Feature #859

open-uri doesn't allow redirection to https

Added by Roman Shterenzon almost 7 years ago. Updated 11 months ago.

Assignee:Akira Tanaka


Only ftp and http are checked in regex in OpenURI.redirectable? method.
Please see the attached patch.

open-uri.rb.patch Magnifier (547 Bytes) Roman Shterenzon, 12/12/2008 03:16 AM


Feature #3719: open-uri should allow redirects from http to httpsAssignedAkira Tanaka

Bug #5950: open-uri: https redirect fix AssignedAkira Tanaka


#1 Updated by Shyouhei Urabe over 6 years ago

  • Assignee set to Akira Tanaka



#2 Updated by Akira Tanaka over 6 years ago

  • ruby -v set to -



#3 Updated by Roman Shterenzon over 6 years ago

Originally reported on:
ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]

#4 Updated by Roman Shterenzon over 6 years ago

I quote from :

But first of all the HTTP --> HTTPS redirection should be still considered ok.

Regarding the other way, well, the Referer should be set to the URL that redirected us. I believe this is not currently implemented. As for cookies, AFAIK there's no direct support for cookies in Net::HTTP nor open-uri, so if the programmer wants to use cookies, she has to set it manually via a "Cookie" header. And since no support for cookies as per RFC2109 is in place, no security measures are implemented. So for example one URL can redirect to other (also HTTP) URL, which is in another domain, and the cookie (actually header) will be sent anyway. So the fact that the "secure" attribute of cookie is unsupported diminishes in light of this. Therefor I think that redirecting from HTTPS to HTTP should be considered ok too.

#5 Updated by Nobuyoshi Nakada about 6 years ago


At Tue, 3 Feb 2009 17:53:36 +0900,
Roman Shterenzon wrote in :

I quote from :

But first of all the HTTP --> HTTPS redirection should be still considered ok.

Then your previous patch is wrong.

Index: lib/open-uri.rb
--- lib/open-uri.rb (revision 24735)
+++ lib/open-uri.rb (working copy)
@@ -241,5 +241,5 @@ module OpenURI
# However this is ad hoc. It should be extensible/configurable.
uri1.scheme.downcase == uri2.scheme.downcase ||
- (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
+ (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)

Nobu Nakada


#6 Updated by Shyouhei Urabe about 6 years ago

  • Status changed from Open to Closed



#7 Updated by Xavier Shay over 4 years ago

Why was this closed? This bug is still present in trunk. A patch was reverted in r21381, but it was not the patch that Nobuyoshi has proposed, and there was no indication as to why it was reverted (my guess is because it allowed https -> http redirection).

#8 Updated by Yui NARUSE over 4 years ago

  • Status changed from Closed to Assigned
  • Priority changed from 3 to Normal

#9 Updated by Hiroshi Nakamura over 4 years ago

  • Target version set to 1.9.3

Tanaka-san, please handle this.

#10 Updated by Hiroshi Nakamura about 4 years ago

Akr, I think we agreed that http -> https redirection is OK. If you don't like ad-hoc change for 1.9.3, I can do that uglish thing instead of you. :) Do you mind if I'd do that?

#11 Updated by Akira Tanaka about 4 years ago

  • Target version changed from 1.9.3 to 2.0.0

I'd like generic solution. Especially because open-uri doesn't provide a way to specify headers for each request for redirection.

#13 Updated by Yusuke Endoh almost 3 years ago

  • Tracker changed from Bug to Feature

#14 Updated by Yusuke Endoh almost 3 years ago

  • Target version changed from 2.0.0 to next minor

#15 Updated by Yui NARUSE 11 months ago

FYI, HTML5 defines whether it should redirect or not:

Also available in: Atom PDF