Fix handling of webfinger redirects in ResolveAccountService (#11279)

main
ThibG 2019-07-10 17:10:12 +02:00 committed by Eugen Rochko
parent 27ad4c1501
commit 85eb418e1f
1 changed files with 5 additions and 4 deletions

View File

@ -30,7 +30,7 @@ class ResolveAccountService < BaseService
# At this point we are in need of a Webfinger query, which may # At this point we are in need of a Webfinger query, which may
# yield us a different username/domain through a redirect # yield us a different username/domain through a redirect
process_webfinger! process_webfinger!(@uri)
# Because the username/domain pair may be different than what # Because the username/domain pair may be different than what
# we already checked, we need to check if we've already got # we already checked, we need to check if we've already got
@ -69,15 +69,16 @@ class ResolveAccountService < BaseService
@domain = nil if TagManager.instance.local_domain?(@domain) @domain = nil if TagManager.instance.local_domain?(@domain)
end end
def process_webfinger! def process_webfinger!(uri, redirected = false)
@webfinger = Goldfinger.finger("acct:#{@uri}") @webfinger = Goldfinger.finger("acct:#{@uri}")
confirmed_username, confirmed_domain = @webfinger.subject.gsub(/\Aacct:/, '').split('@') confirmed_username, confirmed_domain = @webfinger.subject.gsub(/\Aacct:/, '').split('@')
if confirmed_username.casecmp(@username).zero? && confirmed_domain.casecmp(@domain).zero? if confirmed_username.casecmp(@username).zero? && confirmed_domain.casecmp(@domain).zero?
@username = confirmed_username @username = confirmed_username
@domain = confirmed_domain @domain = confirmed_domain
elsif @options[:redirected].nil? @uri = uri
@account = ResolveAccountService.new.call("#{confirmed_username}@#{confirmed_domain}", @options.merge(redirected: true)) elsif !redirected
return process_webfinger!("#{confirmed_username}@#{confirmed_domain}", true)
else else
raise WebfingerRedirectError, "The URI #{uri} tries to hijack #{@username}@#{@domain}" raise WebfingerRedirectError, "The URI #{uri} tries to hijack #{@username}@#{@domain}"
end end