Hi.
Ruby’s open-uri library has code to specifically drop authentication
options after being redirected by the server:
/trunk/lib/open-uri.rb@14609, line 212:

    if options.include? :http_basic_authentication
      # send authentication only for the URI directly specified.
      options = options.dup
      options.delete :http_basic_authentication
    end
I understand the security issues the code above addresses, but should it
be so stringent?
An authenticated SVN server which is running over HTTP, for example,
will redirect pages like http://www.example.org/svn/project1 to
http://www.example.org/svn/project1/, with a trailing slash for
directories. If one tries to open the former URI with open-uri, passing
a correct :http_basic_authentication, it raises a 401 exception – i.e.
it looks like the wrong credentials were supplied. Opening the latter URI
works, though.
Is there any possibility of a security breach in the case above? IMO,
the supplied credentials should be tried as long as the domain doesn’t
change between redirects. If not so, at least open-uri could accept an
additional parameter controlling its behavior.
What do you think? Should I report a bug?
Thanks in advance.
Romulo A. Ceccon
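To make the trade-off concrete, here is an added example (it is not open-uri's code and not part of the original message) of the policy the post proposes, carried a step further: credentials are forwarded only when the redirect target has the same origin as the URI the caller supplied, i.e. the same scheme, host and port rather than just the same domain. The helper names (same_origin?, fetch_with_policy) and the FAKE_SERVER table standing in for an HTTP server are constructed for the demonstration.

```ruby
require 'uri'

# Added example (not open-uri's code): keep HTTP Basic credentials across a
# redirect only when the target shares the origin (scheme, host, port) of the
# URI the caller asked for.  Checking scheme and port as well as host matters:
# an https -> http redirect would otherwise send the credentials in the clear,
# and a different port may be a different service on the same host.
def same_origin?(from, to)
  from = URI(from) unless from.is_a?(URI)
  to   = URI(to)   unless to.is_a?(URI)
  from.scheme == to.scheme &&
    from.host.to_s.downcase == to.host.to_s.downcase &&
    from.port == to.port
end

# Constructed stand-in for a server: URL => [status, Location header, body].
# The first pair mimics the SVN trailing-slash redirect from the message; the
# others show a cross-host and a cross-port redirect.
FAKE_SERVER = {
  'http://www.example.org/svn/project1'  => [301, 'http://www.example.org/svn/project1/', nil],
  'http://www.example.org/svn/project1/' => [200, nil, 'directory listing'],
  'http://www.example.org/moved'         => [302, 'http://third-party.example.net/', nil],
  'http://third-party.example.net/'      => [200, nil, 'some other site'],
  'http://www.example.org/login'         => [302, 'http://www.example.org:8080/login', nil],
  'http://www.example.org:8080/login'    => [200, nil, 'other port'],
}.freeze

# Follows redirects against the fake server and records, for every request,
# whether credentials would have been attached.  Returns [final_url, body,
# trace] where trace is an array of [url, credentials_sent?] pairs.
def fetch_with_policy(url, credentials, server: FAKE_SERVER, max_redirects: 5)
  origin  = URI(url)          # the URI directly specified by the caller
  current = url
  trace   = []
  max_redirects.times do
    send_creds = !credentials.nil? && same_origin?(origin, current)
    trace << [current, send_creds]
    status, location, body = server.fetch(current) { raise "no route for #{current}" }
    return [current, body, trace] unless (300..399).cover?(status)
    # Location may be relative, so resolve it against the current URL.
    current = URI.join(current, location).to_s
  end
  raise 'too many redirects'
end

if __FILE__ == $0
  creds = ['user', 'password']   # constructed credentials
  %w[http://www.example.org/svn/project1
     http://www.example.org/moved
     http://www.example.org/login].each do |start|
    final, _body, trace = fetch_with_policy(start, creds)
    puts "#{start} -> #{final}"
    trace.each { |u, sent| puts "  #{u}: credentials #{sent ? 'sent' : 'dropped'}" }
  end
end
```

With this policy the trailing-slash redirect from the message keeps the credentials and succeeds, while a redirect to another host or another port on the same host is fetched without them, which is the leak the open-uri code is guarding against.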