diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
index 4ab2c9f1..ccb0b8a9 100644
--- a/lib/oauth/consumer.rb
+++ b/lib/oauth/consumer.rb
@@ -242,16 +242,18 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
 end
 end
 when (300..399)
- # this is a redirect
- uri = URI.parse(response["location"])
+ # Parse redirect to follow
+ uri = URI.parse(response['location'])
 our_uri = URI.parse(site)
+ # Guard against infinite redirects
+ response.error! if uri.path == path && our_uri.host == uri.host
+
 if uri.path == path && our_uri.host != uri.host
 options[:site] = "#{uri.scheme}://#{uri.host}"
 @http = create_http
 end
- response.error! if uri.path == path && our_uri.host == uri.host # careful of those infinite redirects
 self.token_request(http_method, uri.path, token, request_options, arguments)
 when (400..499)
 raise OAuth::Unauthorized, response
diff --git a/test/units/test_consumer.rb b/test/units/test_consumer.rb
index 869d0289..43eecf7d 100644
--- a/test/units/test_consumer.rb
+++ b/test/units/test_consumer.rb
@@ -263,6 +263,22 @@ def test_follow_redirect_different_host_same_path
 assert_equal "secret", hash[:oauth_token_secret]
 end
+ def test_not_following_redirect_with_same_uri
+ request_uri = URI.parse("http://example.com/request_token")
+ redirect_uri = request_uri.clone
+
+ stub_request(:get, request_uri.to_s).to_return(
+ :status => 301,
+ :headers => {'Location' => redirect_uri.to_s}
+ )
+
+ assert_raises Net::HTTPRetriableError do
+ @consumer.token_request(:get, request_uri.path) {
+ { :oauth_token => 'token', :oauth_token_secret => 'secret' }
+ }
+ end
+ end
+
 def test_that_can_provide_a_block_to_interpret_a_request_token_response
 @consumer.expects(:request).returns(create_stub_http_response)
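Review bot: The guard now at the top of the `when (300..399)` branch compares only `uri.path` and `uri.host`, so it stops the one-hop self-redirect but misses a relative `Location` and any loop across two paths. With a relative `Location`, `uri.host` is nil, so the same path falls through to the cross-host branch and sets `options[:site]` to `"://"`. A loop across two paths still recurses through `token_request` without a bound. Resolving the header against the configured site first, for example `uri = URI.join(site, response['location'])`, and carrying a hop limit through the recursive call would cover both cases. Separately, the unchanged cross-host branch takes scheme and host from a server-supplied header and rewrites `options[:site]`, so a redirect to plain http or to an unexpected host would presumably receive the signed token request; the body of `token_request` starts and ends outside the hunk, so any check elsewhere is not visible here.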
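Review bot: `test_not_following_redirect_with_same_uri` pins only the absolute, byte-identical `Location` case, so the guard's limits are untested. A second stub returning `'Location' => request_uri.path` and one bouncing between two paths would show whether those inputs raise or recurse. The assertion on `Net::HTTPRetriableError` also ties the consumer's behaviour to an exception class owned by Net::HTTP; a short comment such as `# response.error! raises Net::HTTPRetriableError for 3xx responses` would explain why that type is expected.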