
[OpenURI] Reworked support for http to https redirects.

fabiopelosin committed Aug 22, 2012
1 parent fcf0b37 commit 314f2717d700997fe0c3bab156041f06a79083dd
Showing with 16 additions and 33 deletions.
  1. +1 −0 CHANGELOG.md
  2. +1 −1 lib/cocoapods/dependency.rb
  3. +1 −1 lib/cocoapods/executable.rb
  4. +13 −31 lib/cocoapods/open_uri.rb
@@ -4,6 +4,7 @@
###### Bug fixes
- The final project isn’t affected anymore by the `inhibit_all_warnings!` option.
+- Support for redirects while using podspec from an url. [#462](https://github.com/CocoaPods/CocoaPods/issues/462)
## 0.12.0
@@ -192,7 +192,7 @@ def copy_external_source_into_sandbox(sandbox, _)
output_path = sandbox.root + "Local Podspecs/#{name}.podspec"
output_path.dirname.mkpath
puts " * Fetching podspec for `#{name}' from: #{@params[:podspec]}" unless config.silent?
- open(@params[:podspec], {:allow_unsafe_redirects => true}) do |io|
+ open(@params[:podspec]) do |io|
output_path.open('w') { |f| f << io.read }
end
end
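Review bot: The new `open(@params[:podspec]) do |io|` call goes through `Kernel#open`, which open-uri only wraps — a string that is not an http/ftp URI falls back to the plain `open`, and a value beginning with `|` is executed as a shell command rather than fetched. Presumably `:podspec` comes from the Podfile the user wrote, so exposure is limited, but if this parameter is meant to be a URL only (as the "Fetching podspec ... from:" message on the line above suggests), `OpenURI.open_uri(@params[:podspec]) do |io|` fetches the same URLs, rejects non-URI strings with an `ArgumentError`, and removes the pipe behaviour entirely. If local paths are also expected here, document that in a comment instead. The enclosing `copy_external_source_into_sandbox` starts outside this hunk.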
@@ -40,7 +40,7 @@ def executable(name)
if should_raise
raise Informative, "#{name} #{command}\n\n#{output}"
else
- puts (Config.instance.verbose? ? ' ' : '') << "[!] Failed: #{full_command}".red unless Config.instance.silent?
+ puts((Config.instance.verbose? ? ' ' : '') << "[!] Failed: #{full_command}".red) unless Config.instance.silent?
end
end
output
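Review bot: The rewritten `puts((Config.instance.verbose? ? ' ' : '') << "[!] Failed: #{full_command}".red) unless ...` fixes the warning but packs a ternary, a destructive `<<` on a literal and a colourised interpolation into one line, which is hard to read. Splitting it keeps the same output: `indent = Config.instance.verbose? ? ' ' : ''` followed by `puts indent + "[!] Failed: #{full_command}".red unless Config.instance.silent?`. The enclosing `executable` method starts outside this hunk.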
@@ -1,40 +1,22 @@
require 'open-uri'
+
+# Inspiration from: https://gist.github.com/1271420
#
-# From: https://gist.github.com/1271420
-#
-# Allow open-uri to follow unsafe redirects (i.e. https to http).
+# Allow open-uri to follow http to https redirects.
# Relevant issue:
# http://redmine.ruby-lang.org/issues/3719
# Source here:
# https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb
-module OpenURI
- class <<self
- alias_method :open_uri_original, :open_uri
- alias_method :redirectable_cautious?, :redirectable?
-
- def redirectable_baller? uri1, uri2
- valid = /\A(?:https?|ftp)\z/i
- valid =~ uri1.scheme.downcase && valid =~ uri2.scheme
- end
- end
-
- # The original open_uri takes *args but then doesn't do anything with them.
- # Assume we can only handle a hash.
- def self.open_uri name, options = {}, &block
- value = options.delete :allow_unsafe_redirects
- if value
- class <<self
- remove_method :redirectable?
- alias_method :redirectable?, :redirectable_baller?
- end
- else
- class <<self
- remove_method :redirectable?
- alias_method :redirectable?, :redirectable_cautious?
- end
- end
-
- self.open_uri_original name, options, &block
+module OpenURI
+ def OpenURI.redirectable?(uri1, uri2) # :nodoc:
+ # This test is intended to forbid a redirection from http://... to
+ # file:///etc/passwd, file:///dev/zero, etc. CVE-2011-1521
+ # https to http redirect is also forbidden intentionally.
+ # It avoids sending secure cookie or referer by non-secure HTTP protocol.
+ # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
+ # However this is ad hoc. It should be extensible/configurable.
+ uri1.scheme.downcase == uri2.scheme.downcase ||
+ (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
end
end
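Review bot: The redefinition of `OpenURI.redirectable?` is unconditional and process-global, so it replaces whatever redirect policy the installed Ruby ships (stricter or newer) for every open-uri call made by anything loaded alongside CocoaPods, and it emits a method-redefined warning under `-w`. Since the purpose stated in the header comment is only to permit http to https, the patch should apply only when the running stdlib still rejects that case, and the body should permit exactly that pair. The regex on the last line also admits http to ftp and ftp to http(s), which the comment "Allow open-uri to follow http to https redirects" does not mention; if ftp is intended, say so there, otherwise tighten it as below.
```ruby
module OpenURI
  # Only patch when the installed stdlib still rejects http -> https.
  unless OpenURI.redirectable?(URI.parse('http://example.com/'), URI.parse('https://example.com/'))
    def OpenURI.redirectable?(uri1, uri2) # :nodoc:
      # … unchanged: CVE-2011-1521 / https -> http rationale comments …
      uri1.scheme.downcase == uri2.scheme.downcase ||
        (uri1.scheme.downcase == 'http' && uri2.scheme.downcase == 'https')
    end
  end
end
```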
