From b74c9a6d66b2e77e431b85437e5126aeadc14032 Mon Sep 17 00:00:00 2001
From: akr <akr@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 28 Oct 2007 12:55:51 +0000
Subject: * lib/open-uri.rb: :redirect option implemented to disable redirects.
   (OpenURI::HTTPRedirect): new exception class for redirection.

git-svn-id: http://svn.ruby-lang.org/repos/ruby/trunk@13788 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog       |  5 +++++
 lib/open-uri.rb | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index e3b881009..61742f4f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Sun Oct 28 21:50:02 2007  Tanaka Akira  <akr@fsij.org>
+
+	* lib/open-uri.rb: :redirect option implemented to disable redirects.
+	  (OpenURI::HTTPRedirect): new exception class for redirection.
+
 Fri Oct 26 17:38:13 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* numeric.c (int_chr): take an optional encoding parameter.
diff --git a/lib/open-uri.rb b/lib/open-uri.rb
index a55a1b1ac..441134433 100644
--- a/lib/open-uri.rb
+++ b/lib/open-uri.rb
@@ -99,6 +99,7 @@ module OpenURI
     :ssl_ca_cert => nil,
     :ssl_verify_mode => nil,
     :ftp_active_mode => false,
+    :redirect => true,
   }
 
   def OpenURI.check_options(options) # :nodoc:
@@ -199,6 +200,9 @@ module OpenURI
           # URI.  It is converted to absolute URI using uri as a base URI.
           redirect = uri + redirect
         end
+        if !options.fetch(:redirect, true)
+          raise HTTPRedirect.new(buf.io.status.join(' '), buf.io, redirect)
+        end
         unless OpenURI.redirectable?(uri, redirect)
           raise "redirection forbidden: #{uri} -> #{redirect}"
         end
@@ -222,6 +226,9 @@ module OpenURI
   def OpenURI.redirectable?(uri1, uri2) # :nodoc:
     # This test is intended to forbid a redirection from http://... to
     # file:///etc/passwd.
+    # https to http redirect is also forbidden intentionally.
+    # It avoids sending secure cookie or referer by non-secure HTTP protocol.
+    # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
     # However this is ad hoc.  It should be extensible/configurable.
     uri1.scheme.downcase == uri2.scheme.downcase ||
     (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
@@ -334,6 +341,14 @@ module OpenURI
     attr_reader :io
   end
 
+  class HTTPRedirect < HTTPError
+    def initialize(message, io, uri)
+      super(message, io)
+      @uri = uri
+    end
+    attr_reader :uri
+  end
+
   class Buffer # :nodoc:
     def initialize
       @io = StringIO.new
@@ -606,6 +621,15 @@ module OpenURI
     # Note that the active mode is default in Ruby 1.8 or prior.
     # Ruby 1.9 uses passive mode by default.
     #
+    # [:redirect]
+    #  Synopsis:
+    #    :redirect=>bool
+    #
+    # :redirect=>false is used to disable HTTP redirects at all.
+    # OpenURI::HTTPRedirect exception raised on redirection.
+    # It is true by default.
+    # The true means redirectoins between http and ftp is permitted.
+    #
     def open(*rest, &block)
       OpenURI.open_uri(self, *rest, &block)
     end
-- 
cgit