From d50b9612a020aee1f1c47552b93f8f75be62dc84 Mon Sep 17 00:00:00 2001
From: "S. Brusch"
Date: Sat, 6 May 2023 17:57:12 +0200
Subject: [PATCH] Added host check on xrd request
---
 src/Module/Xrd.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/Module/Xrd.php b/src/Module/Xrd.php
index 21cff56346..6a4c0e860d 100644
--- a/src/Module/Xrd.php
+++ b/src/Module/Xrd.php
@@ -65,13 +65,19 @@ class Xrd extends BaseModule
 if (substr($uri, 0, 4) === 'http') {
 $name = ltrim(basename($uri), '~');
+ $host = parse_url($uri, PHP_URL_HOST);
 } else {
 $local = str_replace('acct:', '', $uri);
 if (substr($local, 0, 2) == '//') {
 $local = substr($local, 2);
 }
- $name = substr($local, 0, strpos($local, '@'));
+ list($name, $host) = explode('@', $local);
+ }
+
+ if (!empty($host) && $host !== DI::baseUrl()->getHost()) {
+ DI::logger()->notice('Invalid host name for xrd query',['host' => $host, 'uri' => $uri]);
+ throw new NotFoundException('Invalid host name for xrd query: ' . $host);
 }
 if ($name == User::getActorName()) {
--
2.39.5
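Review bot: The host comparison on the added `if (!empty($host) && $host !== DI::baseUrl()->getHost())` line is case-sensitive, but host names are case-insensitive, so a well-formed query such as `user@Example.org` against an `example.org` instance is rejected with a 404 although it is legitimate. The added `list($name, $host) = explode('@', $local);` also emits an undefined-array-key warning and leaves `$host` null when an `acct:` value has no `@`, and `!empty()` then skips the check; skipping is presumably intended for bare local names, but here it happens by accident rather than by design. I would write `[$name, $host] = array_pad(explode('@', $local, 2), 2, null);` and compare with `if (!empty($host) && strcasecmp($host, DI::baseUrl()->getHost()) !== 0) {`, assuming getHost() returns a plain host without a port, which the hunk does not show. The enclosing method starts and ends outside the hunk.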