Infinite Redirects http -> https
Closed this issue · 3 comments
I ran into an interesting situation trying to authorize with a server that had http redirected to https, where the URL given had a path in it.
Given a URL to connect to like:
http://mysite.com/my/path/here
When we request a token, the following path is tried:
http://mysite.com/my/path/here/oauth/request_token
The server responds with a redirect and location of:
https://mysite.com/my/path/here/oauth/request_token
The part of the library that addresses the redirect is here:
https://github.com/oauth-xx/oauth-ruby/blob/master/lib/oauth/consumer.rb#L232
The path pulled from the location header is:
/my/path/here/oauth/request_token
and is checked against the original to detect infinite redirects, but the original is:
/oauth/request_token
So the new path is passed on to token_request. When the request is made, we build a URL from the path and the site here:
https://github.com/oauth-xx/oauth-ruby/blob/master/lib/oauth/consumer.rb#L360
Since the new path to try includes the path that is also on the site, we get a URL like:
http://mysite.com/my/path/here/my/path/here/oauth/request_token
Since the protocol is still http the remote server responds with a redirect again and again. This grows the path and continues as long as the client or remote server will allow.
The two points of pain I am having are:
- The protocol changed in the redirect. Should we accept the protocol change, raise an exception, or some other behavior to stop the infinite redirects?
- When building a new path from the redirect, how, or should, we account for there being a path on the site that is also in the redirect?
Wondering if you feel this is an issue that could/should be handled by this library. If so I would like to help.
- If the protocol changes in the redirect upwards (http -> https), we should just accept it; if it's the other way around (https -> http), that's an error and we should raise.
- If the protocol changes, we should not sum up the paths; it's a new address.
If you have time to help with this I would be grateful (I just had to shift my time again to personal issues yesterday) - but I would be delighted to review and release a new version.
@mpapis Sorry I have not responded. I hope to put up a PR this weekend.
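The redirect rules proposed in this thread (accept http -> https, raise on https -> http, treat the Location as a new address instead of appending it to the site path), sketched as an added example; this is not oauth-ruby's code or the eventual fix. The names `next_request_url`, `resolve`, `RedirectError` and the redirect cap are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical helper, not part of oauth-ruby: decides where a redirected
# token request should go next.
class RedirectError < StandardError; end

MAX_REDIRECTS = 5 # assumed cap; the thread does not specify one

# current:  absolute URL that was just requested
# location: value of the Location header in the 3xx response
# seen:     URLs already requested in this chain
def next_request_url(current, location, seen)
  from = URI.parse(current)
  # URI.join resolves absolute and relative Location values against the full
  # request URL, so the site's path prefix is never appended a second time.
  to = URI.join(current, location)

  raise RedirectError, "unsupported scheme: #{to.scheme}" unless %w[http https].include?(to.scheme)
  if from.scheme == "https" && to.scheme == "http"
    raise RedirectError, "refusing https -> http downgrade to #{to}"
  end
  # Compare whole URLs (scheme, host, path), not only the path, so an
  # http -> https redirect to the same path is not mistaken for a loop.
  raise RedirectError, "redirect loop at #{to}" if seen.include?(to.to_s)
  raise RedirectError, "too many redirects" if seen.size >= MAX_REDIRECTS

  to.to_s
end

# Follows constructed (url => Location) responses and returns the final URL.
def resolve(start, responses)
  seen = [start]
  url = start
  while (location = responses[url])
    url = next_request_url(url, location, seen)
    seen << url
  end
  url
end

# Constructed sample mirroring the issue: a site with a path, http redirected to https.
SAMPLE = {
  "http://mysite.com/my/path/here/oauth/request_token" =>
    "https://mysite.com/my/path/here/oauth/request_token"
}.freeze
```
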