On May 2, 2008, at 8:55 AM, Une Bue wrote:

> i have a cgi reading a post cgi['search']
>
> the value is the name of a file which might exist under "/path/to"
>
> because i'm a newbie with cgi, i want to print only whether the file
> exists or not :
>
> file="/Users/yt/man/#{cgi['search']}.html"
> print "FileTest.exist?('#{file}') = "   # here i get the right file name
> print FileTest.exist?(file)   # here i get Internal server error
> why ???
>
> this is strange to me because if i print :
>
> print FileTest.exist?("/Users/yt/man/eruby.html") #without variable
>
> i get true, without internal server error...
>
> even if i define :
> def file_exist(file)
>  Dir.glob("/Users/yt/man/*.html").each do | _file |
>    return true if _file===file
>  end
>  return false
> end
>
> and print :
>
> print file_exist(file) # NO Internal Server Error
>
> any light ?
>
> in the meantime i had a look at the server error log, giving :
> [Wed Apr 30 19:03:19 2008] [error] mod_ruby: error in ruby
> [Wed Apr 30 19:03:19 2008] [error] mod_ruby:
> /Users/yt/Sites/ruby/man-receive.rbx:54:in `exist?': Insecure operation - exist? (SecurityError)


You're running your CGI under mod_ruby, which runs under $SAFE = 1:

   http://wiki.modruby.net/en/?FAQ#SecurityError+is+raised.

This is done to protect you from using unsafe input from untrusted
sources in ways which might be dangerous, such as the one you
demonstrate above. Using an input parameter that a remote user can
modify in arbitrary ways in an operation that accesses the filesystem
is usually a bad idea. For more see the WWW Security FAQ:

   http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q16

The examples are in Perl, but most of the same principles apply to  
Ruby too.

Hope this helps.
--
Michael Granger <ged / FaerieMUD.org>
Rubymage, Architect, Believer
The FaerieMUD Consortium <http://www.FaerieMUD.org/>
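An added example (not from either poster) of the validation Michael's reply calls for: the `search` parameter is checked against a whitelist of plain page names and the expanded path is confirmed to stay under the man directory before `FileTest.exist?` is ever called. The `MAN_DIR` constant and the helper names are assumptions; the directory `/Users/yt/man` comes from the original post.

```ruby
require 'tmpdir'

# Base directory from the original post (assumption: fixed, not user-controlled).
MAN_DIR = '/Users/yt/man'

# Returns the absolute path for the requested page, or nil when the
# request is rejected. Only a simple page name is accepted: letters,
# digits, underscore, dash and dot, with no leading dot, so "/" and ".."
# never reach the filesystem call.
def safe_man_path(search, base = MAN_DIR)
  return nil if search.nil?
  return nil unless search =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\z/
  # On Ruby < 3 under mod_ruby's $SAFE = 1 the CGI value is tainted; once
  # validated it may be untainted (no-op or absent on newer rubies).
  search = search.dup.untaint if search.respond_to?(:untaint)
  path = File.expand_path("#{search}.html", base)
  # Defence in depth: confirm the resolved path is still inside base.
  return nil unless path.start_with?(File.expand_path(base) + File::SEPARATOR)
  path
end

# The check the original CGI wanted: true only for an existing, in-directory page.
def man_page_exists?(search, base = MAN_DIR)
  path = safe_man_path(search, base)
  !path.nil? && FileTest.exist?(path)
end

if __FILE__ == $0
  # Constructed demo: a temporary man directory with one page in it.
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'eruby.html'), '<html></html>')
    puts man_page_exists?('eruby', dir)             # true
    puts man_page_exists?('../../etc/passwd', dir)  # false, rejected before any disk access
  end
end
```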