From: Roman Shterenzon <romanbsd@...>
Date: 2009-01-09T20:46:27+09:00
Subject: [ruby-core:21234] Re: Small bug in openuri

I understand your concern.

But first of all the HTTP --> HTTPS redirection should be still considered ok.

Regarding the other way, well, the Referer should be set to the URL that redirected us. I believe this is not currently implemented. As for cookies, AFAIK there's no direct support for cookies in Net::HTTP nor open-uri, so if the programmer wants to use cookies, she has to set it manually via a "Cookie" header. And since no support for cookies as per RFC2109 is in place, no security measures are implemented. So for example one URL can redirect to other (also HTTP) URL, which is in another domain, and the cookie (actually header) will be sent anyway. So the fact that the "secure" attribute of cookie is unsupported diminishes in light of this. Therefor I think that redirecting from HTTPS to HTTP should be considered ok too.


--Roman

----- Original Message ----
From: Tanaka Akira <akr@fsij.org>
To: ruby-core@ruby-lang.org
Sent: Thursday, January 8, 2009 12:48:51 AM
Subject: [ruby-core:21205] Re: Small bug in openuri

In article <588414.19322.qm@web110813.mail.gq1.yahoo.com>,
  Roman Shterenzon <romanbsd@yahoo.com> writes:

> It's really small and simple bug, please commit it if it makes sense (ruby-core:20485)

> http://redmine.ruby-lang.org/issues/show/859

It has subtle issue.

If it is permitted, open-uri copy headers for https to http.
The headers may contain secure cookie or referer which
should not copy.
-- 
Tanaka Akira