$SAFE and creating New objects (File) 
 $SAFE and creating New objects (File)

Sorry for the noob question.
I've just installed mod_ruby.

Trying to create a new file and there is an Insecure operation error.

SomeFile = File.new("someFileName", "w")

What must I do then?



Sat, 06 Aug 2005 22:33:50 GMT  
 $SAFE and creating New objects (File)

Quote:
>>>>> "R" == "RayZ" Andrew V Rumm <RayZ> writes:

R> SomeFile = File.new("someFileName", "w")

 "someFileName" is probably tainted because it came from the outside. You
 must *carefully* verify that it's a valid filename and that you can use
 the filename *safely* before trying to untaint it.

Guy Decoux



Sat, 06 Aug 2005 22:43:38 GMT  
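An added example (mine, not code from the thread or from mod_ruby) of the check Guy describes: every outside-derived piece of the filename is tested against a strict pattern or an allowlist, and only a string that passed is untainted. The directory constant, the extension allowlist and the helper names (`valid_counter?`, `valid_extension?`, `untaint_checked`, `image_path`) are assumptions for illustration. The untaint call is guarded because $SAFE was removed in Ruby 3.0 and the taint methods in Ruby 3.2, so the block runs on a current interpreter as well as on the 1.6/1.8 ones this thread concerns.

```ruby
# Added example, not from the thread: validate each outside-derived piece of a
# filename before untainting it, which is what $SAFE = 1 demands. Strings read
# from a CGI request or from a file are tainted on Ruby 1.6/1.8; File.new
# refuses a tainted path, and untainting is only safe after the checks below.
# $SAFE itself was removed in Ruby 3.0 and the taint methods in Ruby 3.2, so
# the untaint call is guarded to keep the block runnable everywhere.

IMAGE_DIR_ASSUMED  = "/var/www/images/models/images/"   # constructed path
ALLOWED_EXTENSIONS = %w[.jpg .jpeg .png .gif]            # assumed allowlist

class BadFilename < StandardError; end

# A counter value is acceptable only as a bare run of digits: \A and \z reject
# a trailing newline (count.txt read without strip), separators and anything
# that could name another directory.
def valid_counter?(str)
  str.is_a?(String) && !!(str =~ /\A\d+\z/)
end

# The extension comes from image metadata, which is tainted too; accept only
# the ones the application knows how to serve.
def valid_extension?(ext)
  ext.is_a?(String) && ALLOWED_EXTENSIONS.include?(ext)
end

# Returns a trusted copy of str only if check accepts it. Where String#untaint
# exists this clears the taint bit; elsewhere the validation alone matters.
def untaint_checked(str, check)
  raise BadFilename, "rejected #{str.inspect}" unless check.call(str)
  copy = str.dup
  copy.untaint if copy.respond_to?(:untaint)
  copy
end

# Builds the destination path and confirms it still lies inside the image
# directory, a second line of defence in case a check above is ever loosened.
def image_path(counter, ext, base = IMAGE_DIR_ASSUMED)
  name = untaint_checked(counter, method(:valid_counter?))
  ext  = untaint_checked(ext, method(:valid_extension?))
  root = File.expand_path(base)
  path = File.expand_path(name + ext, root)
  raise BadFilename, "#{path} is outside #{root}" unless path.start_with?(root + "/")
  path
end

if __FILE__ == $0
  puts image_path("0042", ".jpg")
  begin
    image_path("42\n", ".jpg")        # counter read without strip: rejected
  rescue BadFilename => e
    puts "rejected: #{e.message}"
  end
end
```

In the thread's script the counter string and the extension would go through `image_path` before the `File.new(..., "w")` call; the untainted copies are what reach `File.new`, and any value that fails the pattern raises instead of being written under the document root.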
 $SAFE and creating New objects (File)
???? ?????, 18 ??????? 2003, 14:33, \ ???:
Quote:
> Trying to create new file and there an Insecure operation error.
> SomeFile = File.new("someFileName", "w")
> What must i do then?

Is the filename from GPC (Get/Post/Cookie) origin?


Sat, 06 Aug 2005 22:45:16 GMT  
 $SAFE and creating New objects (File)
Hello ts,

t>  "someFileName" is probably tainted because it came from the outside. You
t>  must *carefully* verify that it's a valid filename and that you can use
t>  the filename *safely* before trying to untaint it.

"someFileName" is generated by me. All operations are safe.
I am writing some of my own data into this file. How can I permit it?



Sat, 06 Aug 2005 22:47:50 GMT  
 $SAFE and creating New objects (File)

Quote:
>>>>> "R" == "RayZ" Andrew V Rumm <RayZ> writes:

R> "someFileName" is generated by me. All operations are safe.
R> I am writing some of my own data into this file. How can I permit it?

 What is the value of $SAFE?

 How is "someFileName" generated? Can you post the script?

Guy Decoux



Sat, 06 Aug 2005 22:52:23 GMT  
 $SAFE and creating New objects (File)

Quote:
>>>>> ts,

t>  What is the value of $SAFE?
$SAFE -> 1
t>  How is "someFileName" generated? Can you post the script?
But.. it's too big :)

#!/bhome/part2/01/gloria/ruby/bin/ruby

require 'mysql'
require 'cgi'
require 'templates'
require '../site/global'
require '../site/image'

cgi = CGI.new

action = cgi['action'][0].read.to_s
ImagesDir = ""

case action
        when 'add'
        begin
                category_id = cgi['category'][0].read.to_i   # cast to an integer so only a number is interpolated into the query

                sql = makeSQLconn()
                brand_id = sql.query("select brand_id from g_categories where id = #{category_id}").fetch_hash['brand_id'].to_i
                sql.close

                name =  cgi['name'][0].read
                description = cgi['description'][0].read

                if cgi.has_key? 'new'
                        new_val = cgi['new'][0].read
                        new = new_val == "on" ? 1 : 0
                else
                        new = 0
                end
                Imagefile = cgi['image_file'][0].read
                Thumbfile = cgi['thumbnail_file'][0].read

                ImagesDir = DocumentRoot + "/images/models/images/"
                ThumbDir = DocumentRoot + "/images/models/thumbnails/"

                ImagecounterFile = File.new(ImagesDir + "count.txt", "r+")
                ThumbcounterFile = File.new(ThumbDir + "count.txt", "r+")

                newImageFilename = ImagecounterFile.read.strip.to_s.succ
                newThumbFilename = ThumbcounterFile.read.strip.to_s.succ

                ImagecounterFile.close()
                ThumbcounterFile.close()

                ImagecounterFile = File.new(ImagesDir + "count.txt", "w")
                ThumbcounterFile = File.new(ThumbDir + "count.txt", "w")

                ImagecounterFile.write(newImageFilename)
                ThumbcounterFile.write(newThumbFilename)
                ImagecounterFile.close()
                ThumbcounterFile.close()

                i_type, i_width, i_height, i_extension = []
                t_type, t_width, t_height, t_extension = []

                image = Image::Info.new Imagefile
                thumb = Image::Info.new Thumbfile

                i_type, i_width, i_height, i_extension = image.type, image.width, image.height, image.extension
                t_type, t_width, t_height, t_extension = thumb.type, thumb.width, thumb.height, thumb.extension

                i_path = "/images/models/images/" + newImageFilename + i_extension
                t_path = "/images/models/thumbnails/" + newThumbFilename + t_extension

                newImageF



Sat, 06 Aug 2005 22:55:35 GMT  
 $SAFE and creating New objects (File)
Hi,

In message "Re: $SAFE and creating New objects (File)"

|"someFileName" is generated by me. All operations are safe.
|I am writing some of my own data into this file. How can I permit it?

Show us the code and *exact* error messages.

                                                        matz.



Sat, 06 Aug 2005 22:57:56 GMT  
 $SAFE and creating New objects (File)
Well.. it's cut off.
The other code doesn't matter.

This is an error message:

/bhome/part2/01/gloria/vcgi/_admin/processmodel.rb:68:in `initialize': Insecure operation - initialize (SecurityError)
        from /bhome/part2/01/gloria/vcgi/_admin/processmodel.rb:68:in `new'
        from /bhome/part2/01/gloria/vcgi/_admin/processmodel.rb:68
        from /bhome/part2/01/gloria/ruby/lib/ruby/1.6/apache/ruby-run.rb:70:in `load'
        from /bhome/part2/01/gloria/ruby/lib/ruby/1.6/apache/ruby-run.rb:70:in `handler'
        from ruby:0

Error at
newImageFile = File.new(ImagesDir + newImageFilename + i_extension, "w")




Sat, 06 Aug 2005 23:04:11 GMT  
 $SAFE and creating New objects (File)

Quote:
>>>>> "R" == "RayZ" Andrew V Rumm <RayZ> writes:

R>           newImageFilename = ImagecounterFile.read.strip.to_s.succ
R>           newThumbFilename = ThumbcounterFile.read.strip.to_s.succ

 These 2 Strings are tainted; they are read from a file.

 Normally you need a lock, or your counter can have problems.

Guy Decoux



Sat, 06 Aug 2005 23:07:34 GMT  
 $SAFE and creating New objects (File)
category_id = cgi['category'][0].read.to_i   # cast to an integer so only a number is interpolated into the query

sql = makeSQLconn()
brand_id = sql.query("select brand_id from g_categories where id = #{category_id}").fetch_hash['brand_id'].to_i
sql.close

name =  cgi['name'][0].read
description = cgi['description'][0].read

if cgi.has_key? 'new'
        new_val = cgi['new'][0].read
        new = new_val == "on" ? 1 : 0
else
        new = 0
end
Imagefile = cgi['image_file'][0].read
Thumbfile = cgi['thumbnail_file'][0].read

ImagesDir = DocumentRoot + "/images/models/images/"
ThumbDir = DocumentRoot + "/images/models/thumbnails/"

ImagecounterFile = File.new(ImagesDir + "count.txt", "r+")
ThumbcounterFile = File.new(ThumbDir + "count.txt", "r+")

newImageFilename = ImagecounterFile.read.strip.to_s.succ
newThumbFilename = ThumbcounterFile.read.strip.to_s.succ

ImagecounterFile.close()
ThumbcounterFile.close()

ImagecounterFile = File.new(ImagesDir + "count.txt", "w")
ThumbcounterFile = File.new(ThumbDir + "count.txt", "w")

ImagecounterFile.write(newImageFilename)
ThumbcounterFile.write(newThumbFilename)
ImagecounterFile.close()
ThumbcounterFile.close()

i_type, i_width, i_height, i_extension = []
t_type, t_width, t_height, t_extension = []

image = Image::Info.new Imagefile
thumb = Image::Info.new Thumbfile

i_type, i_width, i_height, i_extension = image.type, image.width, image.height, image.extension
t_type, t_width, t_height, t_extension = thumb.type, thumb.width, thumb.height, thumb.extension

i_path = "/images/models/images/" + newImageFilename + i_extension
t_path = "/images/models/thumbnails/" + newThumbFilename + t_extension

#-------------- This Line causes An Error
newImageFile = File.new(ImagesDir + newImageFilename + i_extension, "w")
newThumbFile = File.new(ThumbDir + newThumbFilename + t_extension, "w")

newImageFile.write(Imagefile)
newThumbFile.write(Thumbfile)
newImageFile.close()
newThumbFile.close()



Sat, 06 Aug 2005 23:13:27 GMT  
 $SAFE and creating New objects (File)
R>> newImageFilename = ImagecounterFile.read.strip.to_s.succ
R>> newThumbFilename = ThumbcounterFile.read.strip.to_s.succ

t>  These 2 String are tainted, they are read from a file.
t>  Normally you need a lock, or your counter can have problems.
Counter works properly...
Lock?



Sat, 06 Aug 2005 23:39:08 GMT  
 $SAFE and creating New objects (File)

Quote:
>>>>> "R" == "RayZ" Andrew V Rumm <RayZ> writes:

R> Counter works properly...
R> Lock?

 This is for the case where 2 CGI scripts try to read/write the same counter
 file at the same time.

 The file can be corrupted, so you must normally use a lock.

pigeon% ri File#flock
------------------------------------------------------------- File#flock
     file.flock ( aLockingConstant ) -> 0 or false
------------------------------------------------------------------------
     Locks or unlocks a file according to aLockingConstant (a logical or
     of the values in Table 22.4 on page 312). Returns false if
     File::LOCK_NB is specified and the operation would otherwise have
     blocked. Not available on all platforms.
        File.new("testfile").flock(File::LOCK_UN)   #=> 0

pigeon%

Guy Decoux



Sat, 06 Aug 2005 23:47:02 GMT  
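An added example (not code from the thread) of the counter file handled under the File#flock call Guy points at: the read, the String#succ advance the script already uses, and the write-back all happen while an exclusive lock is held, so two requests cannot both read "0007" and both hand out "0008". The paths use a temporary directory and the `next_counter` and `stress_counter` names are assumptions; the script in the thread keeps count.txt under the images directory.

```ruby
# Added example, not from the thread: a counter file advanced under an
# exclusive flock so concurrent CGI processes never hand out the same number.
require 'tmpdir'

# Reads the current counter, advances it with String#succ (as the thread's
# script does), writes it back and returns the new value. The lock is held
# from before the read until after the write; that is what makes the
# read-modify-write sequence atomic across processes sharing the file.
def next_counter(counter_path)
  File.open(counter_path, File::RDWR | File::CREAT, 0644) do |f|
    f.flock(File::LOCK_EX)              # blocks until any other holder releases
    current = f.read.strip
    current = "0000" if current.empty?  # fresh file: start the sequence
    new_value = current.succ            # "0007" -> "0008", "0099" -> "0100"
    f.rewind
    f.truncate(0)
    f.write(new_value)
    f.flush
    new_value                           # lock is released when the block closes f
  end
end

# Several threads each take `rounds` numbers from the same file; returns the
# counter's final value. Every call opens the file itself, so the locks sit on
# separate open file descriptions and really contend, as separate CGI
# processes would.
def stress_counter(counter_path, threads: 4, rounds: 25)
  workers = Array.new(threads) do
    Thread.new { rounds.times { next_counter(counter_path) } }
  end
  workers.each(&:join)
  File.read(counter_path).strip
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    path = File.join(dir, "count.txt")
    puts next_counter(path)                          # 0001
    puts stress_counter(path, threads: 4, rounds: 25) # 0101
  end
end
```

The value returned from the block is tainted on a 1.6/1.8 interpreter because it was read from a file, so under $SAFE = 1 it still has to pass a filename check before it is untainted and used in File.new; the lock fixes the corruption problem, not the taint one. As the ri text says, flock is not available on every platform.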
 $SAFE and creating New objects (File)
Hi,

In message "Re: $SAFE and creating New objects (File)"

|/bhome/part2/01/gloria/vcgi/_admin/processmodel.rb:68:in `initialize': Insecure operation - initialize (SecurityError)
|        from /bhome/part2/01/gloria/vcgi/_admin/processmodel.rb:68:in `new'
|        from /bhome/part2/01/gloria/vcgi/_admin/processmodel.rb:68
|        from /bhome/part2/01/gloria/ruby/lib/ruby/1.6/apache/ruby-run.rb:70:in `load'
|        from /bhome/part2/01/gloria/ruby/lib/ruby/1.6/apache/ruby-run.rb:70:in `handler'
|        from ruby:0
|
|
|Error at
|newImageFile = File.new(ImagesDir + newImageFilename + i_extension, "w")

This implies either ImagesDir, newImageFilename, i_extension is
tainted.  I can't tell further.

                                                        matz.



Sat, 06 Aug 2005 23:54:57 GMT  
 $SAFE and creating New objects (File)
Hello Idan,


IS> > Trying to create a new file and there is an Insecure operation error.
IS> > SomeFile = File.new("someFileName", "w")
IS> > What must I do then?
IS> Is the filename from GPC (Get/Post/Cookie) origin?

yup. From post



Sat, 27 Aug 2005 23:12:03 GMT  