>>>>> "J" == Jim Menard <jimm / eris.io.com> writes:

J> Another puzzle: there are no complaints about the eval and require the
J> first time I load the page by directly typing the CGI parameters in the
J> URL. 

 I hope I'm wrong, but I also have the impression that the data extracted
 from the URL is not tainted.

 From cgi.rb (1.6.2)

    def initialize_query()
      if ("POST" == env_table['REQUEST_METHOD']) and
         (%r|\Amultipart/form-data.*boundary=\"?([^\";,]+)\"?|n ===
           env_table['CONTENT_TYPE'])
        boundary = $1.dup
        @params = read_multipart(boundary, Integer(env_table['CONTENT_LENGTH']))
      else
        @params = CGI::parse(
                    case env_table['REQUEST_METHOD']
                    when "GET", "HEAD"
                      if defined?(MOD_RUBY)
                        Apache::request.args or ""
                      else
                        env_table['QUERY_STRING'] or ""
                      end

 From mod_ruby-0.2.2

aestivum% grep \"args *.c
apachelib.c:    rb_define_method(rb_cApacheRequest, "args", request_args, 0);
aestivum% 

aestivum% less apachelib.c
[...]
static VALUE request_args(VALUE self)
{
    request_data *data;
 
    Data_Get_Struct(self, request_data, data);
    if (data->request->args)
        return rb_str_new2(data->request->args);
    else
        return Qnil;
}
[...]
aestivum%

 If MOD_RUBY is defined, the string is not tainted.



Guy Decoux
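
The taint gap described in this message, as an added model that is not part of the original post and is not cgi.rb or mod_ruby code. All names (Tracked, from_env, from_request_args, parse_query, guarded_eval, outcome) are hypothetical, and the taint flag is modelled explicitly rather than read from the interpreter, on the assumption that ENV values arrive tainted and that rb_str_new2 sets no taint flag.

```ruby
# Added illustration: a small model of Ruby 1.6-style taint tracking.
# Every name below is hypothetical; nothing here is cgi.rb or mod_ruby code.

# A string value plus the taint flag the interpreter would keep on it.
Tracked = Struct.new(:str, :tainted)

# Models env_table['QUERY_STRING']: values read from ENV are tainted.
def from_env(env)
  Tracked.new(env['QUERY_STRING'] || "", true)
end

# Models request_args as quoted above: rb_str_new2 sets no taint flag.
def from_request_args(args)
  Tracked.new(args || "", false)
end

# Models CGI::parse: every derived value inherits the flag of its source.
def parse_query(query)
  params = Hash.new { |h, k| h[k] = [] }
  query.str.split(/[&;]/).each do |pair|
    key, value = pair.split('=', 2)
    next if key.nil? || key.empty?
    params[key] << Tracked.new(value || "", query.tainted)
  end
  params
end

# Models the sink check: at $SAFE >= 1, eval/require reject tainted strings.
# Nothing is evaluated; the method only reports whether the check passes.
def guarded_eval(value, safe_level)
  if safe_level >= 1 && value.tainted
    raise SecurityError, "Insecure operation - eval"
  end
  :allowed
end

# Constructed sample input: the same query string sent down both paths.
QUERY = "page=index&action=show"

# Runs one parameter through the sink check and reports the result.
def outcome(source, safe_level = 1)
  guarded_eval(parse_query(source)['page'].first, safe_level)
rescue SecurityError
  :rejected
end
```

The same bytes are rejected on the QUERY_STRING path and allowed on the request_args path, because the sink check sees only the flag set where the string was created.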