Jens Krämer

Passenger versus safe_erb

security, mod_rails, ruby, rails

Today I had some fun tracking down a weird problem with safe_erb. While everything worked fine running Mongrel in development mode, safe_erb complained about outputting tainted strings for every link generated by Rails’ link_to and URL helpers running on mod_rails in production mode.

Some digging around led me to the root of the problem - in production my app needs to live inside a subdirectory and so I used Passenger's RailsBaseURI directive to tell it so. The value configured this way ends up tainted in AbstractRequest’s relative_url_root for some reason, which in turn makes every URL generated by Rails tainted.


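```ruby
class ActionController::AbstractRequest
  # Untaint the relative URL root only if it is blank or a single
  # alphanumeric path segment.
  def relative_url_root_with_untaint
    relroot = relative_url_root_without_untaint
    # \A and \z anchor at the string boundaries; ^ and $ would match at any
    # line boundary and let multi-line values through.
    relroot.untaint if relroot.blank? or relroot =~ /\A\/[a-zA-Z0-9]*\z/
    return relroot
  end
  alias_method_chain :relative_url_root, :untaint
end
```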

This untaints the relative_url_root value if it matches the regexp. Place it in application.rb or some file that is required during application startup to fix the problem. I’m still not sure whether this is a bug and if so, whose bug it is - should (if possible at all) mod_rails untaint this value in the first place, or is it a bug with Rails not escaping something somewhere?
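Because the untaint decision rests entirely on the regexp, how it is anchored matters: in Ruby, `^` and `$` match at line boundaries, while `\A` and `\z` match only at the ends of the string. The following is an added example, not code from the original post; the constant and method names and all sample values are constructed, and it returns the decision instead of calling `untaint` so that it also runs on Ruby versions without taint tracking.

```ruby
# Added example: two anchorings of the whitelist regexp for a base URI.
LINE_ANCHORED   = /^\/[a-zA-Z0-9]*$/    # ^ and $ match at every line boundary
STRING_ANCHORED = /\A\/[a-zA-Z0-9]*\z/  # \A and \z match only at string ends

# Returns true when +value+ is acceptable as a relative URL root:
# nil/empty (app mounted at the root) or a single alphanumeric path segment.
def trusted_base_uri?(value, pattern = STRING_ANCHORED)
  return true if value.nil? || value.empty?
  !!(value =~ pattern)
end

# Constructed sample values. The first three are plausible base URI settings;
# the remaining ones are values the check is meant to reject.
SAMPLES = [
  nil,
  "",
  "/myapp",
  "/my app",
  "/myapp\n",
  "/myapp\n<b>not a path</b>",
  "<b>not a path</b>\n/myapp",
]

# Returns [value, accepted_by_line_anchored, accepted_by_string_anchored].
def compare(samples = SAMPLES)
  samples.map do |s|
    [s, trusted_base_uri?(s, LINE_ANCHORED), trusted_base_uri?(s, STRING_ANCHORED)]
  end
end

if __FILE__ == $0
  compare.each do |value, line, string|
    printf("%-34s line-anchored=%-5s string-anchored=%s\n",
           value.inspect, line, string)
  end
end
```

The last three samples are accepted by the line-anchored pattern because one of their lines looks like a valid path, while the string-anchored pattern rejects them.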

The fact that URLs used with Rails’ form helpers didn’t yield safe_erb errors, but those supplied to link_to did makes me think that there’s at least some inconsistency in the way URLs are treated by Rails’ helpers…

