Merge pull request #13096 from ne20002/heikosblog.eu

Added host check on xrd request
Hypolite Petovan 2023-05-06 17:03:02 -04:00 committed by GitHub
commit 8585a94f90
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -65,13 +65,19 @@ class Xrd extends BaseModule
if (substr($uri, 0, 4) === 'http') { if (substr($uri, 0, 4) === 'http') {
$name = ltrim(basename($uri), '~'); $name = ltrim(basename($uri), '~');
$host = parse_url($uri, PHP_URL_HOST);
} else { } else {
$local = str_replace('acct:', '', $uri); $local = str_replace('acct:', '', $uri);
if (substr($local, 0, 2) == '//') { if (substr($local, 0, 2) == '//') {
$local = substr($local, 2); $local = substr($local, 2);
} }
$name = substr($local, 0, strpos($local, '@')); list($name, $host) = explode('@', $local);
}
if (!empty($host) && $host !== DI::baseUrl()->getHost()) {
DI::logger()->notice('Invalid host name for xrd query',['host' => $host, 'uri' => $uri]);
throw new NotFoundException('Invalid host name for xrd query: ' . $host);
} }
if ($name == User::getActorName()) { if ($name == User::getActorName()) {
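Review bot: The new host check fails open: in the `acct:` branch `list($name, $host) = explode('@', $local);` leaves `$host` null (with an undefined-key notice or warning) when `$local` contains no `@`, and `!empty($host)` then skips the comparison entirely, as it also does when `parse_url()` returns null or false in the `http` branch. If a query without a resolvable host is not meant to be answered, reject it explicitly, and at minimum make the split deterministic with `[$name, $host] = array_pad(explode('@', $local, 2), 2, '');`. The comparison `$host !== DI::baseUrl()->getHost()` is also byte-exact, so a differently cased but otherwise correct host name would get a 404 unless both sides are normalised elsewhere; `strcasecmp($host, DI::baseUrl()->getHost()) !== 0` avoids that. The enclosing method starts and ends outside this hunk, so how `$name` is used afterwards and how the exception message containing the request-supplied `$host` is rendered are not visible here.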