Changeset 259

Timestamp:

01/08/09 21:49:04 (2 years ago)

Author:

nahi

Message:

• Security fix introduced at 2.1.3.
  
  • get_content/post_content of httpclient/2.1.3 may send secure cookies
    for a https site to non-secure (non-https) site when the https site
    redirects the request to a non-https site. httpclient/2.1.3 caches
    request object and reuses it for redirection. It should not be cached
    and recreated for each time as httpclient <= 2.1.2 and http-access2.
    
  • I realized this bug when I was reading open-uri story on
    [ruby-core:21205]. Ruby users should use open-uri rather than using
    net/http directly wherever possible.
    

Files:

• trunk/README.txt (modified) (3 diffs)
• trunk/httpclient.gemspec (modified) (1 diff)
• trunk/lib/httpclient.rb (modified) (13 diffs)
• trunk/lib/httpclient/auth.rb (modified) (1 diff)
• trunk/lib/httpclient/connection.rb (modified) (1 diff)
• trunk/lib/httpclient/http.rb (modified) (1 diff)
• trunk/lib/httpclient/session.rb (modified) (1 diff)
• trunk/lib/httpclient/ssl_config.rb (modified) (1 diff)
• trunk/lib/httpclient/timeout.rb (modified) (1 diff)
• trunk/lib/httpclient/util.rb (modified) (1 diff)
• trunk/test/test_httpclient.rb (modified) (1 diff)

trunk/README.txt

@@ -1 +1 @@
-httpclient - HTTP accessing library.
-8
+9
-
-'httpclient' gives something like the functionality of libwww-perl (LWP) in
@@ -69 +69 @@
-
-
+== Download
+
+* Stable: http://dev.ctor.org/download/httpclient-2.1.3.1.tar.gz (tar + gzip)
+* Stable: http://dev.ctor.org/download/httpclient-2.1.3.1.zip (ZIP) 
+
+* Older versions: http://dev.ctor.org/download/archive/ 
+
+* Gem repository for stable version
+  * (at default remove source at rubyforge.org) 
+* Gem repository for development version
+  * http://dev.ctor.org/download/ 
+
+* svn: http://dev.ctor.org/svn/http-access2/trunk/ 
+
+=== Gem
+
+You can install httpclient with rubygems.
+
+  % gem install httpclient --source http://dev.ctor.org/download/
+
+
-== Bug report or Feature request
-
@@ -81 +102 @@
-
-== Changes
+
+  Jan 8, 2009 - version 2.1.3.1
+
+    * Security fix introduced at 2.1.3.
+      * get_content/post_content of httpclient/2.1.3 may send secure cookies
+        for a https site to non-secure (non-https) site when the https site
+        redirects the request to a non-https site.  httpclient/2.1.3 caches
+        request object and reuses it for redirection.  It should not be cached
+        and recreated for each time as httpclient <= 2.1.2 and http-access2.
+      * I realized this bug when I was reading open-uri story on
+        [ruby-core:21205].  Ruby users should use open-uri rather than using
+        net/http directly wherever possible.
-
-  Dec 29, 2008 - version 2.1.3

trunk/httpclient.gemspec

@@ -2 +2 @@
-SPEC = Gem::Specification.new do |s|
-  s.name = "httpclient"
-2
-7-09-22
+3.1
+9-01-08
-  s.author = "NAKAMURA, Hiroshi"
-  s.email = "nahi@ruby-lang.org"

trunk/lib/httpclient.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can
@@ -200 +200 @@
-#
-class HTTPClient
-
+.1
-  RUBY_VERSION_STRING = "ruby #{RUBY_VERSION} (#{RUBY_RELEASE_DATE}) [#{RUBY_PLATFORM}]"
-  /: (\S+) (\S+)/ =~ %q$Id$
@@ -512 +512 @@
-  # follow HTTP redirect by yourself if you need.
-  def get_content(uri, query = nil, extheader = {}, &block)
-
-
-
+
-  end
-
@@ -540 +538 @@
-  # use post method.
-  def post_content(uri, body = nil, extheader = {}, &block)
-
-
-
+
-  end
-
@@ -552 +548 @@
-  def strict_redirect_uri_callback(uri, res)
-    newuri = URI.parse(res.header['location'][0])
+    if https?(uri) && !https?(newuri)
+      raise BadResponseError.new("redirecting to non-https resource")
+    end
-    unless newuri.is_a?(URI::HTTP)
-      raise BadResponseError.new("unexpected location: #{newuri}", res)
@@ -566 +565 @@
-  def default_redirect_uri_callback(uri, res)
-    newuri = URI.parse(res.header['location'][0])
+    if https?(uri) && !https?(newuri)
+      raise BadResponseError.new("redirecting to non-https resource")
+    end
-    unless newuri.is_a?(URI::HTTP)
-      newuri = uri + newuri
@@ -653 +655 @@
-    uri = urify(uri)
-    proxy = no_proxy?(uri) ? nil : @proxy
-.to_s.upcase
+
-    if block
-      filtered_block = proc { |res, str|
@@ -723 +725 @@
-    uri = urify(uri)
-    proxy = no_proxy?(uri) ? nil : @proxy
-.to_s.upcase
+
-    do_request_async(req, proxy)
-  end
@@ -803 +805 @@
-  end
-
-req
-retry_number = 0
+method, uri, query, body, extheader
+uri = urify(uri)
-    if block
-      filtered_block = proc { |r, str|
@@ -810 +812 @@
-      }
-    end
+    if HTTP::Message.file?(body)
+      pos = body.pos rescue nil
+    end
+    retry_number = 0
-    while retry_number < @follow_redirect_count
+      body.pos = pos if pos
+      req = create_request(method, uri, query, body, extheader)
-      proxy = no_proxy?(req.header.request_uri) ? nil : @proxy
-      res = do_request(req, proxy, &filtered_block)
@@ -817 +825 @@
-      elsif HTTP::Status.redirect?(res.status)
-        uri = urify(@redirect_uri_callback.call(req.header.request_uri, res))
-        req.header.request_uri = uri
-        retry_number += 1
-      else
@@ -835 +842 @@
-
-  def create_request(method, uri, query, body, extheader)
+    method = method.to_s.upcase
-    if extheader.is_a?(Hash)
-      extheader = extheader.to_a
@@ -914 +922 @@
-  end
-
+  def https?(uri)
+    uri.scheme.downcase == 'https'
+  end
+
-  # !! CAUTION !!
-  #   Method 'do_get*' runs under MT conditon. Be careful to change.

trunk/lib/httpclient/auth.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/lib/httpclient/connection.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/lib/httpclient/http.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/lib/httpclient/session.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/lib/httpclient/ssl_config.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/lib/httpclient/timeout.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/lib/httpclient/util.rb

@@ -1 +1 @@
-# HTTPClient - HTTP client library.
-8
+9
-#
-# This program is copyrighted free software by NAKAMURA, Hiroshi.  You can

trunk/test/test_httpclient.rb

@@ -305 +305 @@
-    @client.test_loopback_http_response << "HTTP/1.0 200 OK\nXXXXX\ncontent-length: 100\n\nmessage body 1"
-    assert_equal('message body 1', @client.get_content('http://somewhere'))
+  end
+
+  def test_redirect_non_https
+    url = @url + 'redirect1'
+    https_url = URI.parse(url)
+    https_url.scheme = 'https'
+    #
+    redirect_to_http = "HTTP/1.0 302 OK\nLocation: #{url}\n\n"
+    redirect_to_https = "HTTP/1.0 302 OK\nLocation: #{https_url}\n\n"
+    #
+    # https -> http is denied
+    @client.test_loopback_http_response << redirect_to_http
+    assert_raises(HTTPClient::BadResponseError) do
+      @client.get_content(https_url)
+    end
+    #
+    # http -> http is OK
+    @client.reset_all
+    @client.test_loopback_http_response << redirect_to_http
+    assert_equal('hello', @client.get_content(url))
+    #
+    # http -> https is OK
+    @client.reset_all
+    @client.test_loopback_http_response << redirect_to_https
+    assert_raises(OpenSSL::SSL::SSLError) do
+      # trying to normal endpoint with SSL -> SSL negotiation failure
+      @client.get_content(url)
+    end
+    #
+    # https -> https is OK
+    @client.reset_all
+    @client.test_loopback_http_response << redirect_to_https
+    assert_raises(OpenSSL::SSL::SSLError) do
+      # trying to normal endpoint with SSL -> SSL negotiation failure
+      @client.get_content(https_url)
+    end
-  end
-