Issue #19157 has been reported by straight-shoota (Johannes Müller).
----------------------------------------
Bug #19157: URI bad component validation can be tricked
https://bugs.ruby-lang.org/issues/19157
* Author: straight-shoota (Johannes Müller)
* Status: Open
* Priority: Normal
* ruby -v: 3.1.3
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN
----------------------------------------
`URI::HTTP` checks the validity of the URI components. For example, the path of a URI with
authority component must be either empty or start with a slash.
This validation applies on the `.build` constructor as well as on the `path` setter.
But it can be tricked when setting an empty authority component and scheme before setting
a relative path, and then setting the authority and scheme again.
This produces an invalid and incorrect URI.
``` ruby
require "uri"
uri = URI::HTTP.build({})
uri.scheme = nil
uri.path = "resource"
uri.host = "example.com" # this should raise URI::InvalidComponentError
uri.scheme = "http"
uri.to_s # => "http://example.comresource"
```
--
https://bugs.ruby-lang.org/