enhancement: s3 dot segment handling (#2853)

aws · Dec 8, 2023 · ced944b · ced944b
1 parent 1e01734
commit ced944b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/src/Api/Serializer/RestSerializer.php b/src/Api/Serializer/RestSerializer.php
@@ -236,11 +236,14 @@ function (array $matches) use ($varDefinitions) {
             }
             $relative = $path . $relative;
 
-            if (strpos($relative, '../') !== false) {
+            if (strpos($relative, '../') !== false
+                || substr($relative, -2) === '..'
+            ) {
                 if ($relative[0] !== '/') {
                     $relative = '/' . $relative;
                 }
-                return new Uri($this->endpoint . $relative);
+
+                return new Uri($this->endpoint->withPath('') . $relative);
             }
         }
         // If endpoint has path, remove leading '/' to preserve URI resolution.

diff --git a/tests/S3/S3ClientTest.php b/tests/S3/S3ClientTest.php
@@ -2444,7 +2444,8 @@ public function dotSegmentProvider()
             ['../foo' , 'https://foo.s3.amazonaws.com/../foo'],
             ['bar/../../foo', 'https://foo.s3.amazonaws.com/bar/../../foo'],
             ['/../foo', 'https://foo.s3.amazonaws.com//../foo'],
-            ['foo/bar/../baz', 'https://foo.s3.amazonaws.com/foo/bar/../baz']
+            ['foo/bar/../baz', 'https://foo.s3.amazonaws.com/foo/bar/../baz'],
+            ['foo/bar/baz/..', 'https://foo.s3.amazonaws.com/foo/bar/baz/..']
         ];
     }
 
@@ -2455,7 +2456,7 @@ public function testHandlesDotSegmentsInKeyWithPathStyle($key, $expectedUri)
     {
         $s3 = $this->getTestClient('s3', ['use_path_style_endpoint' => true]);
         $this->addMockResults($s3, [[]]);
-        $command = $s3->getCommand('getObject', ['Bucket' => 'foo', 'Key' => $key]);
+        $command = $s3->getCommand('getObject', ['Bucket' => 'bucket', 'Key' => $key]);
         $command->getHandlerList()->appendSign(
             Middleware::tap(function ($cmd, $req) use ($expectedUri) {
                 $this->assertSame($expectedUri, (string) $req->getUri());
@@ -2467,10 +2468,11 @@ public function testHandlesDotSegmentsInKeyWithPathStyle($key, $expectedUri)
     public function dotSegmentPathStyleProvider()
     {
         return [
-            ['../foo' , 'https://s3.amazonaws.com/foo/foo/../foo'],
-            ['bar/../../foo', 'https://s3.amazonaws.com/foo/foo/bar/../../foo'],
-            ['/../foo', 'https://s3.amazonaws.com/foo/foo//../foo'],
-            ['foo/bar/../baz', 'https://s3.amazonaws.com/foo/foo/foo/bar/../baz'],
+            ['../foo' , 'https://s3.amazonaws.com/bucket/../foo'],
+            ['bar/../../foo', 'https://s3.amazonaws.com/bucket/bar/../../foo'],
+            ['/../foo', 'https://s3.amazonaws.com/bucket//../foo'],
+            ['foo/bar/../baz', 'https://s3.amazonaws.com/bucket/foo/bar/../baz'],
+            ['foo/bar/baz/..', 'https://s3.amazonaws.com/bucket/foo/bar/baz/..']
         ];
     }