Added host check on xrd request

2023-05-06 17:57:12 +02:00 · 2023-05-06 17:57:12 +02:00 · d50b9612a0
parent d196fbbd54
commit d50b9612a0
1 changed files with 7 additions and 1 deletions
--- a/src/Module/Xrd.php
+++ b/src/Module/Xrd.php
@ -65,13 +65,19 @@ class Xrd extends BaseModule

 		if (substr($uri, 0, 4) === 'http') {
 			$name = ltrim(basename($uri), '~');
+			$host = parse_url($uri, PHP_URL_HOST);
 		} else {
 			$local = str_replace('acct:', '', $uri);
 			if (substr($local, 0, 2) == '//') {
 				$local = substr($local, 2);
 			}

-			$name = substr($local, 0, strpos($local, '@'));
+			list($name, $host) = explode('@', $local);
+		}
+
+		if (!empty($host) && $host !== DI::baseUrl()->getHost()) {
+			DI::logger()->notice('Invalid host name for xrd query',['host' => $host, 'uri' => $uri]);
+			throw new NotFoundException('Invalid host name for xrd query: ' . $host);
 		}

 		if ($name == User::getActorName()) {