Per an [issue created for Diactoros](laminas/laminas-diactoros#74), its [related pull request](laminas/laminas-diactoros#77), and the discussion on that pull request, this patch does the following:
- It modifies `testPathWithMultipleSlashes()` to only validate that multiple slashes _not at the beginning_ of a path are retained intact.
- It adds `testProperlyTrimsLeadingSlashesToPreventXSS()`, which validates that when multiple leading slashes are present in a path, they are reduced to a single slash.
This approach is done to mitigate [ZF2015-05](https://framework.zend.com/security/advisory/ZF2015-05.html) which was also reported as [CVE-2015-3257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3257).
While RFC 3986 allows for multiple slashes anywhere in the path, when security conflicts with a specification, security concerns win.
Without the mitigation, an implementation is vulnerable to XSS and open redirects if only the path portion of a URI is used within HTML content (common!) or within headers (also common).
Signed-off-by: Matthew Weier O'Phinney <[email protected]>
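The normalization the two tests describe, as an added illustration (not Diactoros' own implementation): leading slashes collapse to exactly one, while slash runs elsewhere in the path are kept. The helper name `normalizeLeadingSlashes` and the `external.example` host are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the library's code: collapse any run of leading
// slashes in a URI path to a single "/" while leaving interior runs intact,
// which is the behaviour the tests in this patch assert.
function normalizeLeadingSlashes(string $path): string
{
    if ($path === '' || $path[0] !== '/') {
        return $path; // relative path: nothing to trim
    }
    return '/' . ltrim($path, '/');
}

// Why this matters: if the raw path were placed in an href or Location
// header, "//external.example/x" would be read by browsers as a
// scheme-relative URL and the user would leave the site entirely.
// Inputs below are constructed for the demo.
$samples = [
    '//external.example/page'  => '/external.example/page',
    '///external.example/page' => '/external.example/page',
    '/foo//bar///baz'          => '/foo//bar///baz',   // interior slashes kept
    '/'                        => '/',
    ''                         => '',
    'relative//path'           => 'relative//path',    // not absolute: untouched
];

foreach ($samples as $input => $expected) {
    $actual = normalizeLeadingSlashes($input);
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected result for " . var_export($input, true));
    }
    printf("%-28s => %s\n", var_export($input, true), var_export($actual, true));
}
```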