#432: CL:OPEN on URL-PATHNAME does not redirect across different schemes
------------------------------+--------------------------
       Reporter:  aruttenberg |       Owner:  mevenson
           Type:  defect      |      Status:  accepted
       Priority:  blocker     |   Milestone:  1.5.0
      Component:  streams     |     Version:  1.5.0-dev
     Resolution:              |    Keywords:  has-test uri
 Parent Tickets:              |
------------------------------+--------------------------
Comment (by mevenson):
Replying to [comment:11 aruttenberg]:
> BTW, I don't buy that I should have to use truename every time I use a
> URI to get appropriate behavior with a URI. I don't have to do that
> every time I use a file name.
I haven't suggested that one needs to use {{{CL:TRUENAME}}} every time one uses a {{{EXT:PATHNAME-URL}}}, merely that it provides some clue to the user about the need to follow redirects to access the representation.
> While I think your concerns about security are well-motivated, I think
> they are out of place here. Common lisp was not engineered for security,
> and bits and pieces here and there being secure won't change that. If
> there's a need for a more secure use of common lisp that needs to be
> implemented by some package, with a new set of APIs and documentation
> explaining what the "secure" package brings to the table.
In creating the possibility to load resources from the network via {{{EXT::PATHNAME-URL}}} references, it is incumbent to follow a "principle of least surprise" to the user of these new abstractions, irrespective of the security concerns of Common Lisp, the language (which probably "don't exist" in the first place). As such, to have a request for a resource via the 'https' schema get redirected through a 'http' connection while leaking information certainly would cause surprise to the user, and should be avoided if possible.
--
Ticket URL: http://abcl.org/trac/ticket/432#comment:12
armedbear http://abcl.org
armedbear
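
The redirect policy discussed in this comment, sketched as an added example in Python; it is not ABCL code and not part of the ticket. It assumes that http -> https upgrades may be followed while https -> http downgrades are refused; `check_redirect`, `resolve`, `MAX_HOPS` and the sample URLs are hypothetical names and constructed data.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed limit, not taken from the ticket

class RedirectRefused(Exception):
    """Raised when following a redirect would violate the policy."""

def check_redirect(current_url, location):
    """Return the absolute redirect target, or raise RedirectRefused.

    Same-scheme and http -> https hops are allowed; https -> http
    (a downgrade) and non-HTTP schemes are refused.
    """
    target = urljoin(current_url, location)  # Location may be relative
    src = urlsplit(current_url).scheme
    dst = urlsplit(target).scheme
    if dst not in ("http", "https"):
        raise RedirectRefused(f"unsupported scheme in redirect: {dst!r}")
    if src == "https" and dst == "http":
        raise RedirectRefused(f"refusing https -> http downgrade to {target}")
    return target

def resolve(url, fetch):
    """Follow redirects starting at `url`; return (final_url, chain).

    `fetch(url)` is a hypothetical callable returning (status, location).
    """
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, chain
        url = check_redirect(url, location)
        if url in chain:
            raise RedirectRefused(f"redirect loop at {url}")
        chain.append(url)
    raise RedirectRefused(f"more than {MAX_HOPS} redirects")

# Constructed responses standing in for a server; not real hosts' behaviour.
SAMPLE = {
    "http://example.org/doc": (301, "https://example.org/doc"),
    "https://example.org/doc": (302, "/doc.ttl"),
    "https://example.org/doc.ttl": (200, None),
    "https://example.org/old": (302, "http://mirror.example.net/old"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, None))
```

The returned chain lets a caller see, much as a truename would, which representation was actually reached after redirects.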