/api/ is insecurely redirecting to http://bundler.rubygems.org/api/ #548

Closed
postmodern opened this Issue Mar 22, 2013 · 5 comments

@postmodern
Contributor

postmodern commented Mar 22, 2013

While testing the new Ronin SSL MITM Proxy against bundler 1.2.4, I noticed that all requests to https://rubygems.org/api/ were being redirected to http://bundler.rubygems.org/api/.

127.0.0.1:59208 -> 0.0.0.0:1337 <-> rubygems.org:443
GET /api/v1/dependencies?gems=highline,allison,rcov,rdoc HTTP/1.1
Accept: */*
User-Agent: Ruby
Connection: keep-alive
Keep-Alive: 30
Host: localhost:1337

127.0.0.1:59208 <- 0.0.0.0:1337 <-> rubygems.org:443
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 22 Mar 2013 21:46:02 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://bundler.rubygems.org/api/v1/dependencies?gems=highline,allison,rcov,rdoc

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

127.0.0.1:59208 -> 0.0.0.0:1337 <-> rubygems.org:443
GET /api/v1/dependencies?gems=termios HTTP/1.1
Accept: */*
User-Agent: Ruby
Connection: keep-alive
Keep-Alive: 30
Host: localhost:1337

127.0.0.1:59208 <- 0.0.0.0:1337 <-> rubygems.org:443
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 22 Mar 2013 21:46:02 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://bundler.rubygems.org/api/v1/dependencies?gems=termios

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
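
The downgrade in the captured exchange above, and the client-side check that would have refused it, as an added Ruby example that is not part of this issue or of bundler's own code. The response texts are constructed from the headers shown above, and `parse_response_head`, `follow_redirects`, `DowngradeError` and `FAKE_FETCH` are assumed names.

```ruby
require 'uri'

class DowngradeError < StandardError; end

# Parse the status code and headers out of a raw HTTP/1.x response head.
def parse_response_head(raw)
  head, _body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.lines.map(&:chomp)
  status = lines.shift.split(' ', 3)[1].to_i
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.strip if value
  end
  [status, headers]
end

# Follow redirects, refusing any hop that drops an https request to http.
# `fetch` is a callable taking a URI and returning raw response text; it is
# injected so the example runs offline (real code would use Net::HTTP here).
def follow_redirects(start_uri, fetch, max_hops: 5)
  uri = URI(start_uri)
  max_hops.times do
    status, headers = parse_response_head(fetch.call(uri))
    return [uri, status] unless (300..399).cover?(status) && headers['location']
    target = URI.join(uri.to_s, headers['location'])
    if uri.scheme == 'https' && target.scheme != 'https'
      raise DowngradeError, "refusing downgrade redirect #{uri} -> #{target}"
    end
    uri = target
  end
  raise "too many redirects from #{start_uri}"
end

# Constructed responses: the http redirect from the issue, an https redirect
# (what the fix should produce), and the final 200 from the https target.
RESPONSES = {
  'https://rubygems.org/api/v1/dependencies?gems=termios' =>
    "HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n" \
    "Location: http://bundler.rubygems.org/api/v1/dependencies?gems=termios\r\n\r\n",
  'https://rubygems.org/api/v1/dependencies?gems=highline' =>
    "HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n" \
    "Location: https://bundler.rubygems.org/api/v1/dependencies?gems=highline\r\n\r\n",
  'https://bundler.rubygems.org/api/v1/dependencies?gems=highline' =>
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n",
}.freeze
FAKE_FETCH = ->(uri) { RESPONSES.fetch(uri.to_s) }
```

Run `follow_redirects` on the `gems=termios` URL to reproduce the issue (it raises `DowngradeError`), and on the `gems=highline` URL to see the https-only chain complete with a 200.
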
@postmodern

Contributor

postmodern commented Mar 22, 2013

Looks like @dwradcliffe already fixed this but it never got pushed to production.
rubygems/rubygems-aws@3cbd850

@indirect

Owner

indirect commented Mar 22, 2013

I don't think bundler.rubygems.org has the SSL certs installed yet. :/

On Mar 22, 2013, at 3:03 PM, Postmodern notifications@github.com wrote:

Looks like @dwradcliffe already fixed this but it never got pushed to production.
rubygems/rubygems-aws@3cbd850

@postmodern

Contributor

postmodern commented Mar 22, 2013

bundler.rubygems.org appears to be using the *.rubygems.org cert issued by RapidSSL.

@gonzoyumo

gonzoyumo commented Mar 23, 2013

+1
I pointed this out one month ago on the mailing list but no one answered: https://groups.google.com/forum/?fromgroups=#!topic/rubygems-org/K0B8WRlICk0

@dwradcliffe

Owner

dwradcliffe commented Mar 23, 2013

Fixed in production.
