http.rb 0.18.2 → 0.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5cdc1621048e0c428eb0b0c2ae81ae534921007746d58b426cc1185e6a77557a
-  data.tar.gz: 80f9b3f58b9c410093e74243b6a23ac364a50c3579c47ddf51e3e77e9b80a769
+  metadata.gz: 114eef76572ba0ee1ef7efbb61fe704870a80c9bdc7d45cd5fca467de12658f6
+  data.tar.gz: bc249e876babf5aa7a4369272675e6194fc25f1816d474ef8080ad107fa1c60c
 SHA512:
-  metadata.gz: 63d22c4b9ed0a909a8a72dcf9cf00f44d0aad730f5e6bdd0aef6a70616bf27b12b81737ee71f5e5d368d46142355fe7046cafe633d5e6b3b744b4c19c8e42d16
-  data.tar.gz: f5bc846fae0969a4892926c1d739a549de54dc1a4765a4996bcbf56144c4d56bfedfb1044fd7399d3cfcfb7cfcd4ee4eca88c11c8c93433b665f1094d96ddd2f
+  metadata.gz: 516e828dced10204ba4b850904d7c195c027166b1dc0dcd575e09403ef5b26da936b925ab7fdfd4c0fb3c7a3e3cf8c44585a562ac647ffbf4451804b35aa9b9a
+  data.tar.gz: f3c7dc2350bd17d98abdfe9c2deb98b0923def00ea790fffbc8919280399cb5c3d5e65eaed530abb86850a54e2e790591a1c1e9f6a91a03ff2c90611c08d2760

data/CHANGELOG

@@ -1,5 +1,26 @@
 # CHANGELOG
 
+# 20260522
+# 0.19.0: Change default verify_mode to VERIFY_PEER.
+1. ~ HTTP.request: Default verify_mode changed from OpenSSL::SSL::VERIFY_NONE to OpenSSL::SSL::VERIFY_PEER. Callers needing the old behaviour can pass verify_mode: OpenSSL::SSL::VERIFY_NONE explicitly through the options hash.
+2. ~ spec/HTTP/get_spec.rb: + specs for default verify_mode and explicit VERIFY_NONE override; /verify_mode: 0/verify_mode: OpenSSL::SSL::VERIFY_PEER/ in redirect specs.
+3. ~ spec/HTTP/post_spec.rb: /verify_mode: 0/verify_mode: OpenSSL::SSL::VERIFY_PEER/ in redirect specs.
+4. ~ spec/HTTP/put_spec.rb: /verify_mode: 0/verify_mode: OpenSSL::SSL::VERIFY_PEER/ in redirect specs.
+5. ~ spec/HTTP/delete_spec.rb: /verify_mode: 0/verify_mode: OpenSSL::SSL::VERIFY_PEER/ in redirect specs.
+6. ~ README.md: Note the new verify_mode default and how to opt back into VERIFY_NONE.
+7. ~ HTTP::VERSION: /0.18.3/0.19.0/
+8. ~ CHANGELOG: + 0.19.0 entry
+
+# 20260521
+# 0.18.3: Fix verb preservation on 307/308 redirects.
+1. ~ HTTP.request: Use original verb when following 307 or 308 redirects, per RFC 7231 §6.4.7 and RFC 7538. 301/302/303 keep legacy GET-on-redirect behaviour.
+2. ~ spec/HTTP/post_spec.rb: + specs for 307/308 verb preservation and 307 body preservation.
+3. ~ spec/HTTP/put_spec.rb: + spec for 307 verb preservation.
+4. ~ spec/HTTP/delete_spec.rb: + spec for 307 verb preservation.
+5. ~ spec/spec_helper.rb: Skip webmock's http_rb adapter, which collides with this gem's HTTP module on case-insensitive filesystems.
+6. ~ HTTP::VERSION: /0.18.2/0.18.3/
+7. ~ CHANGELOG: + 0.18.3 entry
+
 # 20260520
 # 0.18.2: Fix relative redirect URL construction.
 1. ~ HTTP.request: Use URI#merge for redirect URL construction. Preserves original scheme, elides default ports, and resolves relative paths per RFC 3986.

data/README.md

@@ -241,6 +241,10 @@ verify_mode
     # SSL/TLS session.
     #
     # OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER are acceptable.
+    #
+    # Defaults to OpenSSL::SSL::VERIFY_PEER as of 0.19.0. To opt back into the
+    # previous behaviour, pass verify_mode: OpenSSL::SSL::VERIFY_NONE through
+    # the options hash.
 ```
 
 ## Contributing

data/lib/HTTP/VERSION.rb

@@ -2,5 +2,5 @@
 # HTTP::VERSION
 
 module HTTP
-  VERSION = '0.18.2'
+  VERSION = '0.19.0'
 end

data/lib/HTTP/request.rb

@@ -16,7 +16,7 @@ module HTTP
     http = Net::HTTP.new(uri.host, uri.port)
     no_redirect = options.delete(:no_redirect)
     options[:use_ssl] ||= uri.use_ssl?
-    options[:verify_mode] ||= OpenSSL::SSL::VERIFY_NONE
+    options[:verify_mode] ||= OpenSSL::SSL::VERIFY_PEER
     http.options = options
     request_object.headers = headers
     request_object.basic_auth(uri.user, uri.password) if uri.user
@@ -28,7 +28,13 @@ module HTTP
         return response
       end
       redirect_uri = uri.merge(response.header['location'])
-      response = get(redirect_uri.to_s, {}, {}, options, &block)
+      if response.code =~ /^30[78]$/
+        verb = request_object.method.downcase.to_sym
+        data = VERBS::WITH_BODY.include?(verb) ? request_object.body : {}
+        response = send(verb, redirect_uri.to_s, data, headers, options, &block)
+      else
+        response = get(redirect_uri.to_s, {}, {}, options, &block)
+      end
     end
     if block_given?
       yield response

data/spec/HTTP/delete_spec.rb

@@ -148,7 +148,7 @@ describe ".delete" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:delete).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.delete(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -163,7 +163,7 @@ describe ".delete" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:delete).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.delete(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -190,7 +190,7 @@ describe ".delete" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:delete).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.delete(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -205,13 +205,34 @@ describe ".delete" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:delete).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.delete(request_uri)
         expect(response.success?).to eq(true)
       end
     end
   end
 
+  context "with verb-preserving redirection via 307" do
+    let(:request_uri){'http://example.com/path'}
+    let(:redirect_uri){'http://redirected.com'}
+
+    before do
+      stub_request(:delete, request_uri).
+        with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(status: 307, body: '', headers: {'location' => redirect_uri})
+      stub_request(:delete, redirect_uri).
+        with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(status: 200, body: '', headers: {})
+    end
+
+    it "preserves the verb" do
+      expect(HTTP).to receive(:delete).with(request_uri).and_call_original.ordered
+      expect(HTTP).to receive(:delete).with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original.ordered
+      response = HTTP.delete(request_uri)
+      expect(response.success?).to eq(true)
+    end
+  end
+
   context "no_redirect true" do
     let(:request_uri){'http://example.com/path'}
     let(:redirect_uri){'http://redirected.com'}

data/spec/HTTP/get_spec.rb

@@ -115,6 +115,32 @@ describe ".get" do
     end
   end
 
+  context "with default verify_mode" do
+    let(:uri){'http://example.com/path'}
+    let(:parsed_uri){URI.parse(uri)}
+    let(:net_http_object){Net::HTTP.new(parsed_uri.host, parsed_uri.port)}
+
+    before do
+      stub_request(:get, uri).
+        with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(status: 200, body: '', headers: {})
+    end
+
+    it "defaults verify_mode to OpenSSL::SSL::VERIFY_PEER" do
+      allow(Net::HTTP).to receive(:new).with(parsed_uri.host, parsed_uri.port).and_return(net_http_object)
+      response = HTTP.get(uri)
+      expect(net_http_object.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
+      expect(response.success?).to eq(true)
+    end
+
+    it "allows opting back into VERIFY_NONE via options" do
+      allow(Net::HTTP).to receive(:new).with(parsed_uri.host, parsed_uri.port).and_return(net_http_object)
+      response = HTTP.get(uri, {}, {}, {verify_mode: OpenSSL::SSL::VERIFY_NONE})
+      expect(net_http_object.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
+      expect(response.success?).to eq(true)
+    end
+  end
+
   context "with block supplied" do
     let(:uri){'http://example.com/path'}
 
@@ -148,7 +174,7 @@ describe ".get" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:get).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.get(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -163,7 +189,7 @@ describe ".get" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:get).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.get(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -190,7 +216,7 @@ describe ".get" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:get).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.get(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -205,7 +231,7 @@ describe ".get" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:get).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.get(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -228,7 +254,7 @@ describe ".get" do
 
     it "preserves the HTTPS scheme on a relative redirect" do
       expect(HTTP).to receive(:get).once.with(request_uri).and_call_original
-      expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: true, verify_mode: 0}).and_call_original
+      expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
       response = HTTP.get(request_uri)
       expect(response.success?).to eq(true)
     end

data/spec/HTTP/post_spec.rb

@@ -286,7 +286,7 @@ describe ".post" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:post).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.post(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -301,7 +301,7 @@ describe ".post" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:post).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.post(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -328,7 +328,7 @@ describe ".post" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:post).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.post(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -343,13 +343,75 @@ describe ".post" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:post).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.post(request_uri)
         expect(response.success?).to eq(true)
       end
     end
   end
 
+  context "with verb-preserving redirection" do
+    let(:request_uri){'http://example.com/path'}
+    let(:redirect_uri){'http://redirected.com'}
+
+    before do
+      stub_request(:post, redirect_uri).
+        with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(status: 200, body: '', headers: {})
+    end
+
+    context "via 307" do
+      before do
+        stub_request(:post, request_uri).
+          with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+            to_return(status: 307, body: '', headers: {'location' => redirect_uri})
+      end
+
+      it "preserves the verb" do
+        expect(HTTP).to receive(:post).with(request_uri).and_call_original.ordered
+        expect(HTTP).to receive(:post).with(redirect_uri, '', {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original.ordered
+        response = HTTP.post(request_uri)
+        expect(response.success?).to eq(true)
+      end
+    end
+
+    context "via 308" do
+      before do
+        stub_request(:post, request_uri).
+          with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+            to_return(status: 308, body: '', headers: {'location' => redirect_uri})
+      end
+
+      it "preserves the verb" do
+        expect(HTTP).to receive(:post).with(request_uri).and_call_original.ordered
+        expect(HTTP).to receive(:post).with(redirect_uri, '', {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original.ordered
+        response = HTTP.post(request_uri)
+        expect(response.success?).to eq(true)
+      end
+    end
+  end
+
+  context "with body-preserving redirection via 307" do
+    let(:request_uri){'http://example.com/path'}
+    let(:redirect_uri){'http://redirected.com'}
+    let(:args) do; {a: 1, b: 2}; end
+    let(:encoded_form_data){args.x_www_form_urlencode}
+
+    before do
+      stub_request(:post, request_uri).
+        with(body: encoded_form_data).
+          to_return(status: 307, body: '', headers: {'location' => redirect_uri})
+      stub_request(:post, redirect_uri).
+        with(body: encoded_form_data).
+          to_return(status: 200, body: '', headers: {})
+    end
+
+    it "preserves the body" do
+      response = HTTP.post(request_uri, args)
+      expect(response.success?).to eq(true)
+    end
+  end
+
   context "no_redirect true" do
     let(:request_uri){'http://example.com/path'}
     let(:redirect_uri){'http://redirected.com'}

data/spec/HTTP/put_spec.rb

@@ -286,7 +286,7 @@ describe ".put" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:put).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.put(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -301,7 +301,7 @@ describe ".put" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:put).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.put(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -328,7 +328,7 @@ describe ".put" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:put).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.put(request_uri)
         expect(response.success?).to eq(true)
       end
@@ -343,13 +343,34 @@ describe ".put" do
 
       it "does a redirect" do
         expect(HTTP).to receive(:put).once.with(request_uri).and_call_original
-        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: 0}).and_call_original
+        expect(HTTP).to receive(:get).once.with(redirect_uri, {}, {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original
         response = HTTP.put(request_uri)
         expect(response.success?).to eq(true)
       end
     end
   end
 
+  context "with verb-preserving redirection via 307" do
+    let(:request_uri){'http://example.com/path'}
+    let(:redirect_uri){'http://redirected.com'}
+
+    before do
+      stub_request(:put, request_uri).
+        with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(status: 307, body: '', headers: {'location' => redirect_uri})
+      stub_request(:put, redirect_uri).
+        with(headers: {'Accept'=>'*/*', 'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent'=>'Ruby'}).
+          to_return(status: 200, body: '', headers: {})
+    end
+
+    it "preserves the verb" do
+      expect(HTTP).to receive(:put).with(request_uri).and_call_original.ordered
+      expect(HTTP).to receive(:put).with(redirect_uri, '', {}, {use_ssl: false, verify_mode: OpenSSL::SSL::VERIFY_PEER}).and_call_original.ordered
+      response = HTTP.put(request_uri)
+      expect(response.success?).to eq(true)
+    end
+  end
+
   context "no_redirect true" do
     let(:request_uri){'http://example.com/path'}
     let(:redirect_uri){'http://redirected.com'}

data/spec/spec_helper.rb

@@ -3,4 +3,13 @@
 lib_dir = File.expand_path(File.join(__FILE__, '..', '..', 'lib'))
 $LOAD_PATH.unshift(lib_dir) unless $LOAD_PATH.include?(lib_dir)
 
+# Skip webmock's http_rb adapter: it auto-requires 'http', which collides
+# with this gem's lib/HTTP.rb on case-insensitive filesystems and crashes
+# while trying to monkey-patch the wrong HTTP module.
+gem 'webmock'
+$LOADED_FEATURES << File.join(
+  Gem.loaded_specs['webmock'].full_gem_path,
+  'lib/webmock/http_lib_adapters/http_rb_adapter.rb'
+)
+
 require 'webmock/rspec'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: http.rb
 version: !ruby/object:Gem::Version
-  version: 0.18.2
+  version: 0.19.0
 platform: ruby
 authors:
 - thoran