Ruby, HTTP, and open-uri

April 12th, 2005

Ruby’s obvious HTTP client library is Net::HTTP (‘net/http’); however, it feels a little awkward to use and lacks nice features like following redirects. If you’re coming from LWP you’ll be disappointed.

However, there is a nice wrapper, open-uri, that makes it simple to add custom headers, provides loop-aware redirect following, etc. It also provides a super slick drop-in replacement for the Kernel#open method, so that you can open either a local file or a remote URL…

Danger Will Robinson! Danger

At this point, alarm bells are going off in the heads of the PHP programmers in the audience, who are thinking to themselves,

“Wow, someone went to the trouble of making Ruby act PHP-like! Down to replicating one of the most commonly exploited security holes!”

Sincerest forms of flattery aside, that seems like a really bad idea. Admittedly you have to explicitly require 'open-uri' in order to activate the feature; however, as the best of the Ruby HTTP clients (that I’ve found to date) it seems like a decent bet in many web apps, and once you’ve done that, all future calls to open can be hijacked to download remote files.

Now, this being Ruby, there is probably some clever solution involving de-aliasing the open method which makes all these problems go away. Still, this seems like an opportunity for the PHP community, with its near infinite experience of having web apps exploited, to teach the Ruby community something. Overloading your core file-open semantic to transparently open remote resources is a bad idea, full stop.
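As an added defensive illustration (not code from the original post), assume a web app that takes a file name from a request parameter: reject anything that parses as a URL, confine the path to a base directory, and open it with File.open explicitly, so that a require 'open-uri' elsewhere in the app cannot turn the call into a remote fetch. (Since Ruby 3.0 open-uri no longer replaces Kernel#open, but the explicit-File.open pattern still applies.) The helper names and the scratch directory below are constructed for the example.

```ruby
require 'uri'
require 'pathname'
require 'tmpdir'

class UnsafePathError < StandardError; end

# True when the argument carries a URI scheme (http://, ftp://, file:, ...),
# i.e. input that open-uri's Kernel#open replacement would fetch remotely.
def remote_reference?(arg)
  !URI.parse(arg.to_s).scheme.nil?
rescue URI::InvalidURIError
  false # not even a valid URI reference; treat as an ordinary path string
end

# Reads user_path only if it is a plain path that stays inside base_dir.
# File.open is named explicitly: it never dispatches to open-uri, whatever
# has been required elsewhere in the process.
def read_local_file(base_dir, user_path)
  raise UnsafePathError, "URL not allowed: #{user_path}" if remote_reference?(user_path)
  base = Pathname.new(base_dir).realpath
  target = (base + user_path).cleanpath          # resolves "..", absolute paths win
  resolved = target.exist? ? target.realpath : target # follow symlinks if present
  unless resolved.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise UnsafePathError, "path escapes base dir: #{user_path}"
  end
  File.open(resolved, 'r') { |f| f.read }
end

# Constructed demo: a scratch directory holding one file, then three inputs
# an application might receive from a request parameter.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'notes.txt'), "hello from disk\n")
    results = {}
    ['notes.txt', 'http://example.invalid/payload', '../../etc/passwd'].each do |input|
      results[input] = begin
        read_local_file(dir, input)
      rescue UnsafePathError => e
        "rejected: #{e.message}"
      end
    end
    results
  end
end

demo.each { |input, outcome| puts "#{input.inspect} => #{outcome.inspect}" } if $PROGRAM_NAME == __FILE__
```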


4 responses to “Ruby, HTTP, and open-uri”

  1. rabble says:

    You CAN do it:

    require 'open-uri', :overwrite_open => false

  2. Dan says:

    Note that open-uri only provides an API for GETs.

  3. Matt says:

    If your application is allowing input from malicious users to be passed unchecked as a parameter to open(), isn’t it pretty much screwed security-wise anyhow, open-uri or not? (There’s plenty of fun an attacker can have with arbitrary access to the local filesystem.)

  4. mixdev says:

    Cool. Also, check the httparty library, which we use in production: http://github.com/jnunemaker/httparty