Diffstat (limited to 'lib/open-uri.rb')
-rw-r--r-- | lib/open-uri.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/lib/open-uri.rb b/lib/open-uri.rb
index a55a1b1acf..4411344339 100644
--- a/lib/open-uri.rb
+++ b/lib/open-uri.rb
@@ -99,6 +99,7 @@ module OpenURI
 :ssl_ca_cert => nil,
 :ssl_verify_mode => nil,
 :ftp_active_mode => false,
+ :redirect => true,
 }
 
 def OpenURI.check_options(options) # :nodoc:
@@ -199,6 +200,9 @@ module OpenURI
 # URI. It is converted to absolute URI using uri as a base URI.
 redirect = uri + redirect
 end
+ if !options.fetch(:redirect, true)
+ raise HTTPRedirect.new(buf.io.status.join(' '), buf.io, redirect)
+ end
 unless OpenURI.redirectable?(uri, redirect)
 raise "redirection forbidden: #{uri} -> #{redirect}"
 end
@@ -222,6 +226,9 @@ module OpenURI
 def OpenURI.redirectable?(uri1, uri2) # :nodoc:
 # This test is intended to forbid a redirection from http://... to
 # file:///etc/passwd.
+ # https to http redirect is also forbidden intentionally.
+ # It avoids sending secure cookie or referer by non-secure HTTP protocol.
+ # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
 # However this is ad hoc. It should be extensible/configurable.
 uri1.scheme.downcase == uri2.scheme.downcase ||
 (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
@@ -334,6 +341,14 @@ module OpenURI
 attr_reader :io
 end
 
+ class HTTPRedirect < HTTPError
+ def initialize(message, io, uri)
+ super(message, io)
+ @uri = uri
+ end
+ attr_reader :uri
+ end
+
 class Buffer # :nodoc:
 def initialize
 @io = StringIO.new
@@ -606,6 +621,15 @@ module OpenURI
 # Note that the active mode is default in Ruby 1.8 or prior.
 # Ruby 1.9 uses passive mode by default.
 #
+ # [:redirect]
+ # Synopsis:
+ # :redirect=>bool
+ #
+ # :redirect=>false is used to disable HTTP redirects at all.
+ # OpenURI::HTTPRedirect exception raised on redirection.
+ # It is true by default.
+ # The true means redirectoins between http and ftp is permitted.
+ #
 def open(*rest, &block)
 OpenURI.open_uri(self, *rest, &block)
 end
|
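Review bot: The new `if !options.fetch(:redirect, true)` block in the second hunk raises HTTPRedirect before `OpenURI.redirectable?` runs, so the URI carried in the exception has not been through the scheme check that the following `unless` applies to redirects that are actually followed; it can name a file:// target or an https-to-http downgrade. A caller that rescues HTTPRedirect and reopens `e.uri` therefore loses the protection the check is meant to give. Either move the new block below the `unless OpenURI.redirectable?(uri, redirect) ... end` so a forbidden redirection keeps raising `redirection forbidden` whatever the option says, or document `HTTPRedirect#uri` as an unchecked, server-controlled value that the caller must vet. As a style point, `unless options.fetch(:redirect, true)` reads better than `if !...`. The enclosing method starts and ends outside the hunk.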
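Review bot: The comment added in the third hunk explains why https-to-http is rejected, but the test on the hunk's last two lines also rejects http-to-https, since "https" satisfies neither `uri1.scheme.downcase == uri2.scheme.downcase` nor the `/\A(?:http|ftp)\z/i` alternation; a reader of the new comment may assume upgrades are allowed. A line such as `# Note that http to https is rejected as well, as a consequence of the same test.` would keep the documented policy in step with the code. The method's closing `end` lies outside the hunk.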
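Review bot: The `HTTPRedirect` class added in the fourth hunk is public (no `:nodoc:`, and it is named in the option docs) yet carries no RDoc comment. A short header would do: `# Raised by OpenURI.open_uri when the response is a redirection and :redirect=>false was given; #uri is the absolute target URI and #io the redirect response.` It would also be worth saying in that comment that #uri has not been checked against the redirect policy, so callers following it themselves need to apply their own scheme check.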
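Review bot: The option documentation added in the last hunk has a typo and two grammar slips: `# OpenURI::HTTPRedirect exception raised on redirection.` should read `# An OpenURI::HTTPRedirect exception is raised on redirection.`, and `# The true means redirectoins between http and ftp is permitted.` should read `# When true, redirections between http and ftp are followed.` It would also help to state here that redirections to or from https are never followed regardless of :redirect, since `OpenURI.redirectable?` as shown earlier in this diff only accepts same-scheme pairs or http/ftp pairs.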