Feature #859 (closed)
open-uri doesn't allow redirection to https
Added by romanbsd (Roman Shterenzon) almost 17 years ago. Updated over 8 years ago.
Description
Only ftp and http are checked in the regex in the OpenURI.redirectable? method.
Please see the attached patch.
Files
open-uri.rb.patch (547 Bytes), uploaded by romanbsd (Roman Shterenzon), 12/12/2008 03:16 AM
        
#1 Updated by shyouhei (Shyouhei Urabe) over 16 years ago
- Assignee set to akr (Akira Tanaka)
        
#2 Updated by akr (Akira Tanaka) over 16 years ago
- ruby -v set to -
[ruby-core:21203]
        
#3 Updated by romanbsd (Roman Shterenzon) over 16 years ago
Originally reported on:
ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]
        
#4 Updated by romanbsd (Roman Shterenzon) over 16 years ago
I quote from [ruby-core:21234]:
But first of all the HTTP --> HTTPS redirection should still be considered ok.
Regarding the other way, well, the Referer should be set to the URL that redirected us. I believe this is not currently implemented. As for cookies, AFAIK there's no direct support for cookies in Net::HTTP nor open-uri, so if the programmer wants to use cookies, she has to set them manually via a "Cookie" header. And since no support for cookies as per RFC2109 is in place, no security measures are implemented. So for example one URL can redirect to another (also HTTP) URL, which is in another domain, and the cookie (actually header) will be sent anyway. So the fact that the "secure" attribute of cookies is unsupported diminishes in light of this. Therefore I think that redirecting from HTTPS to HTTP should be considered ok too.
        
#5 Updated by nobu (Nobuyoshi Nakada) about 16 years ago
Hi,
At Tue, 3 Feb 2009 17:53:36 +0900,
Roman Shterenzon wrote in [ruby-core:21797]:
I quote from [ruby-core:21234] :
But first of all the HTTP --> HTTPS redirection should be still considered ok.
Then your previous patch is wrong.
Index: lib/open-uri.rb
--- lib/open-uri.rb	(revision 24735)
+++ lib/open-uri.rb	(working copy)
@@ -241,5 +241,5 @@ module OpenURI
# However this is ad hoc.  It should be extensible/configurable.
uri1.scheme.downcase == uri2.scheme.downcase ||
- (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
- (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
 end
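Review bot: As quoted, both regex lines carry a `-` prefix and there is no `+` line, so the hunk as shown deletes the condition without adding a replacement; the second line, `- (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)`, is evidently meant to be the `+` line. On the logic itself: uri1 stays restricted to http/ftp while uri2 may now be https, so http -> https (and ftp -> https) becomes allowed while https -> http is still refused, which is the upgrade-only asymmetry the thread asks for; the "However this is ad hoc" comment directly above should say explicitly that the downgrade is rejected on purpose, so a later cleanup does not make the check symmetric.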
--
Nobu Nakada
        
#6 Updated by shyouhei (Shyouhei Urabe) about 16 years ago
- Status changed from Open to Closed
        
#7 Updated by xaviershay (Xavier Shay) over 14 years ago [ruby-core:36302]
Why was this closed? This bug is still present in trunk. A patch was reverted in r21381, but it was not the patch that Nobuyoshi has proposed, and there was no indication as to why it was reverted (my guess is because it allowed https -> http redirection).
        
#8 Updated by naruse (Yui NARUSE) over 14 years ago [ruby-core:36303]
- Status changed from Closed to Assigned
- Priority changed from 3 to Normal
        
#9 Updated by nahi (Hiroshi Nakamura) over 14 years ago [ruby-core:37444]
- Target version set to 1.9.3
Tanaka-san, please handle this.
        
#10 Updated by nahi (Hiroshi Nakamura) over 14 years ago [ruby-core:38584]
Akr, I think we agreed that http -> https redirection is OK. If you don't like an ad-hoc change for 1.9.3, I can do that uglish thing instead of you. :) Do you mind if I do that?
        
#11 Updated by akr (Akira Tanaka) about 14 years ago [ruby-core:38652]
- Target version changed from 1.9.3 to 2.0.0
I'd like a generic solution, especially because open-uri doesn't provide a way to specify headers for each request during redirection.
        
#12 Updated by jaimeiniesta (Jaime Iniesta) almost 13 years ago [ruby-core:50530]
I've packed this patch as a gem:
        
#13 Updated by mame (Yusuke Endoh) almost 13 years ago
- Tracker changed from Bug to Feature
        
#14 Updated by mame (Yusuke Endoh) almost 13 years ago [ruby-core:50711]
- Target version changed from 2.0.0 to 2.6
        
#15 Updated by naruse (Yui NARUSE) almost 11 years ago [ruby-core:66032]
FYI, HTML5 defines whether it should redirect or not:
http://www.w3.org/TR/2014/REC-html5-20141028/infrastructure.html#processing-model
        
#16 Updated by cabo (Carsten Bormann) about 9 years ago [ruby-core:77086]
A typical example of the consequences of this 7-year-old bug is https://github.com/cabo/kramdown-rfc2629/issues/27
Please wake up and fix this. Now.
        
#17 Updated by akr (Akira Tanaka) about 9 years ago
- Status changed from Assigned to Closed
Applied in changeset r56085.
lib/open-uri.rb: Allow http to https redirection.
- lib/open-uri.rb: Allow http to https redirection.
  Note that https to http is still forbidden.
  [ruby-core:20485] [Feature #859] by Roman Shterenzon.
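A worked version of the redirect rule that comment #5's patch proposes and comment #17 finally applies, added here as an example and not the code of lib/open-uri.rb: same scheme is fine, plain http and ftp may redirect to each other, http may be upgraded to https, and an https to http downgrade is refused. The module name RedirectPolicy, the follow helper and the sample redirect chains are constructed for illustration.

```ruby
require "uri"

# Added example, not the code of lib/open-uri.rb. RedirectPolicy mirrors the
# rule the thread converged on: same scheme is fine, plain http/ftp may
# redirect to each other (the original open-uri rule), and http may be
# upgraded to https. The reverse, https -> http, is refused so that a request
# made over TLS is never silently continued in clear text by following a
# Location header.
module RedirectPolicy
  class RedirectRefused < StandardError; end

  SOURCE = /\A(?:http|ftp)\z/i   # schemes a redirect may start from (unchanged)
  TARGET = /\A(?:https?|ftp)\z/i # schemes a redirect may land on (https added)

  # True when a redirect from uri1 to uri2 may be followed. Accepts strings or
  # URI objects; a missing scheme on either side is always refused.
  def self.redirectable?(uri1, uri2)
    s1 = to_uri(uri1).scheme.to_s.downcase
    s2 = to_uri(uri2).scheme.to_s.downcase
    return false if s1.empty? || s2.empty?

    s1 == s2 || (SOURCE.match?(s1) && TARGET.match?(s2))
  end

  # Walks a constructed chain of Location header values (no network involved)
  # and returns the final URL as a string. Relative Locations are resolved
  # against the URL being redirected from, as a client would do. Raises
  # RedirectRefused on a policy violation or when the hop limit is exceeded.
  def self.follow(start, locations, limit: 5)
    current = to_uri(start)
    locations.each_with_index do |loc, hop|
      raise RedirectRefused, "more than #{limit} redirects" if hop >= limit

      target = URI.join(current, loc)
      unless redirectable?(current, target)
        raise RedirectRefused,
              "refusing #{current.scheme} -> #{target.scheme} redirect to #{target}"
      end
      current = target
    end
    current.to_s
  end

  def self.to_uri(u)
    u.is_a?(URI::Generic) ? u : URI.parse(u)
  end
  private_class_method :to_uri
end

if __FILE__ == $PROGRAM_NAME
  # Constructed redirect chains, not captured traffic.
  puts RedirectPolicy.follow("http://a.example/", ["https://a.example/login", "/home"])
  begin
    RedirectPolicy.follow("https://a.example/", ["http://a.example/plain"])
  rescue RedirectPolicy::RedirectRefused => e
    puts e.message
  end
end
```

The check is deliberately asymmetric: the source regex is left as it was, and only the target regex gains `https`, which is exactly why a downgrade still fails while an upgrade passes. The follow helper shows the other half a real client needs, a hop limit and relative Location resolution, so the policy is applied to the URL actually being fetched and not to the raw header value.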