Normalize URL paths in redirect handling: resolve . and .. segments in relative and absolute paths

Grotax · Grotax · commit abf5dc4c2a8b · 2025-11-10T11:49:34.000+01:00
diff --git a/src/FeedIo/Adapter/Http/Client.php b/src/FeedIo/Adapter/Http/Client.php
@@ -171,22 +171,73 @@ protected function resolveRedirectUrl(string $currentUrl, string $location): str
 
         $scheme = $parts['scheme'] ?? 'http';
         $host = $parts['host'] ?? '';
+        $port = isset($parts['port']) ? ':' . $parts['port'] : '';
 
         // Handle absolute path (starts with /)
         if (str_starts_with($location, '/')) {
-            $port = isset($parts['port']) ? ':' . $parts['port'] : '';
-            return "{$scheme}://{$host}{$port}{$location}";
+            $normalizedPath = $this->normalizePath($location);
+            return "{$scheme}://{$host}{$port}{$normalizedPath}";
         }
 
         // Handle relative path
-        $path = $parts['path'] ?? '/';
-        $basePath = dirname($path);
+        $currentPath = $parts['path'] ?? '/';
+        $basePath = dirname($currentPath);
         if ($basePath === '.') {
             $basePath = '/';
         }
 
-        $port = isset($parts['port']) ? ':' . $parts['port'] : '';
+        // Combine base path with relative location
         $separator = str_ends_with($basePath, '/') ? '' : '/';
-        return "{$scheme}://{$host}{$port}{$basePath}{$separator}{$location}";
+        $combinedPath = "{$basePath}{$separator}{$location}";
+        
+        // Normalize the path to resolve . and .. segments
+        $normalizedPath = $this->normalizePath($combinedPath);
+
+        return "{$scheme}://{$host}{$port}{$normalizedPath}";
+    }
+
+    /**
+     * Normalize a URL path by resolving . and .. segments
+     *
+     * @param string $path
+     * @return string
+     */
+    protected function normalizePath(string $path): string
+    {
+        // Split path into segments
+        $segments = explode('/', $path);
+        $normalized = [];
+
+        foreach ($segments as $segment) {
+            if ($segment === '' || $segment === '.') {
+                // Skip empty segments and current directory references
+                if ($segment === '' && empty($normalized)) {
+                    // Keep leading slash
+                    $normalized[] = '';
+                }
+                continue;
+            } elseif ($segment === '..') {
+                // Go up one directory
+                if (!empty($normalized) && end($normalized) !== '' && end($normalized) !== '..') {
+                    array_pop($normalized);
+                } elseif (empty($normalized) || end($normalized) === '..') {
+                    // Can't go above root or if we're already tracking ..
+                    $normalized[] = '..';
+                }
+            } else {
+                $normalized[] = $segment;
+            }
+        }
+
+        // Reconstruct path
+        $result = implode('/', $normalized);
+        
+        // Ensure absolute paths start with /
+        if (str_starts_with($path, '/') && !str_starts_with($result, '/')) {
+            $result = '/' . $result;
+        }
+
+        return $result ?: '/';
     }
 }
+
diff --git a/tests/FeedIo/Adapter/Http/ClientTest.php b/tests/FeedIo/Adapter/Http/ClientTest.php
@@ -305,4 +305,90 @@ public function testAllowsHttpAndHttpsRedirects(): void
 
         $this->assertEquals(200, $response->getStatusCode());
     }
+
+    public function testNormalizesRelativePathWithDotDotSegments(): void
+    {
+        // Current URL: https://example.com/path/to/feed.xml
+        // Redirect to: ../newpath/feed.xml
+        // Should resolve to: https://example.com/path/newpath/feed.xml
+        
+        $redirectResponse = new PsrResponse(301, ['Location' => '../newpath/feed.xml']);
+        $finalResponse = new PsrResponse(200, [], 'content');
+
+        $requestCount = 0;
+        $this->psrClient
+            ->expects($this->exactly(2))
+            ->method('sendRequest')
+            ->willReturnCallback(function (RequestInterface $request) use ($redirectResponse, $finalResponse, &$requestCount) {
+                $requestCount++;
+                
+                if ($requestCount === 1) {
+                    $this->assertEquals('https://example.com/path/to/feed.xml', (string) $request->getUri());
+                    return $redirectResponse;
+                }
+                
+                // Verify the path was properly normalized
+                $this->assertEquals('https://example.com/path/newpath/feed.xml', (string) $request->getUri());
+                return $finalResponse;
+            });
+
+        $response = $this->client->getResponse('https://example.com/path/to/feed.xml');
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testNormalizesAbsolutePathWithDotDotSegments(): void
+    {
+        // Redirect to: /path/../other/feed.xml
+        // Should resolve to: /other/feed.xml
+        
+        $redirectResponse = new PsrResponse(301, ['Location' => '/path/../other/feed.xml']);
+        $finalResponse = new PsrResponse(200, [], 'content');
+
+        $requestCount = 0;
+        $this->psrClient
+            ->expects($this->exactly(2))
+            ->method('sendRequest')
+            ->willReturnCallback(function (RequestInterface $request) use ($redirectResponse, $finalResponse, &$requestCount) {
+                $requestCount++;
+                
+                if ($requestCount === 1) {
+                    return $redirectResponse;
+                }
+                
+                // Verify the path was properly normalized
+                $this->assertEquals('https://example.com/other/feed.xml', (string) $request->getUri());
+                return $finalResponse;
+            });
+
+        $response = $this->client->getResponse('https://example.com/some/path.xml');
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testNormalizesPathWithDotSegments(): void
+    {
+        // Redirect to: /path/./to/./feed.xml
+        // Should resolve to: /path/to/feed.xml
+        
+        $redirectResponse = new PsrResponse(301, ['Location' => '/path/./to/./feed.xml']);
+        $finalResponse = new PsrResponse(200, [], 'content');
+
+        $requestCount = 0;
+        $this->psrClient
+            ->expects($this->exactly(2))
+            ->method('sendRequest')
+            ->willReturnCallback(function (RequestInterface $request) use ($redirectResponse, $finalResponse, &$requestCount) {
+                $requestCount++;
+                
+                if ($requestCount === 1) {
+                    return $redirectResponse;
+                }
+                
+                // Verify the path was properly normalized
+                $this->assertEquals('https://example.com/path/to/feed.xml', (string) $request->getUri());
+                return $finalResponse;
+            });
+
+        $response = $this->client->getResponse('https://example.com/old.xml');
+        $this->assertEquals(200, $response->getStatusCode());
+    }
 }
