重定向禁止/坏uri(脸谱)回形针图像
我正在尝试将用户的facebook url保存到我的数据库中,但是我收到以下错误。
redirection forbidden: http://graph.facebook.com/1240771104/picture -> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/t...
我已经引用了这个问题,但我认为他只是调用一个图像而不是将其保存到带有创建块的数据库中。
这是我的用户模型……
def self.find_for_facebook_oauth(auth, signed_in_resource=nil) user = User.where(:provider => auth.provider, :uid => auth.uid).first if user return user else registered_user = User.where(:email => auth.info.email).first if registered_user return registered_user else user = User.create( name:auth.extra.raw_info.name, provider:auth.provider, uid:auth.uid, email:auth.info.email, image:auth.info.image, password:Devise.friendly_token[0,20], ) end end end
我在’def.self_for_facebook’下面添加了一个URI帮助器,因为我认为我只需要将http发送到https。 所以我从另一个堆栈问题中收集到了。
private def process_uri(uri) require 'open-uri' require 'open_uri_redirections' open(uri, :allow_redirections => :safe) do |r| r.base_uri.to_s end end
我需要添加吗?
if auth.info.image.present? image_url = process_uri(auth.info.image) user.update_attribute(:image, URI.parse(avatar_url)) end
到创建块? 这个:
if auth.info.image.present? uri = URI.parse(auth.info.image) uri.scheme = 'https' user.update_attribute(:image, URI.parse(uri)) end user = User.create( name:auth.extra.raw_info.name, provider:auth.provider, uid:auth.uid, email:auth.info.email, password:Devise.friendly_token[0,20], ) end
抓住我……
bad URI(is not URI?): https://graph.facebook.com/1240771104/picture
但那是怎么回事。 链接让我看到了!! 哇男人! 我必须如此亲密。
在您的用户模型中
#user.rb def self.find_for_facebook_oauth(auth, signed_in_resource=nil) user = User.create( image:process_uri(auth.info.image)) end private def self.process_uri(uri) require 'open-uri' require 'open_uri_redirections' open(uri, :allow_redirections => :safe) do |r| r.base_uri.to_s end end
或者,如果您不想使用open uri redirections
gem,则将process_uri
方法更改为
def self.process_uri(uri) avatar_url = URI.parse(uri) avatar_url.scheme = 'https' avatar_url.to_s end
这似乎是由OpenURI.redirectable引起的? 方法。 它规定:
def OpenURI.redirectable?(uri1, uri2) # :nodoc: # This test is intended to forbid a redirection from http://... to # file:///etc/passwd, file:///dev/zero, etc. CVE-2011-1521 # https to http redirect is also forbidden intentionally. # It avoids sending secure cookie or referer by non-secure HTTP protocol. # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3) # However this is ad hoc. It should be extensible/configurable. uri1.scheme.downcase == uri2.scheme.downcase || (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
结束
评论意味着(但没有明确说明)http – > https重定向应该是可能的。
我通过创建一个猴子补丁并重写此方法解决了这个问题,将最后一行更新为:
(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp|https)\z/i =~ uri2.scheme)