Disable HTTPS for SWF asset downloads

Whoops, everything broke because the world is far ahead of us on security! Oh well.
2022-07-23 21:44:17 -07:00 · 2022-07-23 21:44:17 -07:00 · 9540e2122b
commit 9540e2122b
parent aa75e2496f
1 changed files with 10 additions and 1 deletions
--- a/app/models/swf_asset.rb
+++ b/app/models/swf_asset.rb
@ -261,9 +261,18 @@ class SwfAsset < ActiveRecord::Base

  before_create do
    uri = URI.parse url
+    # NOTE: Our old Ruby can't do the HTTPS the images.neopets.com server
+    #       wants. We turn it off instead! Sigh. Should be fine since we
+    #       don't anticipate like, an MITM attack against our VPS.
+    #
+    #       Also, we re-parse after setting the scheme, to change the
+    #       class to URI:HTTP. This especially matters for URIs that
+    #       were given to us as "//images.neopets.com", because they
+    #       don't have a `request_uri` method.
+    uri.scheme = 'http'
+    uri = URI.parse(uri.to_s)
    begin
      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = (uri.scheme == 'https')
      response = http.get(uri.request_uri)
    rescue Exception => e
      raise DownloadError, e.message