OpenUri doesn't retry HTTP credentials after a redirect

Romulo Ceccon

Hi.

Ruby's openuri library has code to specifically drop authentication
options after being redirected by the server:

/trunk/lib/open-uri.rb@14609, line 212:

    if options.include? :http_basic_authentication
      # send authentication only for the URI directly specified.
      options = options.dup
      options.delete :http_basic_authentication
    end

I understand the security issues the code above addresses, but should it
be so stringent?

An authenticated SVN server which is running over HTTP, for example,
will redirect pages like http://www.example.org/svn/project1 to
http://www.example.org/svn/project1/, with a trailing slash for
directories. If one tries to open the former URI with open-uri, passing
a correct :http_basic_authentication, it raises a 401 exception -- i.e.
it looks like the wrong credentials were supplied. Opening the latter URI
works, though.

Is there any possibility of a security breach in the case above? IMO,
the supplied credentials should be tried as long as the domain doesn't
change between redirects. If not so, at least open-uri could accept an
additional parameter controlling its behavior.

What do you think? Should I report a bug?

Thanks in advance.
Romulo A. Ceccon
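The relaxed rule proposed above, as an added example that is neither open-uri's code nor part of the post: redirects are followed against a constructed in-memory stand-in for the server, and the :http_basic_authentication value is re-sent only when scheme, host and port are all unchanged (a stricter check than "same domain", so an https-to-http downgrade also drops it). FAKE_SERVER, same_origin?, credentials_for_redirect and fetch are assumed names.

```ruby
require "uri"

# True when two URIs share scheme, host and port (default ports included),
# i.e. the same origin. Example code, not open-uri's own logic.
def same_origin?(a, b)
  a = URI(a)
  b = URI(b)
  a.scheme == b.scheme &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    a.port == b.port
end

# Decide which credentials (if any) may accompany the redirected request.
# Anything cross-origin, including an https -> http downgrade on the same
# host, gets nil so the secret is never handed to a different server.
def credentials_for_redirect(original, target, creds)
  return nil if creds.nil? || !same_origin?(original, target)
  creds
end

# Constructed stand-in for a server: each URI yields either a 301 with a
# Location header or a final response that may demand Basic auth.
FAKE_SERVER = {
  "http://www.example.org/svn/project1"  => { status: 301, location: "http://www.example.org/svn/project1/" },
  "http://www.example.org/svn/project1/" => { status: 200, auth_required: true,  body: "listing" },
  "http://www.example.org/moved"         => { status: 301, location: "http://evil.example.net/" },
  "http://evil.example.net/"             => { status: 200, auth_required: false, body: "other site" },
}

# Follow redirects (bounded, as open-uri also bounds them) and return
# [status, body, credentials that reached the final server].
def fetch(uri, creds, max_redirects: 5)
  max_redirects.times do
    resp = FAKE_SERVER.fetch(uri)
    if resp[:status] == 301
      next_uri = resp[:location]
      creds = credentials_for_redirect(uri, next_uri, creds)
      uri = next_uri
      next
    end
    return [401, nil, creds] if resp[:auth_required] && creds.nil?
    return [resp[:status], resp[:body], creds]
  end
  raise "too many redirects"
end
```

With this rule the trailing-slash redirect in the post succeeds with the original credentials, while a redirect to another host still arrives there without them.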
 
