ts <decoux / moulon.inra.fr> wrote in message news:<200312281652.hBSGqbb23848 / moulon.inra.fr>...
> >>>>> "J" == Jesper Olsen <Jesper / JesperOlsen.Net> writes:
> 
> J> But it is not possible with the $SAFE=1 level of the mod_ruby
> J> installation provided by my web host provider (system returns false).
> 
>  Well, if system returns false this is not because $SAFE = 1 but probably
>  because the process can't write in out.txt
> 
> svg% pwd
> /usr
> svg% 
> 
> svg% ruby -e 'p system("ls>out.txt")'
> sh: line 1: out.txt: No such file or directory
> false
> svg% 
> 
> 
>  with $SAFE = 1, you can have a security error if the string is tainted
> 
> svg% cd
> svg% 
> 
> svg% ruby -e '$SAFE = 1; p system("ls>out.txt")'
> true
> svg%
>  
> svg% ruby -e '$SAFE = 1; p system("ls>out.txt".taint)'
> -e:1:in `system': Insecure operation - system (SecurityError)
>         from -e:1
> svg% 
> 
> 
> 
> Guy Decoux

Thanks Guy,

It is not as bad as I thought - it was not a problem of $SAFE (or
taint).

Rather a problem of the cgi-process not having permission to create
files in that particular dir - so in this case also a "pure" ruby script
would have failed (- but at least it would have produced an exception).

I should have checked that of course - but I assumed mod_ruby had a
fundamental flaw which prevented system from running properly. :-)

The tainting and $SAFE levels are unique to Ruby - I tend to stumble
over them, rather than find them useful.

Jesper
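
Added example, not part of either poster's message: the thread's point is that system() reports a failed shell redirect only as false, while the same write in pure Ruby raises. The sketch below keeps the exit status and the shell's stderr so the cause is visible; the helper names and the temporary paths are constructed for illustration, and it assumes Ruby 2.6 or later for `exception: true`.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# system() collapses every failure into false (non-zero exit) or nil (command
# could not be started). Capture the exit status and the shell's stderr instead.
def run_checked(cmd)
  _out, err, status = Open3.capture3(cmd)
  { ok: status.success?, exitstatus: status.exitstatus, stderr: err.strip }
end

# The same write done in pure Ruby: the failure arrives as an Errno exception.
def write_listing(path)
  File.write(path, Dir.children(Dir.pwd).sort.join("\n") + "\n")
  :written
rescue SystemCallError => e
  e.class
end

# Since Ruby 2.6, system(..., exception: true) raises instead of returning false.
def system_strict(cmd)
  system(cmd, exception: true, err: File::NULL)
  :ok
rescue RuntimeError, SystemCallError => e
  e.class
end

# Constructed scenario: redirect into a directory that does not exist, so the
# shell cannot open out.txt, as in the session quoted above.
def demo
  Dir.mktmpdir do |tmp|
    good = File.join(tmp, "out.txt")
    bad  = File.join(tmp, "missing", "out.txt")
    {
      good_shell: run_checked("ls > #{Shellwords.escape(good)}"),
      bad_shell:  run_checked("ls > #{Shellwords.escape(bad)}"),
      bad_plain:  system("ls > #{Shellwords.escape(bad)}", err: File::NULL),
      bad_strict: system_strict("ls > #{Shellwords.escape(bad)}"),
      bad_ruby:   write_listing(bad),
      good_ruby:  write_listing(good),
    }
  end
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```

In a CGI or mod_ruby handler, logging the `stderr` and `exitstatus` fields from `run_checked` separates a filesystem permission problem from a policy refusal such as the SecurityError shown in the quoted session.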