Another fix for webmentions

Jan-Lukas Else 2021-06-30 08:04:30 +02:00
parent 597dc35470
commit 4e6afb8cc5
4 changed files with 14 additions and 47 deletions


@ -5,7 +5,6 @@ import (
"fmt"
"html/template"
"io"
"net/http"
"net/url"
"path"
"sort"
@ -46,25 +45,6 @@ func generateRandomString(chars int) string {
return funk.RandomString(chars, []rune(randomLetters))
}
func isAllowedHost(r *http.Request, hosts ...string) bool {
if r.URL == nil {
return false
}
rh := r.URL.Host
switch r.URL.Scheme {
case "http":
rh = strings.TrimSuffix(rh, ":80")
case "https":
rh = strings.TrimSuffix(rh, ":443")
}
for _, host := range hosts {
if rh == host {
return true
}
}
return false
}
func isAbsoluteURL(s string) bool {
if u, err := url.Parse(s); err != nil || !u.IsAbs() {
return false


@ -1,8 +1,6 @@
package main
import (
"net/http"
"net/http/httptest"
"reflect"
"testing"
@ -28,28 +26,6 @@ func Test_generateRandomString(t *testing.T) {
}
}
func Test_isAllowedHost(t *testing.T) {
req1 := httptest.NewRequest(http.MethodGet, "https://example.com", nil)
req2 := httptest.NewRequest(http.MethodGet, "https://example.com:443", nil)
req3 := httptest.NewRequest(http.MethodGet, "http://example.com:80", nil)
if isAllowedHost(req1, "example.com") != true {
t.Error("Wrong result")
}
if isAllowedHost(req1, "example.net") != false {
t.Error("Wrong result")
}
if isAllowedHost(req2, "example.com") != true {
t.Error("Wrong result")
}
if isAllowedHost(req3, "example.com") != true {
t.Error("Wrong result")
}
}
func Test_isAbsoluteURL(t *testing.T) {
if isAbsoluteURL("http://example.com") != true {
t.Error("Wrong result")


@ -5,7 +5,6 @@ import (
"errors"
"fmt"
"net/http"
"net/http/httptest"
"strings"
"time"
@ -52,7 +51,7 @@ func (a *goBlog) handleWebmention(w http.ResponseWriter, r *http.Request) {
a.serveError(w, r, err.Error(), http.StatusBadRequest)
return
}
if !isAllowedHost(httptest.NewRequest(http.MethodGet, m.Target, nil), a.cfg.Server.publicHostname) {
if !strings.HasPrefix(m.Target, a.cfg.Server.PublicAddress) {
a.serveError(w, r, "target not allowed", http.StatusBadRequest)
return
}
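Review bot: The new `strings.HasPrefix(m.Target, a.cfg.Server.PublicAddress)` test in handleWebmention is a raw string prefix match, so if PublicAddress is configured without a trailing slash (not visible here), a target whose host merely starts with the public hostname, such as the constructed `https://blog.example.other.test/`, would still be accepted. The match is also case-sensitive and runs on the target before any normalisation. Comparing the parsed host is stricter: `u, err := url.Parse(m.Target)` followed by `if err != nil || !strings.EqualFold(u.Host, a.cfg.Server.publicHostname) {`, with default ports trimmed as the removed helper did. This assumes publicHostname is still populated after this commit and that `net/url` is imported in this file. handleWebmention starts and ends outside the hunk.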


@ -63,6 +63,18 @@ func (a *goBlog) queueMention(m *mention) error {
}
func (a *goBlog) verifyMention(m *mention) error {
// Parse url -> string for source and target
u, err := url.Parse(m.Source)
if err != nil {
return err
}
m.Source = u.String()
u, err = url.Parse(m.Target)
if err != nil {
return err
}
m.Target = u.String()
// Do request
req, err := http.NewRequest(http.MethodGet, m.Source, nil)
if err != nil {
return err
@ -156,7 +168,7 @@ func (m *mention) fill(mf *microformats.Microformat) bool {
// Check URL
if url, ok := mf.Properties["url"]; ok && len(url) > 0 {
if url0, ok := url[0].(string); ok {
if strings.ToLower(url0) != strings.ToLower(m.Source) {
if !strings.EqualFold(url0, m.Source) {
// Not correct URL
return false
}
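Review bot: In the first hunk, `url.Parse` in verifyMention succeeds for relative references and for any scheme, so the added normalisation does not establish that m.Source is an absolute http(s) URL before it reaches `http.NewRequest`. Unless an earlier step outside this hunk already enforces that, a guard after the first parse would make it explicit: `if !u.IsAbs() || (u.Scheme != "http" && u.Scheme != "https") { return errors.New("source must be an absolute http(s) URL") }` (this needs `errors` in scope in this file). Because the source is supplied by the sender and fetched server-side, it is also worth documenting on verifyMention which destinations the outbound client may reach, such as whether loopback and private ranges are refused. A short comment on why both fields are re-serialised with `u.String()` would help as well, since the later comparison in fill relies on m.Source being in that form. verifyMention continues past the end of the hunk.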