-rw-r--r--routers/web/webfinger.go13
-rw-r--r--tests/integration/webfinger_test.go12
2 files changed, 25 insertions, 0 deletions
diff --git a/routers/web/webfinger.go b/routers/web/webfinger.go
index e4b2aacce8..c620059ec1 100644
--- a/routers/web/webfinger.go
+++ b/routers/web/webfinger.go
@@ -64,6 +64,19 @@ func WebfingerQuery(ctx *context.Context) {
if u != nil && u.KeepEmailPrivate {
err = user_model.ErrUserNotExist{}
}
+ case "https", "http":
+ if resource.Host != appURL.Host {
+ ctx.Error(http.StatusBadRequest)
+ return
+ }
+
+ parts := strings.Split(resource.Path, "/")
+ if len(parts) < 2 { // fragment[0] is empty space, fragment[1] may be username
+ ctx.Error(http.StatusBadRequest)
+ return
+ }
+
+ u, err = user_model.GetUserByName(ctx, parts[1])
default:
ctx.Error(http.StatusBadRequest)
return
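Review bot: The length guard in the new `case "https", "http":` branch does not reject an empty first path segment: for a resource path of `/`, `strings.Split` yields two empty strings, so `parts[1]` is `""` and is passed to `user_model.GetUserByName`. Tightening it to `if len(parts) < 2 || parts[1] == "" {` would return 400 here just as for a missing path, and the trailing comment should name `parts[0]`/`parts[1]` rather than `fragment[...]`. The host check `resource.Host != appURL.Host` is byte-exact, so a differently cased host or an explicit default port is rejected; that fails closed, but `!strings.EqualFold(resource.Host, appURL.Host)` would match how hostnames compare. The `mailto` branch above hides users with `KeepEmailPrivate`; whether this branch needs a comparable visibility check depends on the code after the switch, which lies outside the hunk.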
diff --git a/tests/integration/webfinger_test.go b/tests/integration/webfinger_test.go
index 55fb211779..cdc7d94ebb 100644
--- a/tests/integration/webfinger_test.go
+++ b/tests/integration/webfinger_test.go
@@ -66,4 +66,16 @@ func TestWebfinger(t *testing.T) {
req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=mailto:%s", user.Email))
MakeRequest(t, req, http.StatusNotFound)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=http://%s/%s/foo", appURL.Host, user.Name))
+ session.MakeRequest(t, req, http.StatusOK)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=https://%s/%s", appURL.Host, user.Name))
+ session.MakeRequest(t, req, http.StatusOK)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=http://%s", appURL.Host))
+ MakeRequest(t, req, http.StatusBadRequest)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=http://%s/%s/foo", "example.com", user.Name))
+ MakeRequest(t, req, http.StatusBadRequest)
}
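Review bot: The added cases leave two inputs of the new http/https branch unpinned: a resource whose path is only `/` (empty first segment) and a first segment that names no user on this host. A case such as `req = NewRequest(t, "GET", fmt.Sprintf("/.well-known/webfinger?resource=https://%s/", appURL.Host))` with the intended status would cover the first. A second case with an unknown name, presumably expecting `http.StatusNotFound`, would confirm that this lookup path answers the same way as the existing ones. TestWebfinger begins outside the hunk, so the setup of `session` and `appURL` is not visible here.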