Added host check on xrd request

[friendica.git] / src / Module / Xrd.php

diff --git a/src/Module/Xrd.php b/src/Module/Xrd.php
index 21cff563468d5496f825b7adbf46d7080dac5786..6a4c0e860d31be4c12b07e005074a705d3647ba8 100644 (file)
--- a/src/Module/Xrd.php
+++ b/src/Module/Xrd.php
@@ -65,13 +65,19 @@ class Xrd extends BaseModule
 
                if (substr($uri, 0, 4) === 'http') {
                        $name = ltrim(basename($uri), '~');
+                       $host = parse_url($uri, PHP_URL_HOST);
                } else {
                        $local = str_replace('acct:', '', $uri);
                        if (substr($local, 0, 2) == '//') {
                                $local = substr($local, 2);
                        }
 
-                       $name = substr($local, 0, strpos($local, '@'));
+                       list($name, $host) = explode('@', $local);
+               }
+
+               if (!empty($host) && $host !== DI::baseUrl()->getHost()) {
+                       DI::logger()->notice('Invalid host name for xrd query',['host' => $host, 'uri' => $uri]);
+                       throw new NotFoundException('Invalid host name for xrd query: ' . $host);
                }
 
                if ($name == User::getActorName()) {