Diffstat (limited to 'internal/transport/finger.go')
-rw-r--r-- | internal/transport/finger.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/internal/transport/finger.go b/internal/transport/finger.go
index 385af5e1c..9bcb0fa7e 100644
--- a/internal/transport/finger.go
+++ b/internal/transport/finger.go
@@ -98,9 +98,17 @@ func (t *transport) Finger(ctx context.Context, targetUsername string, targetDom
 // again here to renew the TTL
 t.controller.state.Caches.GTS.Webfinger.Set(targetDomain, url)
 }
+
 if rsp.StatusCode == http.StatusGone {
 return nil, fmt.Errorf("account has been deleted/is gone")
 }
+
+ // Ensure that the incoming request content-type is expected.
+ if ct := rsp.Header.Get("Content-Type"); !apiutil.JSONJRDContentType(ct) {
+ err := gtserror.Newf("non webfinger type response: %s", ct)
+ return nil, gtserror.SetMalformed(err)
+ }
+
 return io.ReadAll(rsp.Body)
 }
@@ -193,6 +201,12 @@ func (t *transport) webfingerFromHostMeta(ctx context.Context, targetDomain stri
 return "", fmt.Errorf("GET request for %s failed: %s", req.URL.String(), rsp.Status)
 }
+ // Ensure that the incoming request content-type is expected.
+ if ct := rsp.Header.Get("Content-Type"); !apiutil.XMLXRDContentType(ct) {
+ err := gtserror.Newf("non host-meta type response: %s", ct)
+ return "", gtserror.SetMalformed(err)
+ }
+
 e := xml.NewDecoder(rsp.Body)
 var hm apimodel.HostMeta
 if err := e.Decode(&hm); err != nil { |
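Review bot: The remote-supplied Content-Type value is interpolated with `%s` into the error in both new checks (the Finger hunk and the webfingerFromHostMeta hunk); since that header is controlled by the peer and the error is likely to reach logs, `%q` would quote and escape it, e.g. `err := gtserror.Newf("non webfinger type response: %q", ct)` and likewise `"non host-meta type response: %q"`. Whether `apiutil.JSONJRDContentType` and `apiutil.XMLXRDContentType` tolerate media-type parameters such as `; charset=utf-8` is not visible here; if they compare the raw header verbatim, well-behaved peers that send parameters would be rejected as malformed, so that behaviour is worth confirming in the helper. A short comment on each check noting that the header is untrusted and is only a sanity check before parsing, not a guarantee of well-formed content, would also help the next reader. Both enclosing functions start outside their hunks, and no status-code check is visible in the Finger hunk, so I assume it sits above the shown lines.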