From: straight-shoota <noreply@...>
Date: 2022-11-28T23:46:13+00:00
Subject: [ruby-core:111040] [Ruby master Bug#19157] URI bad component validation can be tricked

Issue #19157 has been reported by straight-shoota (Johannes M�ller).



----------------------------------------

Bug #19157: URI bad component validation can be tricked

https://bugs.ruby-lang.org/issues/19157



* Author: straight-shoota (Johannes M�ller)

* Status: Open

* Priority: Normal

* ruby -v: 3.1.3

* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN

----------------------------------------

`URI::HTTP` checks the validity of the URI components. For example, the path of a URI with authority component must be either empty or start with a slash.



This validation applies on the `.build` constructor as well as on the `path` setter.

But it can be tricked when setting an empty authority component and scheme before setting a relative path, and then setting the authority and scheme again.

This produces an invalid and incorrect URI.



``` ruby

require "uri"



uri = URI::HTTP.build({})

uri.scheme = nil

uri.path = "resource"

uri.host = "example.com" # this should raise URI::InvalidComponentError

uri.scheme = "http"

uri.to_s # => "http://example.comresource"

```









-- 

https://bugs.ruby-lang.org/

 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/