Feature #3719
Feature #859: open-uri doesn't allow redirection to https
open-uri should allow redirects from http to https
Description
=begin
Currently open-uri does not allow redirects from http to https. http://redmine.ruby-lang.org/repositories/revision/1?rev=21381 reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL:
- def OpenURI.redirectable?(uri1, uri2) # :nodoc:
- # This test is intended to forbid a redirection from http://... to
- # file:///etc/passwd.
- # However this is ad hoc. It should be extensible/configurable.
- uri1.scheme.downcase == uri2.scheme.downcase ||
- (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
- end
I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same.
=end
History
#1
Updated by Shyouhei Urabe about 6 years ago
Updated by - Status changed from Open to Assigned
- Assignee set to Akira Tanaka
=begin
=end
#2
[ruby-core:35877]
Updated by Joseph Holsten over 5 years ago
Updated by =begin
I'm still seeing this issue. I like the way this patch works, allowing redirection from http to https but not the other way.
What needs to happen for this to be applied?
=end
#3
[ruby-core:49142]
Updated by Yusuke Endoh almost 4 years ago
Updated by - Description updated (diff)
- Target version set to next minor
#4
[ruby-core:53994]
Updated by Akira Tanaka over 3 years ago
Updated by - Parent task set to #859
#5
Updated by Gaurish Sharma over 1 year ago
Updated by I am wondering, What's the status of this? if help is required to push this forward. I am willing to help