Project

General

Profile

Misc #15893

open-uri: URI.open status

Added by zverok (Victor Shepelev) about 2 months ago. Updated 7 days ago.

Status:
Closed
Priority:
Normal
[ruby-core:92922]

Description

On the one hand, Ruby 2.5's NEWS stated:

URI.open method defined as an alias to open-uri's Kernel.open. open-uri's Kernel.open will be deprecated in future.

I believe there were good reasons for that decision.

On the other hand,

  • no movements in this direction were done since 2.5
  • URI.open is excluded from open-uri's docs, and the main library's documentation doesn't mention this option as preferred or even existing.

I'd like to know what the real status of this library and its migration to (safer) URI.open?
Should a patch be provided to change the library's docs accordingly?
Maybe even change the code (still leaving Kernel.open option, but just as an alias, moving the implementation away from that method)?


Files

deprecate-open-uri-kernel-open.patch (21.3 KB) deprecate-open-uri-kernel-open.patch jeremyevans0 (Jeremy Evans), 06/02/2019 03:46 AM

Associated revisions

Revision 05aac90a
Added by akr (Akira Tanaka) 7 days ago

Warn open-uri's "open" method at Kernel.

Use URI.open instead.

Thanks for the patch by jeremyevans0 (Jeremy Evans) [Misc #15893].

History

Updated by jeremyevans0 (Jeremy Evans) about 2 months ago

While the conversion from open or Kernel.open to URI.open is simple, this is likely to break a lot of existing Ruby code. However, I can see the security advantages of deprecating this, as having open implicitly open URIs is a security footgun. For that reason, I am in favor of the deprecation and eventual removal.

akr is the maintainer of open-uri, so I'm assigning this to him. In case he decides to deprecate this, attached is a patch for the deprecation. It makes Kernel.open call URI.open in cases where URI.open would handle it, warning in that case. To avoid warning when calling Kernel.open with a Pathname instance, it does not delegate to URI.open if the object responds to to_path.

#2

Updated by akr (Akira Tanaka) 7 days ago

  • Status changed from Assigned to Closed

Applied in changeset git|05aac90a1bcfeb180f5e78ea8b00a4d1b04d5eed.


Warn open-uri's "open" method at Kernel.

Use URI.open instead.

Thanks for the patch by jeremyevans0 (Jeremy Evans) [Misc #15893].

Also available in: Atom PDF