validate SSL certs by default (#692)

Required for integrations (GitHub, Twitter, etc.) but deliberately
disabled when fetching titles.

app/models/story.rb

@@ -915,6 +915,9 @@ class Story < ApplicationRecord
       begin
         s = Sponge.new
         s.timeout = 3
+        # User submitted URLs may have an incorrect https certificate, but we
+        # don't want to fail the retrieval for this. Security risk is minimal.
+        s.ssl_verify = false
         user_agent = { "User-agent" => "#{Rails.application.domain} for #{fetching_ip}" }
         @fetched_content = s.fetch(url, :get, nil, nil, user_agent, 3).body.force_encoding('utf-8')
       rescue

extras/sponge.rb

@@ -40,7 +40,7 @@ class Sponge
   MAX_TIME = 60
   MAX_DNS_TIME = 5
 
-  attr_accessor :debug, :last_res, :timeout
+  attr_accessor :debug, :last_res, :timeout, :ssl_verify
 
   # rfc3330
   BAD_NETS = [
@@ -60,12 +60,14 @@ class Sponge
   # old api
   def self.fetch(url, headers = {}, limit = 10)
     s = Sponge.new
+    s.ssl_verify = false # backward compatibility
     s.fetch(url, "get", nil, nil, headers, limit)
   end
 
   def initialize
     @cookies = {}
     @timeout = MAX_TIME
+    @ssl_verify = OpenSSL::SSL::VERIFY_PEER
   end
 
   def set_cookie(host, name, val)
@@ -156,7 +158,7 @@ class Sponge
       host.use_ssl = true
       host.address = uri.host
       host.custom_conn_address = ip.to_s
-      host.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      host.verify_mode = self.ssl_verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
     end
 
     send_headers = headers.dup

script/send_new_webmentions

@@ -58,6 +58,9 @@ end
 def send_webmention(source, target, endpoint)
   sp = Sponge.new
   sp.timeout = 10
+  # Don't check SSL certificate here for backward compatibility, security risk
+  # is minimal.
+  sp.ssl_verify = false
   sp.fetch(endpoint.to_s, :post, {
     "source" => URI.encode_www_form_component(source),
     "target" => URI.encode_www_form_component(target),