From: shyouhei@...
Date: 2017-06-02T15:28:00+00:00
Subject: [ruby-core:81533] [Ruby trunk Feature#3719][Closed] open-uri should allow redirects from http to https

Issue #3719 has been updated by shyouhei (Shyouhei Urabe).

Status changed from Assigned to Closed

OK, Closing. Thank you.

----------------------------------------
Feature #3719: open-uri should allow redirects from http to https
https://bugs.ruby-lang.org/issues/3719#change-65238

* Author: hansdegraaff (Hans de Graaff)
* Status: Closed
* Priority: Normal
* Assignee: akr (Akira Tanaka)
* Target version: next minor
----------------------------------------
=begin
 Currently open-uri does not allow redirects from http to https. http://redmine.ruby-lang.org/repositories/revision/1?rev=21381 reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL:
 
 +  def OpenURI.redirectable?(uri1, uri2) # :nodoc:
 +    # This test is intended to forbid a redirection from http://... to
 +    # file:///etc/passwd.
 +    # However this is ad hoc.  It should be extensible/configurable.
 +    uri1.scheme.downcase == uri2.scheme.downcase ||
 +      (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
 +  end
 
 I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same.
=end




-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>