Project

General

Profile

Actions

Feature #3719

closed

open-uri should allow redirects from http to https

Added by hansdegraaff (Hans de Graaff) about 14 years ago. Updated over 7 years ago.

Status:
Closed
Target version:
[ruby-core:31771]

Description

=begin
Currently open-uri does not allow redirects from http to https. http://redmine.ruby-lang.org/repositories/revision/1?rev=21381 reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL:

  • def OpenURI.redirectable?(uri1, uri2) # :nodoc:
  • This test is intended to forbid a redirection from http://... to

  • file:///etc/passwd.

  • However this is ad hoc. It should be extensible/configurable.

  • uri1.scheme.downcase == uri2.scheme.downcase ||
  •  (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
    
  • end

I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same.
=end

Actions #1

Updated by shyouhei (Shyouhei Urabe) about 14 years ago

  • Status changed from Open to Assigned
  • Assignee set to akr (Akira Tanaka)

=begin

=end

Updated by josephholsten (Joseph Holsten) over 13 years ago

=begin
I'm still seeing this issue. I like the way this patch works, allowing redirection from http to https but not the other way.

What needs to happen for this to be applied?
=end

Updated by mame (Yusuke Endoh) almost 12 years ago

  • Description updated (diff)
  • Target version set to 2.6

Updated by akr (Akira Tanaka) over 11 years ago

  • Parent task set to #859
Actions #5

Updated by gary4gar (Gaurish Sharma) over 9 years ago

I am wondering, What's the status of this? if help is required to push this forward. I am willing to help

Updated by cabo (Carsten Bormann) over 7 years ago

  • Parent task deleted (#859)

With #859 fixed (thank you!), can this now be closed?

Updated by cabo (Carsten Bormann) over 7 years ago

(I have no idea why I deleted the parent task, sorry about that.)

Updated by shyouhei (Shyouhei Urabe) over 7 years ago

  • Status changed from Assigned to Closed

OK, Closing. Thank you.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0