On May 2, 2008, at 8:55 AM, Une Bévue wrote:

> i have a cgi reading a post cgi['search']
>
> the value is the name of file which might exists under "/path/to"
>
> because i'm a newbie with cgi, i want to print only if the file exists or
> not :
>
> file="/Users/yt/man/#{cgi['search']}.html"
> print "FileTest.exist?('#{file}') = "   # here i get the right file name
> print FileTest.exist?(file)   # here i get Internal server error
> why ???
>
> this is strange to me because if i print :
>
> print FileTest.exist?("/Users/yt/man/eruby.html") #without variable
>
> i get true, without internal server error...
>
> even if i define :
> def file_exist(file)
>  Dir.glob("/Users/yt/man/*.html").each do | _file |
>    return true if _file===file
>  end
>  return false
> end
>
> and print :
>
> print file_exist(file) # NO Internal Server Error
>
> any light ?
>
> in the mean time i had a look upon the server error log, giving :
> [Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
> [Wed Apr 30 19:03:19 2008] [error] mod_ruby:
> /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)


You're running your CGI under mod_ruby, which runs under $SAFE = 1:

   http://wiki.modruby.net/en/?FAQ#SecurityError+is+raised.

This is done to protect you from using unsafe input from untrusted
sources in ways which might be dangerous, such as the one you
demonstrate above. Using an input parameter that a remote user can
modify in arbitrary ways in an operation that accesses the filesystem
is usually a bad idea. For more see the WWW Security FAQ:

   http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q16

The examples are in Perl, but most of the same principles apply to
Ruby too.

Hope this helps.
--
Michael Granger <ged / FaerieMUD.org>
Rubymage, Architect, Believer
The FaerieMUD Consortium <http://www.FaerieMUD.org/>
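An added example (mine, not code from the original thread or from mod_ruby) of the validation the reply above is pointing at: check cgi['search'] against a whitelist pattern and confirm the resolved path still sits under the man directory before calling File.exist?, rather than interpolating the raw parameter into a path. The helper names (man_page_path, man_page_exists?, demo_results), the pattern and the probe inputs are assumptions made for the demonstration; a temporary directory stands in for /Users/yt/man.

```ruby
require "tmpdir"

# Added example, not code from the original thread. The CGI value is
# validated first and only then used in a filesystem call.

# Allowed page names: an alphanumeric or underscore, then up to 63 more
# characters from a small set. This forbids "/", "\\", NUL, whitespace and
# anything beginning with ".", so ".." and hidden files never get through.
SAFE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/

# Hypothetical helper: absolute path of "#{search}.html" under base, or nil
# when the name is rejected. The expand_path comparison is defence in depth:
# even if the pattern were loosened later, a result outside base is refused.
def man_page_path(base, search)
  return nil unless search.is_a?(String) && SAFE_NAME.match?(search)

  root = File.expand_path(base)
  path = File.expand_path(File.join(root, "#{search}.html"))
  return nil unless path.start_with?(root + File::SEPARATOR)

  path
end

# The check the original CGI wanted: true only when the name is acceptable
# and names a regular file under base.
def man_page_exists?(base, search)
  path = man_page_path(base, search)
  !path.nil? && File.file?(path)
end

# Constructed demo: a temporary directory holding one page, probed with a
# mix of legitimate and hostile "search" values as a CGI might receive them.
def demo_results
  Dir.mktmpdir("man") do |dir|
    File.write(File.join(dir, "eruby.html"), "<html><body>eruby</body></html>")
    [
      "eruby",          # exists
      "missing",        # valid name, no such page
      "../etc/passwd",  # traversal attempt
      "sub/eruby",      # path separator
      ".htaccess",      # dot-prefixed
      "eruby\0",        # embedded NUL
      "",               # cgi['search'] when the parameter is absent
    ].to_h { |search| [search, man_page_exists?(dir, search)] }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each { |search, ok| puts "#{search.inspect.ljust(18)} -> #{ok}" }
end
```

Under mod_ruby's $SAFE = 1 the string is still tainted after it passes the check, so 2008-era code would also call untaint on it before handing it to File.exist?. On current Ruby (taint checking was deprecated in 2.7 and removed in 3.2) the validation above is the only barrier, which is why it has to be explicit instead of relying on the interpreter to refuse the call.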