This list is out of date. At least OpenBSD since 2013 does not
allow one user to read the environment variables of a process
run by another user.
While we could try to keep the list updated, I think it's a bad
idea to not use the user/password from the environment, even if
another user on the system could read it. If http_proxy exists
in the environment, and other users can read it, it doesn't
make it more secure for Ruby to ignore it. You could argue that
it encourages poor security practices, but net/http should provide
mechanism, not policy.
Fixes [Bug #18908]
1e4585153d
The ignore_eof setting on HTTPResponse makes it so an EOFError is
raised when reading bodies with a defined Content-Length, if the
body read was truncated due to the socket being closed.
The ignore_eof setting on HTTP sets the values used in responses
that are created by the object.
For backwards compatibility, the default for both settings is
true. However, unless you are specifically testing for and handling
truncated responses, it's a good idea to set ignore_eof to false so
that errors are raised for truncated responses, instead of those
errors silently being ignored.
Fixes [Bug #14972]
4d47e34995
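The effect of ignore_eof on a truncated body, as an added example that is not part of the commit or of net/http itself. It assumes a Ruby whose net/http has the ignore_eof accessor; the loopback server and the helper names are constructed for the demonstration.

```ruby
require "net/http"
require "socket"

# Constructed server: advertises Content-Length: 100, sends 7 bytes, closes.
def start_truncating_server
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      client = server.accept
      while (line = client.gets) && line != "\r\n"; end # drain request headers
      client.write("HTTP/1.1 200 OK\r\nContent-Length: 100\r\n" \
                   "Connection: close\r\n\r\npartial")
      client.close
    end
  rescue IOError, Errno::EBADF
    # listening socket was closed by the caller; stop accepting
  end
  server
end

# Returns the body, or :truncated when the short read surfaces as EOFError.
def fetch(port, ignore_eof:)
  http = Net::HTTP.new("127.0.0.1", port, nil) # nil: ignore proxy settings in ENV
  http.max_retries = 0                         # GET is otherwise retried on EOFError
  http.ignore_eof = ignore_eof
  http.get("/").body
rescue EOFError
  :truncated
end

def demo
  server = start_truncating_server
  port = server.addr[1]
  [fetch(port, ignore_eof: true), fetch(port, ignore_eof: false)]
ensure
  server&.close
end
```

With the default setting the caller receives the 7-byte fragment as if it were the whole body; with ignore_eof set to false the same response raises.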
This allows for the ability to opt-in to a method to set the
encoding of response bodies. By setting the accessor to a String
or Encoding instance, it will use the specified encoding.
Setting the value of true will try to detect the encoding of the
response body, either using the Content-Type header (assuming it
specifies charset) or by scanning for a <meta> tag in the document
that specifies the encoding. The default is false in which case
no forcing of encoding will be done (same as before the patch).
Implements [Feature #2567]
Implements [Feature #15517]
6233e6b7c1
Co-authored-by: Yui Naruse <naruse@ruby-lang.org>
RFC 6066, section 3, explicitly disallows the use of an IP address
as an SNI server name. So check if the connection is being made
to an IP address using the resolv regexps, and do not set an SNI
hostname in that case.
Recent changes to LibreSSL make it more strictly follow RFC 6066,
resulting in s.hostname= raising an error if passed an IP address.
When such versions of LibreSSL are used, this change not only fixes
the net/http tests, it also fixes tests for webrick and open-uri,
which both make SSL connections to 127.0.0.1 using net/http in
their tests.
Avoid warning in the openssl extension by unsetting
@ssl_context.verify_hostname if connecting to an IP address.
Make changes so that the post_connection_check still happens
when connecting to an IP address, which is necessary to keep
checking that the certificate returned includes the IP address,
which one of the tests depends on.
Revert the previous change that modified the regexp used for
checking the error message.
fa68e64bee
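The two decisions described in the message above, sketched as an added example that is not the net/http code: skip SNI for IP literals, but still check the certificate identity against the IP address. The helper names and the self-signed certificate are constructed; `Resolv::IPv4::Regex`, `Resolv::IPv6::Regex` and `OpenSSL::SSL.verify_certificate_identity` are the standard library's own.

```ruby
require "openssl"
require "resolv"

# Name to send in the SNI extension, or nil to send none.
# RFC 6066 section 3 does not allow IP address literals as server names.
def sni_server_name(address)
  case address
  when Resolv::IPv4::Regex, Resolv::IPv6::Regex then nil
  else address
  end
end

# Constructed self-signed certificate whose only identity is an IP SAN.
def constructed_ip_cert(ip)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed.invalid")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "IP:#{ip}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check that must still run when no SNI name was sent.
def identity_ok?(cert, address)
  OpenSSL::SSL.verify_certificate_identity(cert, address)
end
```

A client that drops the identity check along with SNI would accept any valid certificate when connecting by IP address, which is why the two are kept separate.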
Renames `D` to `debug` in `Net::HTTP` and introduces an alias for
backwards compatibility. This was done for readability reasons, in that
`D` did not clearly reflect what the method was doing and can cause some
confusion.
582d6e87d6
The last_communicated timestamp is for HTTP persistent connection, to
decide whether the current TCP connection may be reused for the
subsequent requests or not. Naturally, the timer must be reset if the
connection is recreated since it is no longer relevant.
0a013de42d
It is not used in net/http library code since commit 15ccd0118c13
(r36473 in ruby svn trunk, 2012).
require's in test suite are also cleaned up.
996d18a43f
OpenSSL may take some time to initialize, and it would be best
to take that time before connecting instead of after.
From joshc on Redmine.
Fixes Ruby Bug #9459
14e09fba24
If someone sets an env variable defining a http_proxy, containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.
For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:
http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000
The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the
getters defined by ruby StdLib `URI` return a username `Y%5CX` and
password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.
Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer.
References:
- https://gitlab.com/gitlab-org/gitlab/-/issues/289836
- https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461
- https://bugs.ruby-lang.org/issues/17542
e57d4f38aa
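The mismatch from the message above, reproduced as an added example that is not the patch itself. `pct_decode` and `proxy_basic_token` are hypothetical helpers written for this illustration; the proxy URL and both expected tokens are the ones quoted in the message.

```ruby
require "uri"

# Percent-decode one URI component (hypothetical helper, not net/http's own).
# Works on bytes so escapes above 0x7F decode cleanly. "+" is left alone:
# in userinfo it is a literal plus sign, not a space.
def pct_decode(component)
  component.to_s.b
           .gsub(/%(\h\h)/) { [$1].pack("H2") }
           .force_encoding(Encoding::UTF_8)
end

# Base64 token for a Basic Proxy-Authorization header built from a proxy URL.
# decode: false reproduces the behaviour the message describes as wrong.
def proxy_basic_token(proxy_url, decode: true)
  uri = URI.parse(proxy_url)
  user = uri.user
  pass = uri.password
  if decode
    user = pct_decode(user)
    pass = pct_decode(pass)
  end
  ["#{user}:#{pass}"].pack("m0") # "m0": Base64 without line breaks
end

# True when the userinfo contains percent-escapes, i.e. the two tokens differ.
def credentials_need_decoding?(proxy_url)
  proxy_basic_token(proxy_url, decode: true) !=
    proxy_basic_token(proxy_url, decode: false)
end

PROXY_URL = "http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000" # from the message
```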
iff means if and only if, but readers without that knowledge might
assume this to be a spelling mistake. To me, this seems like
exclusionary language that is unnecessary. Simply using "if and only if"
instead should suffice.
ffb87cad32
"requiring version.rb" strategy has some issues.
- cannot work when cross-compiling
- often introduces wrong namespace
- must know the superclasses
- costs at each runtime rather than at build-time
etc.
Currently, Net::HTTP can only send a single SSL certificate when it
establishes a connection. Some use-cases involve sending an entire
certificate chain to the destination; for this, SSLContext supports
assigning to #extra_chain_cert=.
This adds support in Net::HTTP for exposing this underlying SSLContext
property to end-users. [Feature #9758]
* Let Net::HTTP.get take request headers
* Add more test cases for no header usages
* Add examples with request headers
* Add a NEWS entry [ci skip]
[Feature #16686]
According to https://github.com/ruby/openssl/pull/60,
> Currently a user who wants to do the hostname verification needs to
> call SSLSocket#post_connection_check explicitly after the TLS connection
> is established.
If a user wants to skip the hostname verification,
SSLSocket#post_connection_check doesn't need to be called.
https://bugs.ruby-lang.org/issues/16555
to replace the address for TCP/IP connection [Feature #5180]
There're 3 layers of hostname:
* host address for TCP/IP
* TLS server name
* HTTP Host header value
To test DNS round robin or check server certificate from server local,
people sometimes want to connect to a server with a given IP address but keep
TLS server name and HTTP Host header value.
closes [Feature #15215]
closes https://github.com/ruby/ruby/pull/1893
closes https://github.com/ruby/ruby/pull/1977
An EPIPE when sending the request should be ignored. Even if you
cannot write more data, you may still be able to read the server's
response.
Fixes [Bug #14466]
So that classes which use Net::HTTP with https can use OpenSSL
namespace for example exception classes like OpenSSL::SSL::SSLError.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@66401 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* lib/net/http.rb: Documentation for Net::HTTP claims that
multipart/form-data is not supported, but Net::HTTPHeader#set_form
supports it since 1.9.3.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@65230 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
When TLS 1.3 is in use, the session ticket may not have been sent yet
even though a handshake has finished. Also, the ticket could change if
multiple session ticket messages are sent by the server. Use
SSLContext#session_new_cb instead of calling SSLSocket#session
immediately after a handshake. This way also works with earlier protocol
versions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64234 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Thanks to Paul Kuruvilla <rohitpaulk@gmail.com> for the patch
* lib/net/http.rb: fix documentation for HTTP connection reuse
[ruby-core:84815] [Bug #14349]
From: Paul Kuruvilla <rohitpaulk@gmail.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62113 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
If uplevel keyword is given, the warning message is prepended
with caller file and line information and the string "warning: ".
The use of the uplevel keyword makes Kernel#warn format output
similar to how rb_warn formats output.
This patch modifies net/ftp and net/imap to use Kernel#warn
instead of $stderr.puts or $stderr.printf, since they are used
for printing warnings.
This makes lib/cgi/core and tempfile use $stderr.puts instead of
warn for debug logging, since they are used for debug printing
and not for warning.
This does not modify bundler, rubygems, or rdoc, as those are
maintained outside of ruby and probably wish to remain backwards
compatible with older ruby versions.
rb_warn_m code is originally from nobu, but I've changed it
so that it only includes the path and lineno from uplevel
(not the method), and also prepends the string "warning: ",
to make it more similar to rb_warn.
From: Jeremy Evans code@jeremyevans.net
Signed-off-by: Urabe Shyouhei shyouhei@ruby-lang.org
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61155 b2dd03c8-39d4-4d8f-98ff-823fe69b080e