问题
I'm trying to save a users facebook url into my db, but I get the following error.
redirection forbidden: http://graph.facebook.com/1240771104/picture -> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/t...
I've referenced this question but I think he is just calling an image instead of saving it to a db with a create block.
Here is my user model...
def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
user = User.where(:provider => auth.provider, :uid => auth.uid).first
if user
return user
else
registered_user = User.where(:email => auth.info.email).first
if registered_user
return registered_user
else
user = User.create(
name:auth.extra.raw_info.name,
provider:auth.provider,
uid:auth.uid,
email:auth.info.email,
image:auth.info.image,
password:Devise.friendly_token[0,20],
)
end
end
end
I've added a URI helper below the 'def.self_for_facebook' because I think I just need to get the http to https. So I gathered from the other stack question.
private
def process_uri(uri)
require 'open-uri'
require 'open_uri_redirections'
open(uri, :allow_redirections => :safe) do |r|
r.base_uri.to_s
end
end
Do I need to add
if auth.info.image.present?
image_url = process_uri(auth.info.image)
user.update_attribute(:image, URI.parse(avatar_url))
end
to the create block? This:
if auth.info.image.present?
uri = URI.parse(auth.info.image)
uri.scheme = 'https'
user.update_attribute(:image, URI.parse(uri))
end
user = User.create(
name:auth.extra.raw_info.name,
provider:auth.provider,
uid:auth.uid,
email:auth.info.email,
password:Devise.friendly_token[0,20],
)
end
gets me...
bad URI(is not URI?): https://graph.facebook.com/1240771104/picture
But what's up with that. The link gets me the picture!! Aww man! I must be so close.
回答1:
In your user model
#user.rb
def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
user = User.create( image:process_uri(auth.info.image))
end
private
def self.process_uri(uri)
require 'open-uri'
require 'open_uri_redirections'
open(uri, :allow_redirections => :safe) do |r|
r.base_uri.to_s
end
end
Or if you don't want to use open uri redirections gem then change process_uri method to
def self.process_uri(uri)
avatar_url = URI.parse(uri)
avatar_url.scheme = 'https'
avatar_url.to_s
end
回答2:
This seems to be caused by OpenURI.redirectable? method. It specifies:
def OpenURI.redirectable?(uri1, uri2) # :nodoc:
# This test is intended to forbid a redirection from http://... to
# file:///etc/passwd, file:///dev/zero, etc. CVE-2011-1521
# https to http redirect is also forbidden intentionally.
# It avoids sending secure cookie or referer by non-secure HTTP protocol.
# (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
# However this is ad hoc. It should be extensible/configurable.
uri1.scheme.downcase == uri2.scheme.downcase ||
(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
end
The commenting implies (but does not clearly state) that http --> https redirect should be possible.
I solved this issue by creating a monkey-patch and overriding this method, updating the last line to:
(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp|https)\z/i =~ uri2.scheme)
来源:https://stackoverflow.com/questions/23071386/redirection-forbidden-bad-uri-facebook-paperclip-image