From: Hans de Graaff <redmine@...>
Date: 2010-08-19T18:15:31+09:00
Subject: [ruby-core:31771] [Bug #3719] open-uri should allow redirects from http to https

Bug #3719: open-uri should allow redirects from http to https
http://redmine.ruby-lang.org/issues/show/3719

Author: Hans de Graaff
Status: Open, Priority: Normal
Category: lib
ruby -v: 1.8.7

Currently open-uri does not allow redirects from http to https. http://redmine.ruby-lang.org/repositories/revision/1?rev=21381 reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL:

+  def OpenURI.redirectable?(uri1, uri2) # :nodoc:
+    # This test is intended to forbid a redirection from http://... to
+    # file:///etc/passwd.
+    # However this is ad hoc.  It should be extensible/configurable.
+    uri1.scheme.downcase == uri2.scheme.downcase ||
+      (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
+  end

I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same.


----------------------------------------
http://redmine.ruby-lang.org