OpenUri doesn't retry HTTP credentials after a redirect


Ruby’s open-uri library has code to specifically drop authentication
options after being redirected by the server:

/trunk/lib/open-uri.rb@14609, line 212:

if options.include? :http_basic_authentication
  # send authentication only for the URI directly specified.
  options = options.dup
  options.delete :http_basic_authentication
end

I understand the security issues the code above addresses, but should it
be so stringent?

An authenticated SVN server which is running over HTTP, for example,
will redirect pages like to, with a trailing slash for
directories. If one tries to open the former URI with open-uri, passing
a correct :http_basic_authentication, it raises a 401 exception – i.e.
it looks like the wrong credentials were supplied. Opening the latter URI
works, though.

Is there any possibility of a security breach in the case above? IMO,
the supplied credentials should be tried as long as the domain doesn’t
change between redirects. If not so, at least open-uri could accept an
additional parameter controlling its behavior.

What do you think? Should I report a bug?

Thanks in advance.
Romulo A. Ceccon
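The behaviour the post asks for, as an added example that is neither open-uri's code nor the poster's: a small redirect follower that re-sends HTTP basic-auth credentials only while every hop stays on the same origin (scheme, host and port) as the URI the caller supplied, and drops them for the rest of the chain as soon as one redirect leaves that origin. The hostnames, the `fetch:` callable and the simulated SVN server are constructed for the example so it runs offline; `NET_HTTP_FETCH` is the equivalent online fetcher built on Net::HTTP.

```ruby
require 'uri'
require 'net/http'

# Added example (not open-uri's code): follow HTTP redirects and re-send
# basic-auth credentials only while every hop stays on the origin
# (scheme, host, port) of the URI the caller supplied. Once a redirect
# leaves that origin, credentials are dropped for the rest of the chain.

MAX_REDIRECTS = 5

# True when both URIs share scheme, host (case-insensitive) and port.
def same_origin?(a, b)
  a.scheme == b.scheme &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    a.port == b.port
end

# Follow redirects from start_url. `fetch` is a callable taking
# (uri, user, pass) and returning [status_code, location_header_or_nil];
# it is injected so the redirect logic can be exercised offline against a
# constructed server. Returns [final_status, trail], where trail lists
# [url, auth_sent, status] for each hop.
def fetch_with_auth(start_url, user, pass, fetch:)
  origin = URI(start_url)
  uri = origin
  auth_allowed = true
  trail = []
  MAX_REDIRECTS.times do
    # a single cross-origin hop disables credentials for all later hops
    auth_allowed &&= same_origin?(origin, uri)
    status, location = fetch.call(uri, auth_allowed ? user : nil,
                                  auth_allowed ? pass : nil)
    trail << [uri.to_s, auth_allowed, status]
    return [status, trail] unless (300..399).cover?(status) && location
    uri = uri.merge(location) # resolves relative Location values
  end
  raise "redirect limit (#{MAX_REDIRECTS}) exceeded"
end

# Real fetcher built on Net::HTTP, usable as the `fetch:` argument online.
NET_HTTP_FETCH = lambda do |uri, user, pass|
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(user, pass) if user
  res = Net::HTTP.start(uri.host, uri.port,
                        use_ssl: uri.scheme == 'https') { |h| h.request(req) }
  [res.code.to_i, res['location']]
end

# Constructed stand-in for an SVN-over-HTTP server (hostnames are made up):
# /repo redirects to /repo/, which needs basic auth; /mirror redirects to a
# different host that also asks for credentials.
FAKE_SERVER = lambda do |uri, user, pass|
  case [uri.host, uri.path]
  when ['svn.example.test', '/repo']    then [301, '/repo/']
  when ['svn.example.test', '/repo/']
    (user == 'alice' && pass == 's3cret') ? [200, nil] : [401, nil]
  when ['svn.example.test', '/mirror']  then [302, 'http://other.example.test/repo/']
  when ['other.example.test', '/repo/'] then user ? [200, nil] : [401, nil]
  else [404, nil]
  end
end

if __FILE__ == $PROGRAM_NAME
  # same-origin redirect: credentials are re-sent and the request succeeds
  p fetch_with_auth('http://svn.example.test/repo', 'alice', 's3cret', fetch: FAKE_SERVER)
  # cross-origin redirect: credentials are withheld and the other host answers 401
  p fetch_with_auth('http://svn.example.test/mirror', 'alice', 's3cret', fetch: FAKE_SERVER)
end
```

With open-uri as quoted above, the first call would already fail at the second hop, because the `:http_basic_authentication` option is deleted before the redirect is followed; here the trailing-slash redirect succeeds while the cross-host one still never sees the password. Comparing against the original origin rather than the previous hop, and never re-enabling credentials once they have been dropped, keeps a chain such as same host to other host and back from leaking anything to the intermediate server.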