ruby-oauth · pboling · Oct 31, 2021 · Apr 25, 2021 · Apr 26, 2021 · Oct 31, 2021
diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
@@ -242,16 +242,18 @@ def token_request(http_method, path, token = nil, request_options = {}, *argumen
           end
         end
       when (300..399)
-        # this is a redirect
+        # Parse redirect to follow
         uri = URI.parse(response["location"])
         our_uri = URI.parse(site)
 
+        # Guard against infinite redirects
+        response.error! if uri.path == path && our_uri.host == uri.host
+
         if uri.path == path && our_uri.host != uri.host
             options[:site] = "#{uri.scheme}://#{uri.host}"
             @http = create_http
         end
 
-        response.error! if uri.path == path && our_uri.host == uri.host # careful of those infinite redirects
         self.token_request(http_method, uri.path, token, request_options, arguments)
       when (400..499)
         raise OAuth::Unauthorized, response

diff --git a/test/units/test_consumer.rb b/test/units/test_consumer.rb
@@ -263,6 +263,22 @@ def test_follow_redirect_different_host_same_path
     assert_equal "secret", hash[:oauth_token_secret]
   end
 
+  def test_not_following_redirect_with_same_uri
+    request_uri = URI.parse("http://example.com/request_token")
+    redirect_uri = request_uri.clone
+
+    stub_request(:get, request_uri.to_s).to_return(
+      :status => 301,
+      :headers => {"Location" => redirect_uri.to_s}
+    )
+
+    assert_raises Net::HTTPRetriableError do
+      @consumer.token_request(:get, request_uri.path) do
+        { :oauth_token => "token", :oauth_token_secret => "secret" }
+      end
+    end
+  end
+
   def test_that_can_provide_a_block_to_interpret_a_request_token_response
     @consumer.expects(:request).returns(create_stub_http_response)