https://bugs.ruby-lang.org/https://bugs.ruby-lang.org/favicon.ico?17113305112009-02-03T10:57:29ZRuby Issue Tracking SystemRuby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=29602009-02-03T10:57:29Zshyouhei (Shyouhei Urabe)shyouhei@ruby-lang.org
<ul><li><strong>Assignee</strong> set to <i>akr (Akira Tanaka)</i></li></ul><p>=begin</p>
<p>=end</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=29632009-02-03T10:58:17Zakr (Akira Tanaka)akr@fsij.org
<ul><li><strong>ruby -v</strong> set to <i>-</i></li></ul><p>=begin<br>
<a href="https://blade.ruby-lang.org/ruby-core/21203">[ruby-core:21203]</a><br>
=end</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=30402009-02-03T17:50:36Zromanbsd (Roman Shterenzon)
<ul></ul><p>=begin<br>
Originally reported on:<br>
ruby 1.8.7 (2008-08-11 patchlevel 72) [i686-linux]<br>
=end</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=30422009-02-03T17:53:58Zromanbsd (Roman Shterenzon)
<ul></ul><p>=begin<br>
I quote from <a href="https://blade.ruby-lang.org/ruby-core/21234">[ruby-core:21234]</a> :</p>
<p>But first of all the HTTP --> HTTPS redirection should be still considered ok.</p>
<p>Regarding the other way, well, the Referer should be set to the URL that redirected us. I believe this is not currently implemented. As for cookies, AFAIK there's no direct support for cookies in Net::HTTP nor open-uri, so if the programmer wants to use cookies, she has to set it manually via a "Cookie" header. And since no support for cookies as per RFC2109 is in place, no security measures are implemented. So for example one URL can redirect to other (also HTTP) URL, which is in another domain, and the cookie (actually header) will be sent anyway. So the fact that the "secure" attribute of cookie is unsupported diminishes in light of this. Therefor I think that redirecting from HTTPS to HTTP should be considered ok too.<br>
=end</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=55042009-09-02T11:48:06Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul></ul><p>=begin<br>
Hi,</p>
<p>At Tue, 3 Feb 2009 17:53:36 +0900,<br>
Roman Shterenzon wrote in <a href="https://blade.ruby-lang.org/ruby-core/21797">[ruby-core:21797]</a>:</p>
<blockquote>
<p>I quote from <a href="https://blade.ruby-lang.org/ruby-core/21234">[ruby-core:21234]</a> :</p>
<p>But first of all the HTTP --> HTTPS redirection should be still considered ok.</p>
</blockquote>
<p>Then your previous patch is wrong.</p>
<h1>
<br>
Index: lib/open-uri.rb</h1>
<p>--- lib/open-uri.rb (revision 24735)<br>
+++ lib/open-uri.rb (working copy)<br>
@@ -241,5 +241,5 @@ module OpenURI<br>
# However this is ad hoc. It should be extensible/configurable.<br>
uri1.scheme.downcase == uri2.scheme.downcase ||</p>
<ul>
<li>(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)</li>
</ul>
<ul>
<li>(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)<br>
end</li>
</ul>
<p></p>
<p>--<br>
Nobu Nakada</p>
<p>=end</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=55782009-09-04T08:01:34Zshyouhei (Shyouhei Urabe)shyouhei@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li></ul><p>=begin</p>
<p>=end</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=170532011-05-18T14:41:39Zxaviershay (Xavier Shay)xavier-list@rhnh.net
<ul></ul><p>Why was this closed? This bug is still present in trunk. A patch was reverted in r21381, but it was not the patch that Nobuyoshi has proposed, and there was no indication as to why it was reverted (my guess is because it allowed https -> http redirection).</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=170542011-05-18T14:51:26Znaruse (Yui NARUSE)naruse@airemix.jp
<ul><li><strong>Status</strong> changed from <i>Closed</i> to <i>Assigned</i></li><li><strong>Priority</strong> changed from <i>3</i> to <i>Normal</i></li></ul> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=183582011-06-26T16:37:01Znahi (Hiroshi Nakamura)nakahiro@gmail.com
<ul><li><strong>Target version</strong> set to <i>1.9.3</i></li></ul><p>Tanaka-san, please handle this.</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=198102011-07-28T23:21:58Znahi (Hiroshi Nakamura)nakahiro@gmail.com
<ul></ul><p>Akr, I think we agreed that http -> https redirection is OK. If you don't like ad-hoc change for 1.9.3, I can do that uglish thing instead of you. :) Do you mind if I'd do that?</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=199252011-08-01T22:18:40Zakr (Akira Tanaka)akr@fsij.org
<ul><li><strong>Target version</strong> changed from <i>1.9.3</i> to <i>2.0.0</i></li></ul><p>I'd like generic solution. Especially because open-uri doesn't provide a way to specify headers for each request for redirection.</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=343732012-12-04T01:28:05Zjaimeiniesta (Jaime Iniesta)jaimeiniesta@gmail.com
<ul></ul><p>I've packed this patch as a gem:</p>
<p><a href="https://github.com/jaimeiniesta/open_uri_redirections" class="external">https://github.com/jaimeiniesta/open_uri_redirections</a></p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=345562012-12-09T21:17:41Zmame (Yusuke Endoh)mame@ruby-lang.org
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li></ul> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=345572012-12-09T21:17:48Zmame (Yusuke Endoh)mame@ruby-lang.org
<ul><li><strong>Target version</strong> changed from <i>2.0.0</i> to <i>2.6</i></li></ul> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=497512014-10-31T10:00:11Znaruse (Yui NARUSE)naruse@airemix.jp
<ul></ul><p>FYI, HTML5 defines whether it should redirect or not:<br>
<a href="http://www.w3.org/TR/2014/REC-html5-20141028/infrastructure.html#processing-model" class="external">http://www.w3.org/TR/2014/REC-html5-20141028/infrastructure.html#processing-model</a></p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=603082016-08-28T11:51:40Zcabo (Carsten Bormann)cabo@tzi.org
<ul></ul><p>A typical example of the consequences of this 7-year old bug is <a href="https://github.com/cabo/kramdown-rfc2629/issues/27" class="external">https://github.com/cabo/kramdown-rfc2629/issues/27</a></p>
<p>Please wake up and fix this. Now.</p> Ruby master - Feature #859: open-uri doesn't allow redirection to httpshttps://bugs.ruby-lang.org/issues/859?journal_id=603972016-09-07T07:14:35Zakr (Akira Tanaka)akr@fsij.org
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p>Applied in changeset r56085.</p>
<hr>
<p>lib/open-uri.rb: Allow http to https redirection.</p>
<ul>
<li>lib/open-uri.rb: Allow http to https redirection.<br>
Note that https to http is still forbidden.<br>
<a href="/issues/859">[ruby-core:20485]</a> [Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: open-uri doesn't allow redirection to https (Closed)" href="https://bugs.ruby-lang.org/issues/859">#859</a>] by Roman Shterenzon.</li>
</ul>