ruby-changes:10597
From: knu <ko1@a...>
Date: Mon, 9 Feb 2009 12:16:03 +0900 (JST)
Subject: [ruby-changes:10597] Ruby:r22154 (ruby_1_8): r22143@crimson: knu | 2009-02-08 22:30:20 +0900
knu 2009-02-09 12:15:54 +0900 (Mon, 09 Feb 2009) New Revision: 22154 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=22154 Log: r22143@crimson: knu | 2009-02-08 22:30:20 +0900 (:redirect) new option to disable redirection. (r13788) (OpenURI::HTTPRedirect): new exception class for redirection. (r13788) Modified directories: branches/ruby_1_8/ Modified files: branches/ruby_1_8/ChangeLog branches/ruby_1_8/lib/open-uri.rb Index: ruby_1_8/ChangeLog =================================================================== --- ruby_1_8/ChangeLog (revision 22153) +++ ruby_1_8/ChangeLog (revision 22154) @@ -11,6 +11,9 @@ (:ftp_active_mode) new option. (r13307) (URI::FTP.buffer_open) turn ftp passive mode on if :ftp_active_mode => false is given. + (:redirect) new option to disable redirection. (r13788) + (OpenURI::HTTPRedirect): new exception class for + redirection. (r13788) Mon Feb 9 01:21:16 2009 Tanaka Akira <akr@f...> Index: ruby_1_8/lib/open-uri.rb =================================================================== --- ruby_1_8/lib/open-uri.rb (revision 22153) +++ ruby_1_8/lib/open-uri.rb (revision 22154) @@ -99,6 +99,7 @@ :ssl_ca_cert => nil, :ssl_verify_mode => nil, :ftp_active_mode => true, + :redirect => true, } def OpenURI.check_options(options) # :nodoc: @@ -199,6 +200,9 @@ # URI. It is converted to absolute URI using uri as a base URI. redirect = uri + redirect end + if !options.fetch(:redirect, true) + raise HTTPRedirect.new(buf.io.status.join(' '), buf.io, redirect) + end unless OpenURI.redirectable?(uri, redirect) raise "redirection forbidden: #{uri} -> #{redirect}" end 
@@ -222,6 +226,9 @@ def OpenURI.redirectable?(uri1, uri2) # :nodoc: # This test is intended to forbid a redirection from http://... to # file:///etc/passwd. + # https to http redirect is also forbidden intentionally. + # It avoids sending secure cookie or referer by non-secure HTTP protocol. + # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3) # However this is ad hoc. It should be extensible/configurable. uri1.scheme.downcase == uri2.scheme.downcase || (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme) @@ -334,6 +341,14 @@ attr_reader :io end + class HTTPRedirect < HTTPError + def initialize(message, io, uri) + super(message, io) + @uri = uri + end + attr_reader :uri + end + class Buffer # :nodoc: def initialize @io = StringIO.new @@ -606,6 +621,15 @@ # Note that the active mode is default in Ruby 1.8 or prior. # Ruby 1.9 uses passive mode by default. # + # [:redirect] + # Synopsis: + # :redirect=>bool + # + # :redirect=>false is used to disable HTTP redirects at all. + # OpenURI::HTTPRedirect exception raised on redirection. + # It is true by default. + # The true means redirectoins between http and ftp is permitted. + # def open(*rest, &block) OpenURI.open_uri(self, *rest, &block) end Property changes on: ruby_1_8 ___________________________________________________________________ Name: svk:merge - 050cfa88-b445-4b2e-b226-957b86f2c464:/local/ruby/1.8:22142 b2dd03c8-39d4-4d8f-98ff-823fe69b080e:/trunk:5286 + 050cfa88-b445-4b2e-b226-957b86f2c464:/local/ruby/1.8:22143 b2dd03c8-39d4-4d8f-98ff-823fe69b080e:/trunk:5286 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
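Review bot: In the lib/open-uri.rb hunk at @@ -199,6 +200,9 @@, the new `raise HTTPRedirect.new(buf.io.status.join(' '), buf.io, redirect)` sits before the existing `unless OpenURI.redirectable?(uri, redirect)` check, so with `:redirect => false` the exception's `uri` can carry a target that check would have refused, such as a different scheme or an https to http downgrade. A caller who rescues HTTPRedirect and follows `e.uri` by hand gets none of that scheme validation. Either say in the `:redirect` documentation that the URI is unvalidated and must be checked by the caller, or apply the redirectable? test before raising. Note also that `!options.fetch(:redirect, true)` treats an explicit `:redirect => nil` the same as `false`; if that is intended, the option text should say so.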
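Review bot: In the redirectable? hunk at @@ -222,6 +226,9 @@, the added comment covers only the https to http direction, but the unchanged expression below it also rejects http to https, because `https` satisfies neither the same-scheme test nor `/\A(?:http|ftp)\z/i`. The comment should state that both directions are refused and that only http and ftp may redirect to each other, so a reader does not take the downgrade case as the only one blocked. The RFC references justify the downgrade case only; the upgrade rejection looks like a side effect of the pattern and deserves its own remark next to the "this is ad hoc" line.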
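Review bot: In the documentation hunk at @@ -606,6 +621,15 @@, the `[:redirect]` text has a typo ("redirectoins") and is hard to parse ("disable HTTP redirects at all", "The true means redirectoins between http and ftp is permitted"). It also never mentions that the raised OpenURI::HTTPRedirect exposes the target through its `uri` reader, or that it is a subclass of HTTPError as declared in the @@ -334,6 +341,14 @@ hunk, so an existing `rescue OpenURI::HTTPError` will catch it. Suggest rewording along the lines of ":redirect=>false disables following HTTP redirects; OpenURI::HTTPRedirect is raised instead and its uri method returns the redirect target", and documenting the default separately.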