Hi.

Ruby's open-uri library has code to specifically drop authentication
options after being redirected by the server:

  /trunk/lib/open-uri.rb@14609, line 212:

    if options.include? :http_basic_authentication
      # send authentication only for the URI directly specified.
      options = options.dup
      options.delete :http_basic_authentication
    end

I understand the security issues the code above addresses, but should it
be so stringent?

An authenticated SVN server which is running over HTTP, for example,
will redirect pages like http://www.example.org/svn/project1 to
http://www.example.org/svn/project1/, with a trailing slash for
directories. If one tries to open the former URI with open-uri, passing
a correct :http_basic_authentication, it raises a 401 exception -- i.e.
it looks like the wrong credentials were supplied. Opening the latter URI
works, though.

Is there any possibility of a security breach in the case above? IMO,
the supplied credentials should be tried as long as the domain doesn't
change between redirects. If not so, at least open-uri could accept an
additional parameter controlling its behavior.

What do you think? Should I report a bug?

Thanks in advance.
Romulo A. Ceccon
-- 
Posted via http://www.ruby-forum.com/.
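An added example, not open-uri's code nor the poster's, of the same-origin rule the post proposes: Basic credentials supplied for the original URI are re-sent after a redirect only while scheme, host and port are unchanged (so an https-to-http downgrade or a hop to another host drops them). The redirect table is constructed to simulate the server offline; the SVN trailing-slash case from the post is the first entry.

```ruby
require 'uri'

# Decide whether HTTP Basic credentials given for +original+ may be
# re-sent to +target+ after a redirect. Scheme, host and port must all
# match; a different host or an https -> http downgrade returns false.
def forward_credentials?(original, target)
  o = URI.parse(original)
  t = URI.parse(target)
  return false unless o.scheme == t.scheme
  return false unless o.host && t.host && o.host.casecmp(t.host).zero?
  o.port == t.port   # default ports (80/443) are filled in by URI
end

# Constructed redirect table: request URI => Location the server answers.
REDIRECTS = {
  'http://www.example.org/svn/project1' => 'http://www.example.org/svn/project1/',
  'http://www.example.org/moved'        => 'http://mirror.example.net/moved',
  'https://www.example.org/secure'      => 'http://www.example.org/secure'
}

# Follow the simulated redirect chain for +start+ (at most +limit+ hops).
# Returns [final_uri, auth_still_attached]; once credentials are dropped
# at a hop they stay dropped for the rest of the chain.
def follow_with_auth(start, limit = 5)
  current = start
  auth = true
  limit.times do
    nxt = REDIRECTS[current]
    return [current, auth] if nxt.nil?
    auth &&= forward_credentials?(start, nxt)
    current = nxt
  end
  raise "too many redirects starting at #{start}"
end
```

In current open-uri, `open(uri, redirect: false)` raises OpenURI::HTTPRedirect (with the target in `#uri`) instead of following, so a check like this can be applied per hop by the caller; that option is not present in the revision quoted above.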