Problem with redirects after POST

[freegenie]

There's an issue with redirect that happen due to either require_ssl or refuse_ssl when the request is coming is not a GET one.
All params are given to redirect_to, this results in all fields being put in querystring on the destination page. This is obviously a security issue and needs to be fixed. A form should not know in advance if the destination resource accepts or refuses SSL.

[freegenie]

@vjt This fixed the problem, please have a look and let me know what you think about it.

4f90d12

It required me to setup a separate rails app to test it in production env.

[vjt]

Good catch.

But, I think we should simply raise an exception, as the resulting redirected request is useless having diffrerent request method and parameters than the original one.

I'm proposing an exception instead of an head(:forbidden) so that the application gets means to handle this situation using rescue_from().

Maybe SSLHelper::SSLRequired is a good name?

~Marcello (via iPhone)

~ marcello.barnaba@gmail.com
~ http://sindro.me/
~ http://www.linkedin.com/in/marcellobarnaba

On Jan 14, 2012, at 9:31 PM, Fabrizio Regini reply@reply.github.com wrote:

@vjt This fixed the problem, please have a look and let me know what you think about it.

4f90d12

It required me to setup a separate rails app to test it in production env.

---

Reply to this email directly or view it on GitHub:
#4 (comment)

[freegenie]

Raising SSLHelper::SSLRequired and SSLHelper::SSLRefused exceptions for non GET requests sounds good to me. I think letting the plugin transparently redirect to ssl/non-ssl URs on GET requests (with logged warnings) is safe and leaves room to interesting usage scenarios.

On 14/gen/2012, at 23.47, Marcello Barnaba wrote:

Good catch.

But, I think we should simply raise an exception, as the resulting redirected request is useless having diffrerent request method and parameters than the original one.

I'm proposing an exception instead of an head(:forbidden) so that the application gets means to handle this situation using rescue_from().

Maybe SSLHelper::SSLRequired is a good name?

~Marcello (via iPhone)

~ marcello.barnaba@gmail.com
~ http://sindro.me/
~ http://www.linkedin.com/in/marcellobarnaba

On Jan 14, 2012, at 9:31 PM, Fabrizio Regini reply@reply.github.com wrote:

@vjt This fixed the problem, please have a look and let me know what you think about it.

4f90d12

It required me to setup a separate rails app to test it in production env.

---

Reply to this email directly or view it on GitHub:
#4 (comment)

---

Reply to this email directly or view it on GitHub:
#4 (comment)

[vjt]

👏

[freegenie]

this should do the job c3929fe