OpenUri doesn't retry HTTP credentials after a redirect

Hi.

Ruby's open-uri library has code to specifically drop authentication
options after being redirected by the server:

/trunk/lib/[email protected], line 212:

if options.include? :http_basic_authentication
  # send authentication only for the URI directly specified.
  options = options.dup
  options.delete :http_basic_authentication
end

I understand the security issues the code above addresses, but should it
be so stringent?

An authenticated SVN server which is running over HTTP, for example,
will redirect pages like http://www.example.org/svn/project1 to
http://www.example.org/svn/project1/, with a trailing slash for
directories. If one tries to open the former URI with open-uri, passing
a correct :http_basic_authentication, it raises a 401 exception – i.e.
it looks like the wrong credentials were supplied. Opening the latter URI
works, though.

Is there any possibility of a security breach in the case above? IMO,
the supplied credentials should be tried as long as the domain doesn’t
change between redirects. If not so, at least open-uri could accept an
additional parameter controlling its behavior.

What do you think? Should I report a bug?

Thanks in advance.
Romulo A. Ceccon
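The behaviour the post describes, and the same-origin policy it proposes, as an added example that is not part of the post and not open-uri's own code. It uses a constructed in-memory "server" (the hostnames, paths, `GOOD_AUTH` and the `FAKE_TRANSPORT` callable are all assumptions) so it runs offline. With `policy: :never` it reproduces open-uri's current behaviour and the 401 on the slash-less SVN directory URL; with `policy: :same_origin` credentials are re-sent only when scheme, host and port of the redirect target match the URL the caller actually specified, so a redirect to another host (or from https to http) never receives them:

```ruby
require 'uri'

# Same-origin check: scheme, host (case-insensitive) and port must all match.
# This is the forwarding rule proposed above, not open-uri's behaviour.
def same_origin?(original, target)
  o = URI(original)
  t = URI(target)
  o.scheme == t.scheme &&
    o.host.to_s.downcase == t.host.to_s.downcase &&
    o.port == t.port
end

# Minimal redirect-following fetch with pluggable credential policy.
# +transport+ is a callable (uri, auth) -> [status, headers, body], which is
# what lets the example run against the constructed server below.
# Credentials are compared against the ORIGINAL url, not the previous hop,
# so a chain that leaves the origin can never carry them along.
# Returns [final_url, status, body, audit]; audit lists, per hop, whether
# credentials were sent.
def fetch_following_redirects(url, auth, transport, policy: :same_origin, max_redirects: 5)
  origin  = URI(url)
  current = origin
  creds   = auth            # always sent to the URI directly specified
  audit   = []
  (max_redirects + 1).times do
    status, headers, body = transport.call(current, creds)
    audit << { uri: current.to_s, sent_credentials: !creds.nil?, status: status }
    redirect = (300..399).cover?(status) && headers['location']
    return [current.to_s, status, body, audit] unless redirect
    target = current.merge(headers['location'])   # resolves relative Location
    creds  = (policy == :same_origin && same_origin?(origin, target)) ? auth : nil
    current = target
  end
  raise "too many redirects"
end

# Constructed fake server (assumed hosts/paths). :protected entries answer
# 200 only with GOOD_AUTH, 401 otherwise, mimicking an authenticated SVN
# server that redirects directory URLs to their trailing-slash form.
GOOD_AUTH = ['alice', 's3cret'].freeze
FAKE_SERVER = {
  'http://svn.example.org/svn/project1'  => [301, { 'location' => '/svn/project1/' }, ''],
  'http://svn.example.org/svn/project1/' => :protected,
  'http://svn.example.org/leave'         => [302, { 'location' => 'http://other.example.net/' }, ''],
  'http://other.example.net/'            => :protected
}.freeze

FAKE_TRANSPORT = lambda do |uri, auth|
  entry = FAKE_SERVER[uri.to_s]
  if entry.nil?
    [404, {}, 'not found']
  elsif entry == :protected
    auth == GOOD_AUTH ? [200, {}, 'listing'] : [401, {}, 'unauthorized']
  else
    entry
  end
end

# The case from the post: slash-less directory URL, correct credentials.
def demo_same_origin(policy = :same_origin)
  fetch_following_redirects('http://svn.example.org/svn/project1', GOOD_AUTH, FAKE_TRANSPORT, policy: policy)
end

# A redirect off-origin: credentials must not follow it.
def demo_cross_origin
  fetch_following_redirects('http://svn.example.org/leave', GOOD_AUTH, FAKE_TRANSPORT)
end

if __FILE__ == $PROGRAM_NAME
  [['open-uri style (never)', demo_same_origin(:never)],
   ['same-origin policy',     demo_same_origin],
   ['cross-origin redirect',  demo_cross_origin]].each do |label, (final, status, _body, audit)|
    puts "#{label}: #{status} at #{final}"
    audit.each { |h| puts "  #{h[:status]} #{h[:uri]} credentials_sent=#{h[:sent_credentials]}" }
  end
end
```

The audit trail is the part worth keeping in real code: logging which hops received credentials makes an unexpected cross-host redirect visible rather than silently turning into a 401.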
