Merge branch 'open_uri'

* open_uri:
  [OpenURI] Reworked support for http to https redirects.
  [OpenURI] Support for unsafe redirects.
commit d2dd1f935463b369c22af2b23c791b86a9fe008f 2 parents 068d803 + 314f271
Fabio Pelosin irrationalfab authored
1  CHANGELOG.md
@@ -10,6 +10,7 @@
10 10 ###### Bug fixes
11 11
12 12 - The final project isn’t affected anymore by the `inhibit_all_warnings!` option.
  13 +- Support for redirects while using podspec from an url. [#462](https://github.com/CocoaPods/CocoaPods/issues/462)
13 14
14 15 ## 0.12.0
15 16
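Review bot: The added entry on line 13 says "redirects" without qualification, but the override in lib/cocoapods/open_uri.rb accepts only same-scheme redirects and http or ftp to http, https or ftp; https to http stays forbidden. Suggest naming the case that was fixed, for example "Support for http to https redirects when using a podspec from a URL", so readers do not assume every redirect is now followed. "an url" should also read "a URL".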
2  lib/cocoapods/dependency.rb
... ... @@ -1,4 +1,4 @@
1   -require 'open-uri'
  1 +require 'cocoapods/open_uri'
2 2
3 3 module Pod
4 4 class Dependency < Gem::Dependency
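Review bot: Swapping the require on line 1 makes loading Pod::Dependency reopen the OpenURI module itself, so the relaxed redirect check applies to every open-uri caller in the process, not only to podspec fetches. Suggest a comment next to `require 'cocoapods/open_uri'` saying that it patches OpenURI globally, or confining the relaxed check to the podspec download path if that is the only place it is needed.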
2  lib/cocoapods/executable.rb
@@ -40,7 +40,7 @@ def executable(name)
40 40 if should_raise
41 41 raise Informative, "#{name} #{command}\n\n#{output}"
42 42 else
43   - puts (Config.instance.verbose? ? ' ' : '') << "[!] Failed: #{full_command}".red unless Config.instance.silent?
  43 + puts((Config.instance.verbose? ? ' ' : '') << "[!] Failed: #{full_command}".red) unless Config.instance.silent?
44 44 end
45 45 end
46 46 output
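Review bot: On the new line 43 the prefix is still built with `(Config.instance.verbose? ? ' ' : '') << "[!] Failed: ..."`, and `<<` appends into the string literal in place, which raises once string literals are frozen. The added parentheses fix the argument parsing, but the concatenation would be clearer and safer as `prefix + "[!] Failed: #{full_command}".red` with `prefix` assigned on its own line.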
22 lib/cocoapods/open_uri.rb
... ... @@ -0,0 +1,22 @@
  1 +require 'open-uri'
  2 +
  3 +# Inspiration from: https://gist.github.com/1271420
  4 +#
  5 +# Allow open-uri to follow http to https redirects.
  6 +# Relevant issue:
  7 +# http://redmine.ruby-lang.org/issues/3719
  8 +# Source here:
  9 +# https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb
  10 +
  11 +module OpenURI
  12 + def OpenURI.redirectable?(uri1, uri2) # :nodoc:
  13 + # This test is intended to forbid a redirection from http://... to
  14 + # file:///etc/passwd, file:///dev/zero, etc. CVE-2011-1521
  15 + # https to http redirect is also forbidden intentionally.
  16 + # It avoids sending secure cookie or referer by non-secure HTTP protocol.
  17 + # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
  18 + # However this is ad hoc. It should be extensible/configurable.
  19 + uri1.scheme.downcase == uri2.scheme.downcase ||
  20 + (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
  21 + end
  22 +end
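Review bot: Lines 11-21 replace `OpenURI.redirectable?`, which the standard library marks `# :nodoc:`, with a copied body, and the files shown in this commit include no spec for it. Since the comment on lines 13-16 describes a security guard (CVE-2011-1521, and no https to http downgrade), suggest adding specs that pin it down: http to https is accepted, while https to http and http to file are rejected. The copied comment also does not say which part of the expression differs from the stdlib version; a short note next to `https?` on line 20 would make the local change obvious when the upstream method is next compared.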
