if (substr($uri, 0, 4) === 'http') {
$name = ltrim(basename($uri), '~');
+ $host = parse_url($uri, PHP_URL_HOST);
} else {
$local = str_replace('acct:', '', $uri);
if (substr($local, 0, 2) == '//') {
$local = substr($local, 2);
}
- $name = substr($local, 0, strpos($local, '@'));
+ list($name, $host) = explode('@', $local);
}
+ if (!empty($host) && $host !== DI::baseUrl()->getHost()) {
+ DI::logger()->notice('Invalid host name for xrd query',['host' => $host, 'uri' => $uri]);
+ throw new NotFoundException('Invalid host name for xrd query: ' . $host);
+ }
+
+ header('Vary: Accept', false);
+
if ($name == User::getActorName()) {
$owner = User::getSystemAccount();
if (empty($owner)) {
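Review bot: `list($name, $host) = explode('@', $local);` leaves `$host` undefined (with an "Undefined array key 1" warning) whenever the acct: form carries no `@`, and when it carries more than one `@` only the first two segments are kept, so the remainder is silently dropped; `[$name, $host] = array_pad(explode('@', $local, 2), 2, null);` yields a null host for the bare case and keeps everything after the first `@` in `$host`, where the comparison below rejects it instead of ignoring it. The new check `$host !== DI::baseUrl()->getHost()` is a byte-wise comparison while host names are case-insensitive, so `acct:user@Example.org` would be rejected if the configured base host is lower-case (assuming `getHost()` returns the configured value unchanged); `strcasecmp($host, DI::baseUrl()->getHost()) !== 0` is presumably the intended test. Note also that `parse_url()` returns `false` or `null` for a malformed http URI, which `!empty($host)` then treats as "nothing to verify" and falls through to the `$name` lookup, so a short comment on the `!empty($host)` line stating that an absent host is deliberately trusted as local would save the next reader a question. The enclosing method begins before and continues after this hunk.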
private function printSystemJSON(array $owner)
{
- $baseURL = $this->baseUrl;
+ $baseURL = (string)$this->baseUrl;
$json = [
'subject' => 'acct:' . $owner['addr'],
'aliases' => [$owner['url']],
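Review bot: `$baseURL = (string)$this->baseUrl;` is now repeated verbatim in printSystemJSON, printJSON and printXML (the hunks at `private function printJSON` and `private function printXML` make the same change). If `$this->baseUrl` is an object with `__toString()`, as the cast suggests, converting it once — e.g. `private function baseUrlString(): string { return (string)$this->baseUrl; }`, or storing the string form in a typed property at construction — keeps the three methods from drifting apart the next time the representation changes. Each of the three method bodies continues outside its hunk.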
private function printJSON(string $alias, array $owner, array $avatar)
{
- $baseURL = $this->baseUrl;
+ $baseURL = (string)$this->baseUrl;
$json = [
'subject' => 'acct:' . $owner['addr'],
private function printXML(string $alias, array $owner, array $avatar)
{
- $baseURL = $this->baseUrl;
+ $baseURL = (string)$this->baseUrl;
$xmlString = XML::fromArray([
'XRD' => [
]);
header('Access-Control-Allow-Origin: *');
-
System::httpExit($xmlString, Response::TYPE_XML, 'application/xrd+xml');
}
}