Feature #3719

Feature #859: open-uri doesn't allow redirection to https

open-uri should allow redirects from http to https

Added by Hans de Graaff almost 6 years ago. Updated about 1 year ago.



Currently open-uri does not allow redirects from http to https. reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL:

  • def OpenURI.redirectable?(uri1, uri2) # :nodoc:
  • # This test is intended to forbid a redirection from http://... to
  • # file:///etc/passwd.
  • # However this is ad hoc. It should be extensible/configurable.
  • uri1.scheme.downcase == uri2.scheme.downcase ||
  • (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
  • end

I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same.


#1 Updated by Shyouhei Urabe almost 6 years ago

  • Status changed from Open to Assigned
  • Assignee set to Akira Tanaka



#2 [ruby-core:35877] Updated by Joseph Holsten about 5 years ago

I'm still seeing this issue. I like the way this patch works, allowing redirection from http to https but not the other way.

What needs to happen for this to be applied?

#3 [ruby-core:49142] Updated by Yusuke Endoh over 3 years ago

  • Description updated (diff)
  • Target version set to next minor

#4 [ruby-core:53994] Updated by Akira Tanaka about 3 years ago

  • Parent task set to #859

#5 Updated by Gaurish Sharma about 1 year ago

I am wondering, What's the status of this? if help is required to push this forward. I am willing to help

Also available in: Atom PDF