fix(url): disallowed wonky path (#4386)

3 files changed, 10 insertions, 3 deletions

diff --git a/bridges/RumbleBridge.php b/bridges/RumbleBridge.php
index 11755b51..c1a565bb 100644
--- a/bridges/RumbleBridge.php
+++ b/bridges/RumbleBridge.php
@@ -74,9 +74,7 @@ class RumbleBridge extends BridgeAbstract
                 $item['timestamp'] = $publishedAt->getTimestamp();
             }
 
-            if (isset($publishedAt) && $publishedAt > new \DateTimeImmutable('2025-01-31')) {
-                $href = ltrim($href, '/');
-            }
+            $href = ltrim($href, '/');
             $itemUrl = Url::fromString(self::URI . $href);
             // Remove tracking parameter in query string
             $item['uri'] = $itemUrl->withQueryString(null)->__toString();
diff --git a/lib/url.php b/lib/url.php
index 993fef96..9a1b59ad 100644
--- a/lib/url.php
+++ b/lib/url.php
@@ -111,6 +111,9 @@ final class Url
         if (!str_starts_with($path, '/')) {
             throw new UrlException(sprintf('Path must start with forward slash: %s', $path));
         }
+        if (str_starts_with($path, '//')) {
+            throw new UrlException(sprintf('Illegal path (too many forward slashes): %s', $path));
+        }
         $clone = clone $this;
         $clone->path = $path;
         return $clone;
diff --git a/tests/UrlTest.php b/tests/UrlTest.php
index d45f319b..72b9ac4c 100644
--- a/tests/UrlTest.php
+++ b/tests/UrlTest.php
@@ -36,6 +36,12 @@ class UrlTest extends TestCase
         }
     }
 
+    public function testIllegalPath()
+    {
+        $this->expectException(\UrlException::class);
+        Url::fromString('https://example.com//foo');
+    }
+
     public function testMutation()
     {
         $this->assertSame('http://example.com/foo', (Url::fromString('http://example.com/'))->withPath('/foo')->__toString());