redirection forbidden / bad uri (facebook) paperclip image

Question

I'm trying to save a users facebook url into my db, but I get the following error.

redirection forbidden: http://graph.facebook.com/1240771104/picture -> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/t...

I've referenced this question but I think he is just calling an image instead of saving it to a db with a create block.

Here is my user model...

def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
    user = User.where(:provider => auth.provider, :uid => auth.uid).first
    if user
      return user
    else
      registered_user = User.where(:email => auth.info.email).first
      if registered_user
        return registered_user
      else
        user = User.create( 
                            name:auth.extra.raw_info.name,
                            provider:auth.provider,
                            uid:auth.uid,
                            email:auth.info.email,
                            image:auth.info.image,
                            password:Devise.friendly_token[0,20],
                          )
      end    
    end
end

I've added a URI helper below the 'def.self_for_facebook' because I think I just need to get the http to https. So I gathered from the other stack question.

private

def process_uri(uri)
  require 'open-uri'
  require 'open_uri_redirections'
  open(uri, :allow_redirections => :safe) do |r|
  r.base_uri.to_s
  end
end

Do I need to add

if auth.info.image.present?
  image_url = process_uri(auth.info.image)
  user.update_attribute(:image, URI.parse(avatar_url))
end

to the create block? This:

        if auth.info.image.present?
            uri = URI.parse(auth.info.image)
            uri.scheme = 'https'
            user.update_attribute(:image, URI.parse(uri))
        end

        user = User.create( 
                            name:auth.extra.raw_info.name,
                            provider:auth.provider,
                            uid:auth.uid,
                            email:auth.info.email,
                            password:Devise.friendly_token[0,20],
                          )

      end    

gets me...

bad URI(is not URI?): https://graph.facebook.com/1240771104/picture

But what's up with that. The link gets me the picture!! Aww man! I must be so close.

Answer 1

In your user model

#user.rb
def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
    user = User.create( image:process_uri(auth.info.image))
end

private

def self.process_uri(uri)
  require 'open-uri'
  require 'open_uri_redirections'
  open(uri, :allow_redirections => :safe) do |r|
    r.base_uri.to_s
  end
end

Or if you don't want to use open uri redirections gem then change process_uri method to

def self.process_uri(uri)
   avatar_url = URI.parse(uri)
   avatar_url.scheme = 'https'
   avatar_url.to_s
end

Answer 2

This seems to be caused by OpenURI.redirectable? method. It specifies:

def OpenURI.redirectable?(uri1, uri2) # :nodoc:
# This test is intended to forbid a redirection from http://... to
# file:///etc/passwd, file:///dev/zero, etc.  CVE-2011-1521
# https to http redirect is also forbidden intentionally.
# It avoids sending secure cookie or referer by non-secure HTTP protocol.
# (RFC 2109 4.3.1, RFC 2965 3.3, RFC 2616 15.1.3)
# However this is ad hoc.  It should be extensible/configurable.
uri1.scheme.downcase == uri2.scheme.downcase ||
(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp)\z/i =~ uri2.scheme)

end

The commenting implies (but does not clearly state) that http --> https redirect should be possible.

I solved this issue by creating a monkey-patch and overriding this method, updating the last line to:

(/\A(?:http|ftp)\z/i =~ uri1.scheme && /\A(?:http|ftp|https)\z/i =~ uri2.scheme)