Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[OpenURI] Reworked support for http to https redirects.
1 parent fcf0b37, commit 314f271
Showing 4 changed files with 16 additions and 33 deletions.
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -1,40 +1,22 @@ | |||
require 'open-uri' | require 'open-uri' | ||
|
|||
# Inspiration from: https://gist.github.com/1271420 | |||
# | # | ||
# From: https://gist.github.com/1271420 | # Allow open-uri to follow http to https redirects. | ||
# | |||
# Allow open-uri to follow unsafe redirects (i.e. https to http). | |||
# Relevant issue: | # Relevant issue: | ||
# http://redmine.ruby-lang.org/issues/3719 | # http://redmine.ruby-lang.org/issues/3719 | ||
# Source here: | # Source here: | ||
# https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb | # https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb | ||
module OpenURI | |||
class <<self | |||
alias_method :open_uri_original, :open_uri | |||
alias_method :redirectable_cautious?, :redirectable? | |||
|
|||
def redirectable_baller? uri1, uri2 | |||
valid = /\A(?:https?|ftp)\z/i | |||
valid =~ uri1.scheme.downcase && valid =~ uri2.scheme | |||
end | |||
end | |||
|
|||
# The original open_uri takes *args but then doesn't do anything with them. | |||
# Assume we can only handle a hash. | |||
def self.open_uri name, options = {}, &block | |||
value = options.delete :allow_unsafe_redirects | |||
|
|
||
if value | module OpenURI | ||
class <<self | def OpenURI.redirectable?(uri1, uri2) # :nodoc: | ||
remove_method :redirectable? | # This test is intended to forbid a redirection from http://... to | ||
alias_method :redirectable?, :redirectable_baller? | # file:///etc/passwd, file:///dev/zero, etc. CVE-2011-1521 | ||
end | # https to http redirect is also forbidden intentionally. | ||
else | # It avoids sending secure cookie or referer by non-secure HTTP protocol. | ||
class <<self | # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3) | ||
remove_method :redirectable? | # However this is ad hoc. It should be extensible/configurable. | ||
alias_method :redirectable?, :redirectable_cautious? | uri1.scheme.downcase == uri2.scheme.downcase || | ||
end | (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme) | ||
end | |||
|
|||
self.open_uri_original name, options, &block | |||
end | end | ||
end | end |
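Review bot: removing the `:allow_unsafe_redirects` option (the deleted `value = options.delete :allow_unsafe_redirects` in `self.open_uri`) with no deprecation shim turns every caller that still passes it into an `ArgumentError`, because open-uri's option check rejects keys it does not recognise; grep the call sites for `allow_unsafe_redirects` before merging, or keep a one-line `options.delete :allow_unsafe_redirects` no-op for a release. The new header comment `# Allow open-uri to follow http to https redirects.` also understates the rule being installed: the second clause of the new `redirectable?` (`/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme`) admits http to ftp and ftp to http/https as well, so the comment should say so, and should state that the body is a copy of the trunk `open-uri.rb` method linked just above it, so the next person knows to diff against upstream rather than treat it as local policy. Finally, `def OpenURI.redirectable?` now replaces the library method for the whole process (and will warn under `ruby -w`), whereas the previous version kept the original reachable as `redirectable_cautious?`; if any other code in the repository depends on the stock behaviour, that alias is worth keeping.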