dice/impress
1
0
Fork 0
forked from OpenNeo/impress
Code Pull requests Activity

Disable HTTPS for SWF asset downloads

Browse source 
Whoops, everything broke because the world is far ahead of us on security! Oh well.
This commit is contained in:
Emi Matchu 2022-07-23 21:44:17 -07:00 committed by GitHub
parent aa75e2496f
commit 9540e2122b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
app/models/swf_asset.rb
View file

@ -261,9 +261,18 @@ class SwfAsset < ActiveRecord::Base
before_create do before_create do
uri = URI.parse url uri = URI.parse url
# NOTE: Our old Ruby can't do the HTTPS the images.neopets.com server
# wants. We turn it off instead! Sigh. Should be fine since we
# don't anticipate like, an MITM attack against our VPS.
#
# Also, we re-parse after setting the scheme, to change the
# class to URI:HTTP. This especially matters for URIs that
# were given to us as "//images.neopets.com", because they
# don't have a `request_uri` method.
uri.scheme = 'http'
uri = URI.parse(uri.to_s)
begin begin
http = Net::HTTP.new(uri.host, uri.port) http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = (uri.scheme == 'https')
response = http.get(uri.request_uri) response = http.get(uri.request_uri)
rescue Exception => e rescue Exception => e
raise DownloadError, e.message raise DownloadError, e.message