Issue #15893 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to akr (Akira Tanaka)
Status changed from Open to Assigned
File deprecate-open-uri-kernel-open.patch added

While the conversion from `open` or `Kernel.open` to `URI.open` is simple, this is likely to break a lot of existing Ruby code.  However, I can see the security advantages of deprecating this, as having `open` implicitly open URIs is a security footgun.  For that reason, I am in favor of the deprecation and eventual removal.

akr is the maintainer of `open-uri`, so I'm assigning this to him. In case he decides to deprecate this, attached is a patch for the deprecation.  It makes `Kernel.open` call `URI.open` in cases where `URI.open` would handle it, warning in that case.  To avoid warning when calling `Kernel.open` with a `Pathname` instance, it does not delegate to `URI.open` if the object responds to `to_path`.
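The dispatch rule described in the update above, as an added example that is not part of the original message or the attached patch. `open_dispatch`, `open_local_only` and the `URL_SHAPED` pattern are hypothetical names and assumptions made for this illustration. It classifies an argument without opening anything, which helps when auditing call sites that pass untrusted input to bare `open`:

```ruby
require 'uri'
require 'open-uri'
require 'pathname'

# Assumption for this example: a string counts as URL-shaped when it
# starts with "<scheme>://".
URL_SHAPED = %r{\A[A-Za-z][A-Za-z0-9+\-.]*://}

# Hypothetical helper: reports where bare `open` with open-uri loaded would
# route `name`, following the rule described in the message.
#   :local   -> stays with the original Kernel#open (filesystem)
#   :uri     -> would be handed to URI.open (network access, deprecation warning)
#   :invalid -> URL-shaped string that URI.parse rejects
def open_dispatch(name)
  # Pathname and other path-like objects are never delegated to URI.open,
  # even though Pathname itself responds to #open.
  return :local if name.respond_to?(:to_path)
  # URI::HTTP and friends gain a public #open once open-uri is loaded.
  return :uri if name.respond_to?(:open)
  if name.respond_to?(:to_str) && URL_SHAPED.match?(name.to_str)
    begin
      return :uri if URI.parse(name.to_str).respond_to?(:open)
    rescue URI::InvalidURIError
      return :invalid
    end
  end
  :local
end

# Hypothetical wrapper for call sites that must only read local files,
# e.g. when `name` is derived from user input. File.open never fetches URLs.
def open_local_only(name, mode = 'r', &block)
  unless open_dispatch(name) == :local
    raise ArgumentError, "refusing to open non-local target: #{name.inspect}"
  end
  File.open(name, mode, &block)
end
```

Call sites that legitimately need to fetch a URL would call `URI.open` explicitly instead, which keeps the network access visible in the code.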

----------------------------------------
Misc #15893: open-uri: URI.open status
https://bugs.ruby-lang.org/issues/15893#change-78301

* Author: zverok (Victor Shepelev)
* Status: Assigned
* Priority: Normal
* Assignee: akr (Akira Tanaka)
----------------------------------------
On the one hand, Ruby 2.5's NEWS [stated](https://github.com/ruby/ruby/commit/bf287424fd00c0304c836525bb52d89fc1f4a84a#diff-ff4e2dc4962dc25a1512353299992c8dR298):

> URI.open method defined as an alias to open-uri's Kernel.open. open-uri's Kernel.open will be deprecated in future.

I believe there were good reasons for that decision.

On the other hand,
* no moves in this direction have been made since 2.5
* `URI.open` [is excluded](https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb#L43) from `open-uri`'s docs, and the main library's [documentation](https://ruby-doc.org/stdlib-2.5.0/libdoc/open-uri/rdoc/OpenURI.html) doesn't mention this option as preferred or even existing.

I'd like to know what the real status of this library and its migration to (safer) `URI.open` is.
Should a patch be provided to change the library's docs accordingly?
Maybe even change the code (still leaving `Kernel.open` option, but just as an alias, moving the implementation away from that method)?

---Files--------------------------------
deprecate-open-uri-kernel-open.patch (21.3 KB)

