open-uri https redirect fix in ruby

open-uri redirectable
MIME-Version: 1.0
Received: by 10.52.73.106 with HTTP; Mon, 30 Jan 2012 07:18:51 -0800 (PST)
Date: Mon, 30 Jan 2012 16:18:51 +0100
Delivered-To: azet@azet.org
Message-ID: <CAN8NK9HxUcLK2CK8zeWniUYkejcWraORxy-D+jc1kZtYZWbsnA@mail.gmail.com>
Subject: bugfix in open-uri redirects (ruby)
From: Aaron Zauner <azet@azet.org>
To: Tanaka Akira <akr@m17n.org>
Content-Type: text/plain; charset=ISO-8859-1
 
hi,
 
open-uri raises an exception if an http/s redirect refers to https.
 
quickfix:
--code--
require 'open-uri' # defines the OpenURI module that is patched below

# this is taken from the original ruby open-uri class,
# fixed this to support secure socket http redirects:
def OpenURI.redirectable?(uri1, uri2) # :nodoc:
  # This test is intended to forbid a redirection from http://... to
  # file:///etc/passwd.
  # However this is ad hoc. It should be extensible/configurable.
  uri1.scheme.downcase == uri2.scheme.downcase ||
    (/\A(?:http|ftp|https)\z/i =~ uri1.scheme && /\A(?:http|ftp|https)\z/i =~ uri2.scheme)
end
--code--
 
(just added https to the regex. check)
 
so long,
azet
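
Added example (not part of the original mail and not open-uri's own code): because the quick fix's regex accepts `https` on both sides, it also lets an https request be redirected to http or ftp. The sketch below compares it with a stricter check that adds only the upgrade direction; `redirect_allowed?`, `quickfix_allowed?`, `compare_policies` and the sample URLs are hypothetical names and constructed values.

```ruby
require 'uri'

PLAINTEXT = %w[http ftp].freeze # schemes the pre-patch regex accepted

# Hypothetical stricter policy (an assumption, not open-uri's code).
def redirect_allowed?(uri1, uri2)
  from = uri1.scheme.to_s.downcase
  to   = uri2.scheme.to_s.downcase
  return true if from == to                                         # same scheme
  return true if PLAINTEXT.include?(from) && PLAINTEXT.include?(to) # http <-> ftp
  return true if PLAINTEXT.include?(from) && to == 'https'          # upgrade to TLS
  false # https -> http/ftp, http -> file, ...
end

# The quick fix from the mail, as a stand-alone predicate returning true/false.
def quickfix_allowed?(uri1, uri2)
  re = /\A(?:http|ftp|https)\z/i
  uri1.scheme.downcase == uri2.scheme.downcase ||
    (re.match?(uri1.scheme) && re.match?(uri2.scheme))
end

# Constructed sample redirects: [request URL, Location target].
SAMPLE_REDIRECTS = [
  ['http://example.com/a',  'https://example.com/a'],
  ['https://example.com/a', 'http://example.com/a'],
  ['https://example.com/a', 'ftp://example.com/a'],
  ['http://example.com/a',  'file:///etc/passwd'],
  ['HTTP://example.com/a',  'http://example.org/b']
].freeze

# Returns one row per sample: [from, to, quickfix verdict, strict verdict].
def compare_policies(samples = SAMPLE_REDIRECTS)
  samples.map do |from, to|
    u1 = URI.parse(from)
    u2 = URI.parse(to)
    [from, to, quickfix_allowed?(u1, u2), redirect_allowed?(u1, u2)]
  end
end

compare_policies.each do |from, to, quick, strict|
  puts format('%-24s -> %-24s quickfix=%-5s strict=%s', from, to, quick, strict)
end
```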