From: cabo@... Date: 2017-06-02T15:23:21+00:00 Subject: [ruby-core:81531] [Ruby trunk Feature#3719] open-uri should allow redirects from http to https Issue #3719 has been updated by cabo (Carsten Bormann). (I have no idea why I deleted the parent task, sorry about that.) ---------------------------------------- Feature #3719: open-uri should allow redirects from http to https https://bugs.ruby-lang.org/issues/3719#change-65236 * Author: hansdegraaff (Hans de Graaff) * Status: Assigned * Priority: Normal * Assignee: akr (Akira Tanaka) * Target version: next minor ---------------------------------------- =begin Currently open-uri does not allow redirects from http to https. http://redmine.ruby-lang.org/repositories/revision/1?rev=21381 reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL: + def OpenURI.redirectable?(uri1, uri2) # :nodoc: + # This test is intended to forbid a redirection from http://... to + # file:///etc/passwd. + # However this is ad hoc. It should be extensible/configurable. + uri1.scheme.downcase == uri2.scheme.downcase || + (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme) + end I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same. =end -- https://bugs.ruby-lang.org/ Unsubscribe: