ts <decoux / moulon.inra.fr> wrote in message news:<200312281652.hBSGqbb23848 / moulon.inra.fr>...
> >>>>> "J" == Jesper Olsen <Jesper / JesperOlsen.Net> writes:
>
> J> But it is not possible with the $SAFE=1 level of the mod_ruby
> J> installation provided by my web host provider (system returns false).
>
> Well, if system returns false this is not because $SAFE = 1 but probably
> because the process can't write in out.txt
>
> svg% pwd
> /usr
> svg%
>
> svg% ruby -e 'p system("ls>out.txt")'
> sh: line 1: out.txt: No such file or directory
> false
> svg%
>
>
> with $SAFE = 1, you can have a security error if the string is tainted
>
> svg% cd
> svg%
>
> svg% ruby -e '$SAFE = 1; p system("ls>out.txt")'
> true
> svg%
>
> svg% ruby -e '$SAFE = 1; p system("ls>out.txt".taint)'
> -e:1:in `system': Insecure operation - system (SecurityError)
>         from -e:1
> svg%
>
>
>
> Guy Decoux

Thanks Guy,

It is not as bad as I thought - it was not a problem of $SAFE (or taint).
Rather a problem of the cgi-process not having permission to create files
in that particular dir - so in this case also a "pure" ruby script would
have failed (- but at least it would have produced an exception).

I should have checked that of course - but I assumed mod_ruby had a
fundamental flaw which prevented system from running properly. :-)

The tainting and $SAFE levels are unique to Ruby - I tend to stumble over
them, rather than find them useful.

Jesper
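
The failure mode discussed in this thread, as an added example that is not part of either message: a shell redirect that cannot create its target makes Kernel#system return a bare false, while the pure-Ruby write raises an Errno exception. It leaves out $SAFE and taint, which current Ruby releases no longer implement; the helper names and the temporary paths are constructed for illustration.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# Kernel#system only says true/false/nil. Capture the exit status and the
# shell's stderr so a failed redirect can be told apart from other causes.
def diagnose_system(cmd, chdir:)
  _out, err, status = Open3.capture3(cmd, chdir: chdir)
  { ok: status.success?, exit_code: status.exitstatus, stderr: err.strip }
end

# Same command through Kernel#system: a plain boolean by default, or an
# exception when exception: true is passed (Ruby 2.6 and later).
def system_result(cmd, chdir:, raise_on_failure: false)
  system(cmd, chdir: chdir, err: File::NULL, exception: raise_on_failure)
rescue RuntimeError => e
  e.class
end

# Pure-Ruby counterpart of "ls > target": file errors surface as Errno::*.
def ruby_listing_to(target, dir:)
  File.write(target, Dir.children(dir).sort.join("\n") + "\n")
  :written
rescue SystemCallError => e
  e.class
end

# Constructed scenario: the redirect target's directory does not exist, so
# the write fails for any user (a read-only directory would not stop root).
def demo
  Dir.mktmpdir do |dir|
    bad  = Shellwords.escape(File.join(dir, "missing", "out.txt"))
    good = Shellwords.escape(File.join(dir, "out.txt"))
    {
      shell_bad:  diagnose_system("ls > #{bad}", chdir: dir),
      plain_bad:  system_result("ls > #{bad}", chdir: dir),
      raised_bad: system_result("ls > #{bad}", chdir: dir, raise_on_failure: true),
      ruby_bad:   ruby_listing_to(File.join(dir, "missing", "out.txt"), dir: dir),
      shell_good: diagnose_system("ls > #{good}", chdir: dir)
    }
  end
end

p demo if __FILE__ == $0
```

In a CGI handler, logging the stderr and exit code from diagnose_system is what separates "the process cannot write here" from a SecurityError raised by the interpreter.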