
/tmp/fonts
Is tainted? true
foo2.rb:15:in `exists?': Insecure operation - exists? (SecurityError)
       from foo2.rb:15


It would be nice if PDF::Writer could work with arbitrary values of $SAFE.

It would also be nice if there was a way that I could set up a circular
clipping path.

Tom
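
Added example, not part of the original message and not PDF::Writer code: one way a library could build a path like METRICS_PATH so that it stays usable when $SAFE is 1, by validating the path first and clearing the taint flag only afterwards. The helper name trusted_data_dir, the demo function and the temporary directory tree are assumptions made for illustration; the respond_to? guard lets the same code run on Ruby 3.2 and later, where the taint API has been removed.

```ruby
require 'tmpdir'

# Hypothetical helper, not part of PDF::Writer: locate a data directory that
# ships beside a library file and return it untainted after validation.
def trusted_data_dir(lib_file, subdir)
  # Accept only a single plain directory name, so "..", path separators
  # and "~" expansion can never reach the filesystem calls below.
  unless subdir.is_a?(String) && subdir =~ /\A[A-Za-z0-9_-]+\z/
    raise ArgumentError, "unsafe subdirectory name: #{subdir.inspect}"
  end
  # expand_path yields an absolute, normalised path; on taint-checking
  # interpreters this is the step that marks the string as tainted.
  dir = File.join(File.dirname(File.expand_path(lib_file)), subdir)
  # Clear the taint flag only now, after validation. On Ruby 3.2+ the
  # method is gone and this line is skipped.
  dir = dir.dup
  dir.untaint if dir.respond_to?(:untaint)
  # With the flag cleared, this check no longer raises SecurityError.
  raise Errno::ENOENT, dir unless File.directory?(dir)
  dir.freeze
end

# Constructed sample tree standing in for an installed library.
def demo
  Dir.mktmpdir do |root|
    Dir.mkdir(File.join(root, 'fonts'))
    lib = File.join(root, 'fontmetrics.rb')
    path = trusted_data_dir(lib, 'fonts')
    rejected = begin
      trusted_data_dir(lib, '../fonts')
      false
    rescue ArgumentError
      true
    end
    { :relative => path.sub(File.expand_path(root), ''),
      :rejected => rejected,
      :tainted  => path.respond_to?(:tainted?) && path.tainted? }
  end
end

p demo if __FILE__ == $0
```

Untainting is a statement that the value has been checked, so the validation has to come before the untaint call, never after it.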
