Issue #19157 has been reported by straight-shoota (Johannes Müller). ---------------------------------------- Bug #19157: URI bad component validation can be tricked https://bugs.ruby-lang.org/issues/19157 * Author: straight-shoota (Johannes Müller) * Status: Open * Priority: Normal * ruby -v: 3.1.3 * Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN ---------------------------------------- `URI::HTTP` checks the validity of the URI components. For example, the path of a URI with authority component must be either empty or start with a slash. This validation applies on the `.build` constructor as well as on the `path` setter. But it can be tricked when setting an empty authority component and scheme before setting a relative path, and then setting the authority and scheme again. This produces an invalid and incorrect URI. ``` ruby require "uri" uri = URI::HTTP.build({}) uri.scheme = nil uri.path = "resource" uri.host = "example.com" # this should raise URI::InvalidComponentError uri.scheme = "http" uri.to_s # => "http://example.comresource" ``` -- https://bugs.ruby-lang.org/