path: root/internal/federation/dereferencing/finger.go
authorLibravatar kim <89579420+NyaaaWhatsUpDoc@users.noreply.github.com>2024-02-14 11:13:38 +0000
committerLibravatar GitHub <noreply@github.com>2024-02-14 12:13:38 +0100
commit2bafd7daf542d985ee76d9079a30a602cb7be827 (patch)
tree8817fe6f202155d660d75c17cd78ff5dae3d4530 /internal/federation/dereferencing/finger.go
parent[feature] Add metrics for instance user count, statuses count and federating ... (diff)
[bugfix] add stricter checks during all stages of dereferencing remote AS objects (#2639)
* add stricter checks during all stages of dereferencing remote AS objects * a comment
Diffstat (limited to 'internal/federation/dereferencing/finger.go')
-rw-r--r--internal/federation/dereferencing/finger.go11
1 files changed, 6 insertions, 5 deletions
diff --git a/internal/federation/dereferencing/finger.go b/internal/federation/dereferencing/finger.go
index 514a058ba..1b3e915ba 100644
--- a/internal/federation/dereferencing/finger.go
+++ b/internal/federation/dereferencing/finger.go
@@ -21,9 +21,9 @@ import (
"context"
"encoding/json"
"net/url"
- "strings"
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+ apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/log"
"github.com/superseriousbusiness/gotosocial/internal/transport"
@@ -74,10 +74,12 @@ func (d *Dereferencer) fingerRemoteAccount(
return "", nil, err
}
- _, accountDomain, err := util.ExtractWebfingerParts(resp.Subject)
+ accUsername, accDomain, err := util.ExtractWebfingerParts(resp.Subject)
if err != nil {
err = gtserror.Newf("error extracting subject parts for %s: %w", target, err)
return "", nil, err
+ } else if accUsername != username {
+ return "", nil, gtserror.Newf("response username does not match input for %s: %w", target, err)
}
// Look through links for the first
@@ -92,8 +94,7 @@ func (d *Dereferencer) fingerRemoteAccount(
continue
}
- if !strings.EqualFold(link.Type, "application/activity+json") &&
- !strings.EqualFold(link.Type, "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+ if !apiutil.ASContentType(link.Type) {
// Not an AP type, ignore.
continue
}
@@ -121,7 +122,7 @@ func (d *Dereferencer) fingerRemoteAccount(
}
// All looks good, return happily!
- return accountDomain, uri, nil
+ return accDomain, uri, nil
}
return "", nil, gtserror.Newf("no suitable self, AP-type link found in webfinger response for %s", target)
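Review bot: In the second hunk, the new `} else if accUsername != username {` branch is only reached when `err` is nil, so the `%w` verb in the added `gtserror.Newf` call wraps a nil error and the message ends in `%!w(<nil>)`; drop the verb: `return "", nil, gtserror.Newf("response username does not match input for %s", target)`. The comparison is also exact-case; if the project normalises usernames case-insensitively elsewhere, a remote subject that differs only in casing would be rejected here, so `strings.EqualFold` (or the same normalisation applied to local usernames) may be the intended check — worth confirming against the caller. Since the rejection is what stops a webfinger response from steering a lookup to a different account than the one requested, a one-line comment on the branch would help future readers, e.g. `// Reject a subject naming a different account than the one we asked for.`. fingerRemoteAccount begins before the first hunk and its closing brace lies beyond the last hunk line.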