I'm trying to save a user's Facebook URL to my database, but I get the following error:
redirection forbidden: http://graph.facebook.com/1240771104/picture -> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/t...
I referred to this question, but I think he is only calling the image rather than saving it to the database inside the create block.
Here is my user model...
def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
  user = User.where(:provider => auth.provider, :uid => auth.uid).first
  if user
    return user
  else
    registered_user = User.where(:email => auth.info.email).first
    if registered_user
      return registered_user
    else
      user = User.create(
        name: auth.extra.raw_info.name,
        provider: auth.provider,
        uid: auth.uid,
        email: auth.info.email,
        image: auth.info.image,
        password: Devise.friendly_token[0,20],
      )
    end
  end
end
I added a URI helper under `def self.find_for_facebook_oauth`, because I figured I just need to turn the http into https, which is what I gathered from another Stack Overflow question.
private
def process_uri(uri)
  require 'open-uri'
  require 'open_uri_redirections'
  open(uri, :allow_redirections => :safe) do |r|
    r.base_uri.to_s
  end
end
Do I need to add
if auth.info.image.present?
  image_url = process_uri(auth.info.image)
  user.update_attribute(:image, URI.parse(image_url))
end
to the create block? Or this:
if auth.info.image.present?
  uri = URI.parse(auth.info.image)
  uri.scheme = 'https'
  user.update_attribute(:image, URI.parse(uri))
end
user = User.create(
  name: auth.extra.raw_info.name,
  provider: auth.provider,
  uid: auth.uid,
  email: auth.info.email,
  password: Devise.friendly_token[0,20],
)
end
gives me...
bad URI(is not URI?): https://graph.facebook.com/1240771104/picture
But what is that? The link shows it to me!! Wow, man, I must be so close.
Answer 0 (score: 5)
In your user model:
# user.rb
def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
  user = User.create(image: process_uri(auth.info.image))
end

private
def self.process_uri(uri)
  require 'open-uri'
  require 'open_uri_redirections'
  open(uri, :allow_redirections => :safe) do |r|
    r.base_uri.to_s
  end
end
Alternatively, if you don't want to use the open_uri_redirections gem, change the process_uri method to:
def self.process_uri(uri)
  avatar_url = URI.parse(uri)
  avatar_url.scheme = 'https'
  avatar_url.to_s
end
Answer 1 (score: 0)
This seems to be caused by the OpenURI.redirectable? method, which is defined as:
def OpenURI.redirectable?(uri1, uri2) # :nodoc:
  # This test is intended to forbid a redirection from http://... to
  # file:///etc/passwd, file:///dev/zero, etc.  CVE-2011-1521
  # https to http redirect is also forbidden intentionally.
  # It avoids sending secure cookie or referer by non-secure HTTP protocol.
  # (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
  # However this is ad hoc.  It should be extensible/configurable.
  uri1.scheme.downcase == uri2.scheme.downcase ||
  (/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)
end
The comment implies (but does not explicitly state) that an http -> https redirect should be allowed.
I solved this by creating a monkey patch that overrides this method, changing the last line to:
(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp|https)\z/i =~ uri2.scheme)
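Both answers turn on the same two decisions: rewrite the Graph API's http URL as https before storing it (answer 0), and decide which redirects a fetch may follow (answer 1). The Ruby below is an added example, not code from the question or either answer. It keeps the shape of the stdlib redirectable? check quoted above but, as an assumption suited to fetching a profile picture, allows only http and https (no ftp), permits the http -> https upgrade, and still refuses https -> http and any hop to file://. The upgrade helper returns a String rather than a URI object, which is the difference between the question's second attempt and the error it produced: URI.parse needs a String, so feeding it a URI object raises "bad URI(is not URI?)". The sample URLs are constructed from the ones in the question, and nothing here touches the network.

```ruby
require 'uri'

# Only web URLs are acceptable as a profile-picture location. This is an
# assumption for the image-fetch use case, so ftp is deliberately excluded.
ALLOWED_SCHEMES = %w[http https].freeze

# Redirect policy in the shape of OpenURI.redirectable? quoted in answer 1:
# same scheme is fine, http -> https (the upgrade) is fine, https -> http
# (which could leak secure cookies over plaintext) and any hop to a
# non-web scheme such as file:// are refused. Unparseable input is refused too.
def safe_redirect?(from, to)
  from_scheme = URI.parse(from.to_s).scheme.to_s.downcase
  to_scheme = URI.parse(to.to_s).scheme.to_s.downcase
  return false unless ALLOWED_SCHEMES.include?(from_scheme) &&
                      ALLOWED_SCHEMES.include?(to_scheme)
  from_scheme == to_scheme || (from_scheme == 'http' && to_scheme == 'https')
rescue URI::InvalidURIError
  false
end

# Rewrite an http URL as https before storing it. Returns a String so the
# caller never passes a URI object back into URI.parse, which is what
# produced "bad URI(is not URI?)" in the question. Anything that is not a
# web URL is rejected instead of being stored.
def upgrade_to_https(url)
  uri = URI.parse(url.to_s)
  unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    raise URI::InvalidURIError, "not a web URL: #{url}"
  end
  uri.scheme = 'https'
  uri.to_s
end

# What the create block should store: nil when the provider sent no image,
# otherwise the https form of the URL. The blank check stands in for
# ActiveSupport's present?, which plain Ruby does not have.
def storable_image_url(image)
  return nil if image.nil? || image.to_s.strip.empty?
  upgrade_to_https(image)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input modelled on the URLs in the question.
  graph_url = 'http://graph.facebook.com/1240771104/picture'
  cdn_url = 'https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/example.jpg'
  puts storable_image_url(graph_url)
  puts safe_redirect?(graph_url, cdn_url)
  puts safe_redirect?(graph_url, 'file:///etc/passwd')
end
```

In the model, the create block would call storable_image_url(auth.info.image) and pass the result as the image attribute; if the app follows the redirect itself instead of storing the Graph URL, safe_redirect? is the check to run on each Location header before following it.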