From 1701156a18f8003c6ce012a2598fd7d1dd183ac2 Mon Sep 17 00:00:00 2001
From: Matthew Exon
Date: Mon, 8 Jul 2024 19:23:20 +0200
Subject: [PATCH 1/2] Return 400 error code on malformed request. Fixes #14281

---
 src/Module/Xrd.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Module/Xrd.php b/src/Module/Xrd.php
index e39b5d3af6..1e247341a2 100644
--- a/src/Module/Xrd.php
+++ b/src/Module/Xrd.php
@@ -26,6 +26,7 @@ use Friendica\Core\System;
 use Friendica\DI;
 use Friendica\Model\Photo;
 use Friendica\Model\User;
+use Friendica\Network\HTTPException\BadRequestException;
 use Friendica\Network\HTTPException\NotFoundException;
 use Friendica\Protocol\ActivityNamespace;
 use Friendica\Protocol\Salmon;
@@ -68,13 +69,15 @@ class Xrd extends BaseModule
 		if (substr($uri, 0, 4) === 'http') {
 			$name = ltrim(basename($uri), '~');
 			$host = parse_url($uri, PHP_URL_HOST);
-		} else {
+		} else if (substr($uri, 0, 4) === 'acct') {
 			$local = str_replace('acct:', '', $uri);
 			if (substr($local, 0, 2) == '//') {
 				$local = substr($local, 2);
 			}
 			list($name, $host) = explode('@', $local);
+		} else {
+			throw new BadRequestException();
 		}
 		if (!empty($host) && $host !== DI::baseUrl()->getHost()) {

From 958d0ba554f006d6a97a359022940ae082f41d21 Mon Sep 17 00:00:00 2001
From: Matthew Exon
Date: Mon, 8 Jul 2024 20:04:34 +0200
Subject: [PATCH 2/2] Match all schemes not just acct

---
 src/Module/Xrd.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Module/Xrd.php b/src/Module/Xrd.php
index 1e247341a2..7a983538a1 100644
--- a/src/Module/Xrd.php
+++ b/src/Module/Xrd.php
@@ -69,7 +69,7 @@ class Xrd extends BaseModule
 		if (substr($uri, 0, 4) === 'http') {
 			$name = ltrim(basename($uri), '~');
 			$host = parse_url($uri, PHP_URL_HOST);
-		} else if (substr($uri, 0, 4) === 'acct') {
+		} else if (preg_match('/^[[:alpha:]][[:alnum:]+-.]+:/', $uri)) {
 			$local = str_replace('acct:', '', $uri);
 			if (substr($local, 0, 2) == '//') {
 				$local = substr($local, 2);
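Review bot: The new `else if (substr($uri, 0, 4) === 'acct')` guard only checks the scheme, so an input such as `acct:foo` with no `@` still reaches `list($name, $host) = explode('@', $local)`, where the one-element result leaves `$host` unset (an undefined-offset warning on PHP 8) rather than producing the 400 the commit title promises. Since `$uri` presumably comes straight from the request, the parse should fail closed on a missing user/host separator: `$parts = explode('@', $local, 2);` / `if (count($parts) !== 2) { throw new BadRequestException(); }` / `list($name, $host) = $parts;`. The same gap remains after the `preg_match` rewrite of this condition in PATCH 2/2, so one fix covers both. The enclosing method begins before and continues past this hunk.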
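Review bot: The bracket expression `[[:alnum:]+-.]` in the new `preg_match` contains the range `+-.`, which spans `+`, `,`, `-` and `.`, so a comma is accepted inside the scheme; placing the hyphen last, `/^[[:alpha:]][[:alnum:]+.-]*:/`, matches the RFC 3986 scheme grammar exactly (`*` instead of `+` also admits single-letter schemes). Note also that `str_replace('acct:', '', $uri)` on the following line strips only the `acct:` prefix, so for every other scheme this branch now accepts the `scheme:` text is carried into `$name` by the later explode; if that is intended, a comment such as `// only acct: is stripped; other schemes stay part of $name` would make it explicit, otherwise strip the scheme generically, e.g. `$local = substr($uri, strpos($uri, ':') + 1);`, which is safe here because the regex guarantees a colon is present. The enclosing method starts and ends outside this hunk.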