[OpenURI] Reworked support for http to https redirects.

CocoaPods · Aug 22, 2012 · 314f271 · 314f271
1 parent fcf0b37
commit 314f271
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 33 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 ###### Bug fixes
 
 - The final project isn’t affected anymore by the `inhibit_all_warnings!` option.
+- Support for redirects while using podspec from an url. [#462](https://github.com/CocoaPods/CocoaPods/issues/462)
 
 ## 0.12.0
 

diff --git a/lib/cocoapods/dependency.rb b/lib/cocoapods/dependency.rb
@@ -192,7 +192,7 @@ def copy_external_source_into_sandbox(sandbox, _)
           output_path = sandbox.root + "Local Podspecs/#{name}.podspec"
           output_path.dirname.mkpath
           puts "  * Fetching podspec for `#{name}' from: #{@params[:podspec]}" unless config.silent?
-          open(@params[:podspec], {:allow_unsafe_redirects => true}) do |io|
+          open(@params[:podspec]) do |io|
             output_path.open('w') { |f| f << io.read }
           end
         end

diff --git a/lib/cocoapods/executable.rb b/lib/cocoapods/executable.rb
@@ -40,7 +40,7 @@ def executable(name)
           if should_raise
             raise Informative, "#{name} #{command}\n\n#{output}"
           else
-            puts (Config.instance.verbose? ? '   ' : '') << "[!] Failed: #{full_command}".red unless Config.instance.silent?
+            puts((Config.instance.verbose? ? '   ' : '') << "[!] Failed: #{full_command}".red) unless Config.instance.silent?
           end
         end
         output

diff --git a/lib/cocoapods/open_uri.rb b/lib/cocoapods/open_uri.rb
@@ -1,40 +1,22 @@
 require 'open-uri'
+
+# Inspiration from: https://gist.github.com/1271420
 #
-# From: https://gist.github.com/1271420
+# Allow open-uri to follow http to https redirects.
-#
-# Allow open-uri to follow unsafe redirects (i.e. https to http).
 # Relevant issue:
 # http://redmine.ruby-lang.org/issues/3719
 # Source here:
 # https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb
-module OpenURI
-  class <<self
-    alias_method :open_uri_original, :open_uri
-    alias_method :redirectable_cautious?, :redirectable?
-
-    def redirectable_baller? uri1, uri2
-      valid = /\A(?:https?|ftp)\z/i
-      valid =~ uri1.scheme.downcase && valid =~ uri2.scheme
-    end
-  end
-
-  # The original open_uri takes *args but then doesn't do anything with them.
-  # Assume we can only handle a hash.
-  def self.open_uri name, options = {}, &block
-    value = options.delete :allow_unsafe_redirects
 
-    if value
+module OpenURI
-      class <<self
+  def OpenURI.redirectable?(uri1, uri2) # :nodoc:
-        remove_method :redirectable?
+    # This test is intended to forbid a redirection from http://... to
-        alias_method :redirectable?, :redirectable_baller?
+    # file:///etc/passwd, file:///dev/zero, etc.  CVE-2011-1521
-      end
+    # https to http redirect is also forbidden intentionally.
-    else
+    # It avoids sending secure cookie or referer by non-secure HTTP protocol.
-      class <<self
+    # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
-        remove_method :redirectable?
+    # However this is ad hoc.  It should be extensible/configurable.
-        alias_method :redirectable?, :redirectable_cautious?
+    uri1.scheme.downcase == uri2.scheme.downcase ||
-      end
+    (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
-    end
-
-    self.open_uri_original name, options, &block
   end
 end