From: merch-redmine@...
Date: 2019-06-02T03:52:05+00:00
Subject: [ruby-core:92926] [Ruby trunk Misc#15893] open-uri: URI.open status

Issue #15893 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to akr (Akira Tanaka)
Status changed from Open to Assigned
File deprecate-open-uri-kernel-open.patch added

While the conversion from `open` or `Kernel.open` to `URI.open` is simple, this is likely to break a lot of existing Ruby code. However, I can see the security advantages of deprecating this, as having `open` implicitly open URIs is a security footgun. For that reason, I am in favor of the deprecation and eventual removal.

akr is the maintainer of `open-uri`, so I'm assigning this to him. In case he decides to deprecate this, attached is a patch for the deprecation. It makes `Kernel.open` call `URI.open` in cases where `URI.open` would handle it, warning in that case. To avoid warning when calling `Kernel.open` with a `Pathname` instance, it does not delegate to `URI.open` if the object responds to `to_path`.

----------------------------------------
Misc #15893: open-uri: URI.open status
https://bugs.ruby-lang.org/issues/15893#change-78301

* Author: zverok (Victor Shepelev)
* Status: Assigned
* Priority: Normal
* Assignee: akr (Akira Tanaka)
----------------------------------------
On the one hand, Ruby 2.5's NEWS [stated](https://github.com/ruby/ruby/commit/bf287424fd00c0304c836525bb52d89fc1f4a84a#diff-ff4e2dc4962dc25a1512353299992c8dR298):

> URI.open method defined as an alias to open-uri's Kernel.open. open-uri's Kernel.open will be deprecated in future.

I believe there were good reasons for that decision. On the other hand,

* no movements in this direction were done since 2.5
* `URI.open` [is excluded](https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb#L43) from `open-uri`'s docs, and the main library's [documentation](https://ruby-doc.org/stdlib-2.5.0/libdoc/open-uri/rdoc/OpenURI.html) doesn't mention this option as preferred or even existing.

I'd like to know what is the real status of this library and its migration to (safer) `URI.open`? Should a patch be provided to change the library's docs accordingly? Maybe even change the code (still leaving `Kernel.open` option, but just as an alias, moving the implementation away from that method)?

---Files--------------------------------
deprecate-open-uri-kernel-open.patch (21.3 KB)
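
An added example, not part of the message above or of the attached patch: a Ruby sketch of the dispatch the comment describes, showing which arguments an open-uri-patched `open` would treat as a URL and a wrapper that refuses them when only a local file is expected. The `scheme://` pattern and the list of fetchable schemes are assumptions about open-uri's behaviour, and `classify_open_target` and `open_local_file` are hypothetical names.

```ruby
require 'uri'
require 'pathname'

# Assumption: a string counts as a URL when it starts with "scheme://" and
# parses to a scheme open-uri can fetch. Neither constant comes from the patch.
URL_LIKE = %r{\A[A-Za-z][A-Za-z0-9+\-.]*://}
FETCHABLE_SCHEMES = %w[http https ftp].freeze

# Returns :uri when an open-uri style `open` would go to the network,
# :local when the argument would be passed to the ordinary file open.
def classify_open_target(name)
  # Pathname, File and other path-like objects are never delegated.
  return :local if name.respond_to?(:to_path)

  if name.is_a?(URI::Generic)
    return FETCHABLE_SCHEMES.include?(name.scheme.to_s.downcase) ? :uri : :local
  end

  return :local unless name.respond_to?(:to_str) && URL_LIKE.match?(name.to_str)

  begin
    uri = URI.parse(name.to_str)
  rescue URI::InvalidURIError
    # Choice made for this sketch: an unparsable string is not a fetchable URL.
    return :local
  end
  FETCHABLE_SCHEMES.include?(uri.scheme.to_s.downcase) ? :uri : :local
end

# Hypothetical wrapper for call sites that must only ever read local files.
# File.open never fetches URLs; the explicit check turns a URL-shaped
# argument into a clear error instead of a confusing "no such file".
def open_local_file(name, mode = 'r', &block)
  unless classify_open_target(name) == :local
    raise ArgumentError, "refusing to open remote resource: #{name.inspect}"
  end
  File.open(name, mode, &block)
end
```

Running `classify_open_target` over the arguments of existing `open` calls is one way to find the call sites that a move to explicit `URI.open` would affect.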