module OpenURI

Public Class Methods

default_redirectable?(uri1, uri2)

There is a bug in Ruby’s implementation of OpenURI that prevents redirects from HTTP -> HTTPS. That should totally be a valid redirect, so we override that method here and call it a day.

Note: this does NOT permit HTTPS -> HTTP redirects, as that would be a major security hole in the fabric of space-time!

# File lib/omnibus/core_extensions/open_uri.rb, line 13
def default_redirectable?(uri1, uri2)
  a, b = uri1.scheme.downcase, uri2.scheme.downcase

  a == b || (a == "http" && b == "https")
end
Also aliased as: redirectable?

open_uri(name, *rest, &block)
# File lib/omnibus/core_extensions/open_uri.rb, line 42
def open_uri(name, *rest, &block)
  options = rest.find { |arg| arg.is_a?(Hash) } || {}

  if options.delete(:allow_unsafe_redirects)
    class << self
      alias_method :redirectable?, :unsafe_redirectable?
    end
  end

  original_open_uri(name, *rest, &block)
ensure
  class << self
    alias_method :redirectable?, :default_redirectable?
  end
end
Also aliased as: original_open_uri
original_open_uri(name, *rest, &block)

Override the default open_uri method to search for our custom option to permit unsafe redirects.

@example

open('http://example.com', allow_unsafe_redirects: true)
Alias for: open_uri
redirectable?(uri1, uri2)
unsafe_redirectable?(uri1, uri2)

Permit all redirects.

Note: this DOES permit HTTPS -> HTTP redirects, and that is a major security hole!

@return [true]

# File lib/omnibus/core_extensions/open_uri.rb, line 28
def unsafe_redirectable?(uri1, uri2)
  a, b = uri1.scheme.downcase, uri2.scheme.downcase

  a == b || (a == "http" && b == "https") || (a == "https" && b == "http")
end
Also aliased as: redirectable?
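
The two predicates above, applied hop by hop to a redirect chain, show where the default policy stops a download and what allow_unsafe_redirects lets through. This is an added example, not Omnibus code: RedirectPolicy, classify, audit_chain, first_refused and the sample URLs are hypothetical names and constructed data, and the rules are copied into lambdas so nothing in OpenURI is patched.

```ruby
require "uri"

# Added example, not Omnibus code; RedirectPolicy and its methods are hypothetical names.
module RedirectPolicy
  # Same rule as default_redirectable?: same scheme, or an HTTP -> HTTPS upgrade.
  DEFAULT = lambda do |from, to|
    a, b = from.scheme.downcase, to.scheme.downcase
    a == b || (a == "http" && b == "https")
  end

  # Same rule as unsafe_redirectable?: additionally accepts HTTPS -> HTTP.
  UNSAFE = lambda do |from, to|
    a, b = from.scheme.downcase, to.scheme.downcase
    a == b || (a == "http" && b == "https") || (a == "https" && b == "http")
  end

  # Label one hop by what it does to transport security.
  def self.classify(from, to)
    a, b = from.scheme.downcase, to.scheme.downcase
    return :same_scheme if a == b
    return :upgrade if a == "http" && b == "https"
    return :downgrade if a == "https" && b == "http"
    :cross_protocol
  end

  # Evaluate every hop of a redirect chain (array of URL strings) under a policy.
  def self.audit_chain(urls, policy)
    urls.map { |u| URI.parse(u) }.each_cons(2).map do |from, to|
      { from: from.to_s, to: to.to_s,
        kind: classify(from, to), allowed: policy.call(from, to) }
    end
  end

  # First hop the policy refuses, or nil when the whole chain is accepted.
  def self.first_refused(urls, policy)
    audit_chain(urls, policy).find { |hop| !hop[:allowed] }
  end
end

# Constructed sample chain: upgrade to HTTPS, then a downgrade to a plain-HTTP mirror.
CHAIN = [
  "http://example.com/pkg.tar.gz",
  "https://example.com/pkg.tar.gz",
  "http://mirror.example.net/pkg.tar.gz",
].freeze

RedirectPolicy.audit_chain(CHAIN, RedirectPolicy::DEFAULT).each do |hop|
  puts format("%-38s -> %-38s %-10s allowed=%s", *hop.values_at(:from, :to, :kind, :allowed))
end
```

Under the default rule the second hop is reported as a refused downgrade; under the unsafe rule the whole chain is accepted, while a hop to a non-HTTP scheme such as ftp is still refused by both.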