From: akr@...
Date: 2017-10-21T09:06:53+00:00
Subject: [ruby-core:83438] [Ruby trunk Bug#5950][Closed] open-uri: https	redirect fix

Issue #5950 has been updated by akr (Akira Tanaka).

Status changed from Assigned to Closed
Parent task deleted (#859)

closed as [Feature #859]

----------------------------------------
Bug #5950: open-uri: https redirect fix 
https://bugs.ruby-lang.org/issues/5950#change-67407

* Author: azet (Aaron Zauner)
* Status: Closed
* Priority: Normal
* Assignee: akr (Akira Tanaka)
* Target version: 
* ruby -v: ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux] 
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
open-uri raises an exception if a http/s redirect refers to https.


original mail to the maintainer with a quickfix: https://gist.github.com/1704932

--snip--
# this is taken from the original ruby open-uri class,
# fixed this to support secure socket http redirects:
def OpenURI.redirectable?(uri1, uri2) # :nodoc:
    # This test is intended to forbid a redirection from http://... to
    # file:///etc/passwd.
    # However this is ad hoc.  It should be extensible/configurable.
    uri1.scheme.downcase == uri2.scheme.downcase ||
    (/\A(?:http|ftp|https)\z/i =~ uri1.scheme && /\A(?:http|ftp|https)\z/i =~
uri2.scheme)
end
--snip--



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>