Hi,

In message "[ruby-talk:03048] eruby security problem?"
    on 00/05/30, Andrew Hunt <Andy / Toolshed.Com> writes:

|Can anyone think of a danger in installing the eruby binary in
|/cgi-bin?  

I believe so.

|Since Ruby normally can read standard input for the program, this
|would seem to be a bad thing --- you could point a POST request to
|/cgi-bin/eruby directly and have full run of the show.  It looks like
|eruby_main.c will simply try to open a filename of "" if no script
|name is provided, but I just wanted to make sure that this was a safe thing
|to do...

If environment variable GATEWAY_INTERFACE is set (by HTTP server),
eruby runs in CGI mode, in which a script is loaded from the file
specified by PATH_INFO.

							matz.
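As an added illustration of the mode selection matz describes (not eruby's own code): the script comes from the file named by PATH_INFO when GATEWAY_INTERFACE is set, and from the command line otherwise. The document-root confinement check and the names `cgi_mode?`, `script_for` and `doc_root` are assumptions added here, not part of eruby.

```ruby
require "pathname"

# Added illustration, not eruby's own code: CGI mode is selected purely by
# the presence of GATEWAY_INTERFACE, which the HTTP server sets.
def cgi_mode?(env)
  gi = env["GATEWAY_INTERFACE"]
  !gi.nil? && !gi.empty?
end

# Decide which script file to load. In CGI mode the script is the file named
# by PATH_INFO, resolved under doc_root (never the request body on stdin);
# outside CGI mode the script named on the command line (argv[0]) is used.
# The doc_root confinement is an assumption added here: it returns nil when
# PATH_INFO is missing or resolves to a path outside doc_root.
def script_for(env, argv, doc_root)
  root = Pathname.new(doc_root).expand_path
  if cgi_mode?(env)
    rel = env["PATH_INFO"].to_s
    return nil if rel.empty?
    target = (root + rel.sub(%r{\A/+}, "")).expand_path
    # Reject anything that escapes the document root via ".." components.
    return nil unless target.to_s.start_with?(root.to_s + "/")
    target.to_s
  else
    argv[0]
  end
end
```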