Fix merger of URI with authority component

https://hackerone.com/reports/2957667

Co-authored-by: Nobuyoshi Nakada <[email protected]>

Author: hsbt

lib/uri/generic.rb

@@ -1133,21 +1133,16 @@ def merge(oth)
       base.fragment=(nil)
 
       # RFC2396, Section 5.2, 4)
-      if !authority
-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
-      else
-        # RFC2396, Section 5.2, 4)
-        base.set_path(rel.path) if rel.path
+      if authority
+        base.set_userinfo(rel.userinfo)
+        base.set_host(rel.host)
+        base.set_port(rel.port || base.default_port)
+        base.set_path(rel.path)
+      elsif base.path && rel.path
+        base.set_path(merge_path(base.path, rel.path))
       end
 
       # RFC2396, Section 5.2, 7)
-      if rel.userinfo
-        base.set_userinfo(rel.userinfo)
-      else
-        base.set_userinfo(nil)
-      end
-      base.set_host(rel.host)         if rel.host
-      base.set_port(rel.port)         if rel.port
       base.query = rel.query       if rel.query
       base.fragment=(rel.fragment) if rel.fragment
 

test/uri/test_generic.rb

@@ -278,6 +278,13 @@ def test_merge
     assert_equal(u0, u1)
   end
 
+  def test_merge_authority
+    u = URI.parse('http://user:[email protected]:8080')
+    u0 = URI.parse('http://new.example.org/path')
+    u1 = u.merge('//new.example.org/path')
+    assert_equal(u0, u1)
+  end
+
   def test_route
     url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
     assert_equal('b.html', url.to_s)