Feature #3719

Updated by mame (Yusuke Endoh) almost 10 years ago

  Currently open-uri does not allow redirects from http to https. reverts the ability to redirect between http and https with a note that this may compromise security, but as far as I can tell this is only true for https -> http redirects. Redirecting from http -> https should not pose such security problems and could still be allowed. This can be accomplished by allowing https for the destination URL, but not for the source URL: 
  +    def OpenURI.redirectable?(uri1, uri2) # :nodoc: 
  +      # This test is intended to forbid a redirection from http://... to 
  +      # file:///etc/passwd. 
  +      # However this is ad hoc.    It should be extensible/configurable. 
  +      uri1.scheme.downcase == uri2.scheme.downcase || 
  +        (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme) 
  +    end 
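Review bot: the alternation `(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)` admits more than the http -> https upgrade the description asks for: any source in {http, ftp} may now redirect to any target in {http, https, ftp}, so http -> ftp, ftp -> http and ftp -> https all pass as well. If only the upgrade is intended, narrowing the second branch to `/\Ahttp\z/i =~ uri1.scheme && /\Ahttps\z/i =~ uri2.scheme` expresses exactly that. The https -> http downgrade is still correctly rejected, since the source scheme must be http or ftp. Minor: `uri1.scheme.downcase` raises NoMethodError on a URI with no scheme while the regex branch would quietly return nil; calling `.to_s` before `.downcase` keeps the two paths consistent, and the "ad hoc" comment could then be updated to say which cross-scheme pairs are deliberately allowed.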
  I'm seeing this issue with ruby 1.8.7 but the code for ruby 1.9.2 is the same.
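To make the scheme policy concrete, here is an added example (not code from the ticket or from open-uri itself) that evaluates the proposed check beside a stricter variant allowing only the http -> https upgrade, over a constructed set of source/target pairs; `RedirectPolicy`, `proposed?`, `strict?` and `matrix` are names chosen for this illustration.

```ruby
require "uri"

# Added example for Feature #3719; not part of open-uri. Compares the scheme
# check proposed in the ticket with a stricter one that permits only the
# http -> https upgrade, rejecting downgrades and non-network schemes.
module RedirectPolicy
  # Proposed check: same scheme, or source in {http, ftp} and target in
  # {http, https, ftp}. Note that this also passes http <-> ftp redirects.
  def self.proposed?(uri1, uri2)
    s1, s2 = uri1.scheme.to_s.downcase, uri2.scheme.to_s.downcase
    !!(s1 == s2 || (/\A(?:http|ftp)\z/ =~ s1 && /\A(?:https?|ftp)\z/ =~ s2))
  end

  # Stricter check: same network scheme, or exactly http -> https.
  # https -> http (downgrade) and anything into file: are refused.
  def self.strict?(uri1, uri2)
    s1, s2 = uri1.scheme.to_s.downcase, uri2.scheme.to_s.downcase
    network = %w[http https ftp]
    return false unless network.include?(s1) && network.include?(s2)
    s1 == s2 || (s1 == "http" && s2 == "https")
  end

  # Evaluate both policies over [source, target] pairs; returns
  # [source, target, proposed_result, strict_result] rows.
  def self.matrix(pairs)
    pairs.map do |from, to|
      u1, u2 = URI.parse(from), URI.parse(to)
      [from, to, proposed?(u1, u2), strict?(u1, u2)]
    end
  end
end

# Constructed sample redirects (example.com is a placeholder host).
SAMPLE_PAIRS = [
  ["http://example.com/a",  "https://example.com/a"], # upgrade
  ["https://example.com/a", "http://example.com/a"],  # downgrade
  ["http://example.com/a",  "ftp://example.com/a"],   # cross-scheme
  ["ftp://example.com/a",   "http://example.com/a"],  # cross-scheme
  ["http://example.com/a",  "file:///etc/passwd"],    # local file
]

if __FILE__ == $0
  RedirectPolicy.matrix(SAMPLE_PAIRS).each do |from, to, p, s|
    puts format("%-24s -> %-24s proposed=%-5s strict=%s", from, to, p, s)
  end
end
```

Running it prints one row per pair; the two cross-scheme rows are where the proposed and strict policies disagree.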