>>>>> "J" == Jesper Olsen <Jesper / JesperOlsen.Net> writes:

J> But it is not possible with the $SAFE=1 level of the mod_ruby
J> installation provided by my web host provider (system returns false).

 Well, if system return false this is not because $SAFE = 1 but probably
 because the process can't write in out.txt

svg% pwd
/usr
svg% 

svg% ruby -e 'p system("ls>out.txt")'
sh: line 1: out.txt: No such file or directory
false
svg% 


 with $SAFE = 1, you can have a security error if the string is tainted

svg% cd
svg% 

svg% ruby -e '$SAFE = 1; p system("ls>out.txt")'
true
svg%
 
svg% ruby -e '$SAFE = 1; p system("ls>out.txt".taint)'
-e:1:in `system': Insecure operation - system (SecurityError)
        from -e:1
svg% 



Guy Decoux