Module: OpenURI

Defined in:
lib/cocoapods/open-uri.rb

Overview

Allow OpenURI to follow http to https redirects.

Class Method Summary collapse

Class Method Details

.redirectable?(uri1, uri2) ⇒ Boolean

Whether #open should follow a redirect.

Inspiration from: gist.github.com/1271420 Relevant issue: bugs.ruby-lang.org/issues/3719 Source here: github.com/ruby/ruby/blob/trunk/lib/open-uri.rb

This test is intended to forbid a redirection from http://… to file:///etc/passwd, file:///dev/zero, etc. CVE-2011-1521 https to http redirect is also forbidden intentionally. It avoids sending secure cookie or referrer by non-secure HTTP protocol. (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3) However this is ad hoc. It should be extensible/configurable.

Parameters:

  • uri1 (URI::Generic)

    the origin uri from where the redirect origins

  • uri2 (URI::Generic)

    the target uri where to where the redirect points to

Returns:

  • (Boolean)


29
30
31
32
# File 'lib/cocoapods/open-uri.rb', line 29

def self.redirectable?(uri1, uri2)
  uri1.scheme.downcase == uri2.scheme.downcase ||
    (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:https?|ftp)\z/i =~ uri2.scheme)
end