On Thu, 21 Jun 2001 06:20:33 +0900
"HarryO" <harryo / zipworld.com.au> wrote:

> Also, what I really wanted to do was to use eval to generate a variable
> for each of the values stored in a cookie.  However, because of the
> SAFE level at which the code is running, eval is forbidden (I'm not sure
> whether this is mod_ruby, eruby or cgi.rb).
> 
> Is it possible to override this?  I'm guessing not, since that would
> bypass the security, but I thought I'd ask, just in case.
> 

mod_ruby sets the SAFE level to 1 so you cannot use tainted strings in
eval. Cookie values are tainted by default, but you can untaint them if
you are sure they don't contain unexpected expressions.
Since you want to generate variables, you can untaint them if they
contain only certain characters:

    # \A and \z anchor the whole string; ^ and $ only anchor each line
    value.untaint if value =~ /\A\w+\z/

Maybe someone knows what the real variable-name regexp is.


Mike.
midulo.
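
The check discussed in this reply, as an added example that is not part of the original message: it validates cookie-derived names against a whole-string variable-name pattern and stores the values on an object instead of passing them to eval, so it does not depend on $SAFE or taint. The names `VAR_NAME`, `LINE_ANCHORED`, `safe_var_name?`, `cookie_vars` and the sample cookies are assumptions made for illustration, and the pattern covers ASCII local-variable names only.

```ruby
# Added example: turn cookie names into variables without eval.
# ASCII local-variable names: lowercase letter or underscore first,
# anchored to the whole string with \A and \z.
VAR_NAME = /\A[a-z_][A-Za-z0-9_]*\z/
# Line-anchored pattern, kept only to compare results.
LINE_ANCHORED = /^\w+$/
# Reserved words match VAR_NAME but cannot name a variable.
KEYWORDS = %w[alias and begin break case class def defined? do else elsif
              end ensure false for if in module next nil not or redo
              rescue retry return self super then true undef unless until
              when while yield __FILE__ __LINE__ __ENCODING__ BEGIN END].freeze

def safe_var_name?(name)
  name.is_a?(String) && name.match?(VAR_NAME) && !KEYWORDS.include?(name)
end

# Returns [holder, rejected]: accepted cookies become instance variables
# on holder; names that fail the check are listed and never evaluated.
def cookie_vars(cookies)
  holder = Object.new
  rejected = []
  cookies.each do |name, value|
    if safe_var_name?(name)
      holder.instance_variable_set("@#{name}", value)
    else
      rejected << name
    end
  end
  [holder, rejected]
end

# Constructed sample cookies (not from the original message).
SAMPLE = {
  "user"       => "harry",
  "theme"      => "dark",
  "end"        => "x",   # reserved word
  "2fast"      => "x",   # starts with a digit, yet matches \w+
  "a\nputs(1)" => "x"    # first line alone satisfies ^\w+$
}.freeze

if $PROGRAM_NAME == __FILE__
  holder, rejected = cookie_vars(SAMPLE)
  puts "accepted: #{holder.instance_variables.inspect}"
  puts "rejected: #{rejected.inspect}"
  SAMPLE.each_key do |n|
    puts "#{n.inspect}: line-anchored=#{n.match?(LINE_ANCHORED)} whole-string=#{safe_var_name?(n)}"
  end
end
```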