Work around parse_url() bug (bis)

nicolas-grekas · nicolas-grekas · commit c83c46a2ab06 · 2024-11-13T15:36:38.000+01:00
diff --git a/CurlHttpClient.php b/CurlHttpClient.php
@@ -421,8 +421,9 @@ private static function createRedirectResolver(array $options, string $host): \C
             }
         }
 
-        return static function ($ch, string $location, bool $noContent) use (&$redirectHeaders, $options) {
+        return static function ($ch, string $location, bool $noContent, bool &$locationHasHost) use (&$redirectHeaders, $options) {
             try {
+                $locationHasHost = false;
                 $location = self::parseUrl($location);
             } catch (InvalidArgumentException $e) {
                 return null;
@@ -436,8 +437,10 @@ private static function createRedirectResolver(array $options, string $host): \C
                 $redirectHeaders['with_auth'] = array_filter($redirectHeaders['with_auth'], $filterContentHeaders);
             }
 
-            if ($redirectHeaders && $host = parse_url('http:'.$location['authority'], \PHP_URL_HOST)) {
-                $requestHeaders = $redirectHeaders['host'] === $host ? $redirectHeaders['with_auth'] : $redirectHeaders['no_auth'];
+            $locationHasHost = isset($location['authority']);
+
+            if ($redirectHeaders && $locationHasHost) {
+                $requestHeaders = parse_url($location['authority'], \PHP_URL_HOST) === $redirectHeaders['host'] ? $redirectHeaders['with_auth'] : $redirectHeaders['no_auth'];
                 curl_setopt($ch, \CURLOPT_HTTPHEADER, $requestHeaders);
             } elseif ($noContent && $redirectHeaders) {
                 curl_setopt($ch, \CURLOPT_HTTPHEADER, $redirectHeaders['with_auth']);
diff --git a/HttpClientTrait.php b/HttpClientTrait.php
@@ -514,29 +514,37 @@ private static function resolveUrl(array $url, ?array $base, array $queryDefault
      */
     private static function parseUrl(string $url, array $query = [], array $allowedSchemes = ['http' => 80, 'https' => 443]): array
     {
-        if (false === $parts = parse_url($url)) {
-            if ('/' !== ($url[0] ?? '') || false === $parts = parse_url($url.'#')) {
-                throw new InvalidArgumentException(sprintf('Malformed URL "%s".', $url));
-            }
-            unset($parts['fragment']);
+        $tail = '';
+
+        if (false === $parts = parse_url(\strlen($url) !== strcspn($url, '?#') ? $url : $url.$tail = '#')) {
+            throw new InvalidArgumentException(sprintf('Malformed URL "%s".', $url));
         }
 
         if ($query) {
             $parts['query'] = self::mergeQueryString($parts['query'] ?? null, $query, true);
         }
 
+        $scheme = $parts['scheme'] ?? null;
+        $host = $parts['host'] ?? null;
+
+        if (!$scheme && $host && !str_starts_with($url, '//')) {
+            $parts = parse_url(':/'.$url.$tail);
+            $parts['path'] = substr($parts['path'], 2);
+            $scheme = $host = null;
+        }
+
         $port = $parts['port'] ?? 0;
 
-        if (null !== $scheme = $parts['scheme'] ?? null) {
+        if (null !== $scheme) {
             if (!isset($allowedSchemes[$scheme = strtolower($scheme)])) {
-                throw new InvalidArgumentException(sprintf('Unsupported scheme in "%s".', $url));
+                throw new InvalidArgumentException(sprintf('Unsupported scheme in "%s": "%s" expected.', $url, implode('" or "', array_keys($allowedSchemes))));
             }
 
             $port = $allowedSchemes[$scheme] === $port ? 0 : $port;
             $scheme .= ':';
         }
 
-        if (null !== $host = $parts['host'] ?? null) {
+        if (null !== $host) {
             if (!\defined('INTL_IDNA_VARIANT_UTS46') && preg_match('/[\x80-\xFF]/', $host)) {
                 throw new InvalidArgumentException(sprintf('Unsupported IDN "%s", try enabling the "intl" PHP extension or running "composer require symfony/polyfill-intl-idn".', $host));
             }
@@ -564,7 +572,7 @@ private static function parseUrl(string $url, array $query = [], array $allowedS
             'authority' => null !== $host ? '//'.(isset($parts['user']) ? $parts['user'].(isset($parts['pass']) ? ':'.$parts['pass'] : '').'@' : '').$host : null,
             'path' => isset($parts['path'][0]) ? $parts['path'] : null,
             'query' => isset($parts['query']) ? '?'.$parts['query'] : null,
-            'fragment' => isset($parts['fragment']) ? '#'.$parts['fragment'] : null,
+            'fragment' => isset($parts['fragment']) && !$tail ? '#'.$parts['fragment'] : null,
         ];
     }
 
diff --git a/NativeHttpClient.php b/NativeHttpClient.php
@@ -389,6 +389,7 @@ private static function createRedirectResolver(array $options, string $host, ?ar
                 return null;
             }
 
+            $locationHasHost = isset($url['authority']);
             $url = self::resolveUrl($url, $info['url']);
             $info['redirect_url'] = implode('', $url);
 
@@ -424,7 +425,7 @@ private static function createRedirectResolver(array $options, string $host, ?ar
 
             [$host, $port] = self::parseHostPort($url, $info);
 
-            if (false !== (parse_url($location.'#', \PHP_URL_HOST) ?? false)) {
+            if ($locationHasHost) {
                 // Authorization and Cookie headers MUST NOT follow except for the initial host name
                 $requestHeaders = $redirectHeaders['host'] === $host ? $redirectHeaders['with_auth'] : $redirectHeaders['no_auth'];
                 $requestHeaders[] = 'Host: '.$host.$port;
diff --git a/Response/CurlResponse.php b/Response/CurlResponse.php
@@ -436,17 +436,18 @@ private static function parseHeaderLine($ch, string $data, array &$info, array &
                 $info['http_method'] = 'HEAD' === $info['http_method'] ? 'HEAD' : 'GET';
                 curl_setopt($ch, \CURLOPT_CUSTOMREQUEST, $info['http_method']);
             }
+            $locationHasHost = false;
 
-            if (null === $info['redirect_url'] = $resolveRedirect($ch, $location, $noContent)) {
+            if (null === $info['redirect_url'] = $resolveRedirect($ch, $location, $noContent, $locationHasHost)) {
                 $options['max_redirects'] = curl_getinfo($ch, \CURLINFO_REDIRECT_COUNT);
                 curl_setopt($ch, \CURLOPT_FOLLOWLOCATION, false);
                 curl_setopt($ch, \CURLOPT_MAXREDIRS, $options['max_redirects']);
-            } else {
-                $url = parse_url($location ?? ':');
+            } elseif ($locationHasHost) {
+                $url = parse_url($info['redirect_url']);
 
-                if (isset($url['host']) && null !== $ip = $multi->dnsCache->hostnames[$url['host'] = strtolower($url['host'])] ?? null) {
+                if (null !== $ip = $multi->dnsCache->hostnames[$url['host'] = strtolower($url['host'])] ?? null) {
                     // Populate DNS cache for redirects if needed
-                    $port = $url['port'] ?? ('http' === ($url['scheme'] ?? parse_url(curl_getinfo($ch, \CURLINFO_EFFECTIVE_URL), \PHP_URL_SCHEME)) ? 80 : 443);
+                    $port = $url['port'] ?? ('http' === $url['scheme'] ? 80 : 443);
                     curl_setopt($ch, \CURLOPT_RESOLVE, ["{$url['host']}:$port:$ip"]);
                     $multi->dnsCache->removals["-{$url['host']}:$port"] = "-{$url['host']}:$port";
                 }
diff --git a/Tests/HttpClientTestCase.php b/Tests/HttpClientTestCase.php
@@ -489,4 +489,13 @@ public function testNoPrivateNetworkWithResolve()
 
         $client->request('GET', 'http://symfony.com', ['resolve' => ['symfony.com' => '127.0.0.1']]);
     }
+
+    public function testNoRedirectWithInvalidLocation()
+    {
+        $client = $this->getHttpClient(__FUNCTION__);
+
+        $response = $client->request('GET', 'http://localhost:8057/302-no-scheme');
+
+        $this->assertSame(302, $response->getStatusCode());
+    }
 }
diff --git a/Tests/HttpClientTraitTest.php b/Tests/HttpClientTraitTest.php
@@ -102,6 +102,7 @@ public static function provideResolveUrl(): array
             [self::RFC3986_BASE, 'g/../h',        'http://a/b/c/h'],
             [self::RFC3986_BASE, 'g;x=1/./y',     'http://a/b/c/g;x=1/y'],
             [self::RFC3986_BASE, 'g;x=1/../y',    'http://a/b/c/y'],
+            [self::RFC3986_BASE, 'g/h:123/i',     'http://a/b/c/g/h:123/i'],
             // dot-segments in the query or fragment
             [self::RFC3986_BASE, 'g?y/./x',       'http://a/b/c/g?y/./x'],
             [self::RFC3986_BASE, 'g?y/../x',      'http://a/b/c/g?y/../x'],
@@ -127,14 +128,14 @@ public static function provideResolveUrl(): array
     public function testResolveUrlWithoutScheme()
     {
         $this->expectException(InvalidArgumentException::class);
-        $this->expectExceptionMessage('Invalid URL: scheme is missing in "//localhost:8080". Did you forget to add "http(s)://"?');
+        $this->expectExceptionMessage('Unsupported scheme in "localhost:8080": "http" or "https" expected.');
         self::resolveUrl(self::parseUrl('localhost:8080'), null);
     }
 
-    public function testResolveBaseUrlWitoutScheme()
+    public function testResolveBaseUrlWithoutScheme()
     {
         $this->expectException(InvalidArgumentException::class);
-        $this->expectExceptionMessage('Invalid URL: scheme is missing in "//localhost:8081". Did you forget to add "http(s)://"?');
+        $this->expectExceptionMessage('Unsupported scheme in "localhost:8081": "http" or "https" expected.');
         self::resolveUrl(self::parseUrl('/foo'), self::parseUrl('localhost:8081'));
     }
 
diff --git a/composer.json b/composer.json
@@ -25,7 +25,7 @@
         "php": ">=7.2.5",
         "psr/log": "^1|^2|^3",
         "symfony/deprecation-contracts": "^2.1|^3",
-        "symfony/http-client-contracts": "^2.5.3",
+        "symfony/http-client-contracts": "^2.5.4",
         "symfony/polyfill-php73": "^1.11",
         "symfony/polyfill-php80": "^1.16",
         "symfony/service-contracts": "^1.0|^2|^3"

Original file line number	Diff line number	Diff line change
`@@ -489,4 +489,13 @@ public function testNoPrivateNetworkWithResolve()`
`489`	`489`
`490`	`490`	`$client->request('GET', 'http://symfony.com', ['resolve' => ['symfony.com' => '127.0.0.1']]);`
`491`	`491`	`}`
	`492`	`+`
	`493`	`+ public function testNoRedirectWithInvalidLocation()`
	`494`	`+ {`
	`495`	`+ $client = $this->getHttpClient(__FUNCTION__);`
	`496`	`+`
	`497`	`+ $response = $client->request('GET', 'http://localhost:8057/302-no-scheme');`
	`498`	`+`
	`499`	`+ $this->assertSame(302, $response->getStatusCode());`
	`500`	`+ }`
`492`	`501`	`}`
Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,7 @@ public static function provideResolveUrl(): array`
`102`	`102`	`[self::RFC3986_BASE, 'g/../h', 'http://a/b/c/h'],`
`103`	`103`	`[self::RFC3986_BASE, 'g;x=1/./y', 'http://a/b/c/g;x=1/y'],`
`104`	`104`	`[self::RFC3986_BASE, 'g;x=1/../y', 'http://a/b/c/y'],`
	`105`	`+ [self::RFC3986_BASE, 'g/h:123/i', 'http://a/b/c/g/h:123/i'],`
`105`	`106`	`// dot-segments in the query or fragment`
`106`	`107`	`[self::RFC3986_BASE, 'g?y/./x', 'http://a/b/c/g?y/./x'],`
`107`	`108`	`[self::RFC3986_BASE, 'g?y/../x', 'http://a/b/c/g?y/../x'],`
`@@ -127,14 +128,14 @@ public static function provideResolveUrl(): array`
`127`	`128`	`public function testResolveUrlWithoutScheme()`
`128`	`129`	`{`
`129`	`130`	`$this->expectException(InvalidArgumentException::class);`
`130`		`- $this->expectExceptionMessage('Invalid URL: scheme is missing in "//localhost:8080". Did you forget to add "http(s)://"?');`
	`131`	`+ $this->expectExceptionMessage('Unsupported scheme in "localhost:8080": "http" or "https" expected.');`
`131`	`132`	`self::resolveUrl(self::parseUrl('localhost:8080'), null);`
`132`	`133`	`}`
`133`	`134`
`134`		`- public function testResolveBaseUrlWitoutScheme()`
	`135`	`+ public function testResolveBaseUrlWithoutScheme()`
`135`	`136`	`{`
`136`	`137`	`$this->expectException(InvalidArgumentException::class);`
`137`		`- $this->expectExceptionMessage('Invalid URL: scheme is missing in "//localhost:8081". Did you forget to add "http(s)://"?');`
	`138`	`+ $this->expectExceptionMessage('Unsupported scheme in "localhost:8081": "http" or "https" expected.');`
`138`	`139`	`self::resolveUrl(self::parseUrl('/foo'), self::parseUrl('localhost:8081'));`
`139`	`140`	`}`
`140`	`141`