
20121024-oddb2xml-spec-recall-rss-importer-job



Summary

  • update spec oddb2xml
  • Fixed tainted path in sbsm Request

Commits

oddb2xml
sbsm

Index


Recall RSS import job

Session#passthru for a static RSS file does not work locally.

Ref.

Apache got this error.

ODDB-Client-Error: Insecure operation - expand_path
SecurityError
/path/to/gems/sbsm-1.1.8/lib/sbsm/request.rb:172:in `expand_path'
/path/to/gems/sbsm-1.1.8/lib/sbsm/request.rb:172:in `drb_process'
/path/to/gems/sbsm-1.1.8/lib/sbsm/request.rb:65:in `process'
/var/www/ch.oddb.org/doc/index.rbx:21:in `<top (required)>'
/usr/lib64/ruby/1.9.1/apache/ruby-run.rb:53:in `load'
/usr/lib64/ruby/1.9.1/apache/ruby-run.rb:53:in `handler'

In sbsm/lib/sbsm/request.rb:

	# the variable @passthru is set by a trusted source
	basename = File.basename(@passthru)
	# debug: print both arguments of expand_path and their taint state
	p @passthru
	p @passthru.tainted?
	p @request.server.document_root
	p @request.server.document_root.tainted?
	fullpath = File.expand_path(@passthru,
		@request.server.document_root)
	fullpath.untaint

>>

"/path/to/ch.oddb.org/data/rss/de/fachinfo.rss"
true
"/var/www/ch.oddb.org/doc"
true

Does Apache on the production server use Ruby 1.8?

Fixed this problem.

commit
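
The lines shown above call `untaint` on the expanded path without checking where it points. As an added example (not the sbsm code and not the commit linked above), here is one way to validate the resolved path before trusting it, without relying on Ruby's taint flags. `resolve_passthru`, `PassthruError` and `ALLOWED_ROOTS` are hypothetical names, and the roots are assumed from the paths printed in the debug output.

```ruby
# Added example, not sbsm code. ALLOWED_ROOTS, PassthruError and
# resolve_passthru are hypothetical; the directories are assumptions taken
# from the sample paths printed in the debug output on this page.
ALLOWED_ROOTS = [
  "/var/www/ch.oddb.org/doc",
  "/path/to/ch.oddb.org/data/rss",
].freeze

class PassthruError < StandardError; end

# Returns the absolute, normalized path if it lies inside one of the
# allowed roots; raises PassthruError otherwise.
def resolve_passthru(passthru, document_root, roots = ALLOWED_ROOTS)
  raise PassthruError, "empty path" if passthru.nil? || passthru.empty?
  # expand_path raises ArgumentError on NUL bytes and expands "~user";
  # reject both up front so the caller sees one error type.
  raise PassthruError, "NUL byte in path" if passthru.include?("\0")
  raise PassthruError, "home expansion not allowed" if passthru.start_with?("~")

  # expand_path collapses "." and ".." lexically. An absolute passthru
  # ignores document_root, as with the fachinfo.rss path above.
  fullpath = File.expand_path(passthru, document_root)

  # Compare against "root/" so that "/data/rss-other" does not match
  # the "/data/rss" root by string prefix alone.
  inside = roots.any? do |root|
    fullpath.start_with?(File.expand_path(root) + File::SEPARATOR)
  end
  raise PassthruError, "outside allowed roots: #{fullpath}" unless inside

  # Limitation: this check is lexical. Symlinks inside an allowed root are
  # not resolved; File.realpath would do that but needs the file to exist.
  fullpath
end
```
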

NOTE

[Wed Oct 24 15:33:03 2012] [error] [client 127.0.0.1] client denied by server configuration: /path/to/ch.oddb.org/data/rss/de/price_rise.rss, referer: http://ch.oddb.yasuhiro.org

Create pseudo rss file via Job.

oddb.org has no Recall Information object in the database.
I will write the parsed text directly into the RSS file.

First, I created a sample job for RSS file creation.

Page last modified on October 24, 2012, at 09:53 AM