Passenger versus safe_erb
Today I had some fun tracking down a weird problem with
safe_erb. While everything worked fine running Mongrel in development mode,
safe_erb complained about outputting tainted strings for every link generated by Rails’
link_to and URL helpers running on mod_rails in production mode.
Some digging around led me to the root of the problem - in production my app needs to live inside a subdirectory and so I used Passengers
RailsBaseURI directive to tell it so. The value configured this way ends up tainted in AbstractRequest’s
relative_url_root for some reason, which in turn makes every URL generated by Rails tainted.
relroot = relative_url_root_without_untaint
relroot.untaint if relroot =~ /^\/[a-zA-Z0-9]*$/ or relroot.blank?
alias_method_chain :relative_url_root, :untaint
This untaints the
relative_url_root value if it matches the regexp. Place into application.rb or some file that is required during application startup to fix the problem. I’m still not sure whether this is a bug and if so, whose bug it is - should (if possible at all)
mod_rails untaint this value in the first place, or is it a bug with Rails not escaping something somewhere?
The fact that URLs used with Rails’ form helpers didn’t yield
safe_erb errors, but those supplied to
link_to did makes me think that there’s at least some inconsistency in the way URLs are treated by Rails’ helpers…