New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uri: restrict setting protocol to file scheme #1832
Conversation
As file URLs cannot have username/password/port, we should not keep them when scheme is changed to file. Refs: whatwg/url#259
Isn’t this dangerous? Allowing from another scheme to What’s the use case? |
@paddor That's the current behaviour as you can try and this patch doesn't touch it. url = URI.parse('http://user:pass@example.com')
url.scheme = 'file'
puts url.to_s
# => file://user:pass@example.com File URL can not have username, password and port, and this patch is just about how we handle it. It is possible to raise an error when |
I'm just wondering, what's the use case? With or without this patch, setting the scheme to |
For example, it can use the path as file names when caching contents. If we specify the base URL, it is not dangerous so far. I'm also interested in discussing how the path should be handled between |
// We might also be possible to open a new issue for it on the tracker :) |
This seems much safer and intuitive to me (path sanitizing not included):
I do think it's dangerous, because the path could contain |
In my understanding, that e.g. new URL('http://example.com/../../../foo/bar')
// => http://example.com/foo/bar Either way, that seems reasonable to ask at the specification repository about what properties the parser should keep when the scheme is changed between file and http. I'm also curious what @nurse think on this since he seems to work hard on the parser of URI. |
It doesn't seem that way:
|
Wow really... Then I agree with you. Not a critical in a real world because of fewer use cases, but might not make sense to keep the path when the scheme is updated to file from http/https if we do not manage the relative path that can be shallower than the base path. |
* the default value of URI::File's authority is "" (localhost). Both nil and "localhost" is normalized to "" by default. * URI::File ignores setting userinfo and port [Feature #14035] fix ruby/ruby#1719 fic ruby/ruby#1832 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62767 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Hmm, 04883f1 says it fixes this but it failed due to typo. Let me close this. |
As file URLs cannot have username/password/port, we should not keep them when scheme is changed to file.
Refs: whatwg/url#259