Arsharth/hydrogen-web
1
0
Fork 0
forked from mystiq/hydrogen-web
Code Issues Pull requests Projects Releases Packages Wiki Activity

don't retry with www.{host}, as it's a minor security issue

Browse source 
if www.host gets hacked (e.g. a bad wordpress plugin), it could spread
to the matrix server running on a different host.
This commit is contained in:
Bruno Windels 2021-08-23 20:05:42 +02:00
parent 160ae0b767
commit d1412e1f42
1 changed files with 11 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
src/matrix/well-known.js
View file

@ -22,37 +22,19 @@ function normalizeHomeserver(homeserver) {
} }
} }
function getRetryHomeserver(homeserver) {
const url = new URL(homeserver);
const {host} = url;
const dotCount = host.split(".").length - 1;
if (dotCount === 1) {
url.host = `www.${host}`;
return url.origin;
}
}
async function getWellKnownResponse(homeserver, request) { async function getWellKnownResponse(homeserver, request) {
const requestOptions = {format: "json", timeout: 30000, method: "GET"}; const requestOptions = {format: "json", timeout: 30000, method: "GET"};
let wellKnownResponse = null; try {
while (!wellKnownResponse) { const wellKnownUrl = `${homeserver}/.well-known/matrix/client`;
try { return await request(wellKnownUrl, requestOptions).response();
const wellKnownUrl = `${homeserver}/.well-known/matrix/client`; } catch (err) {
return await request(wellKnownUrl, requestOptions).response(); if (err.name === "ConnectionError") {
} catch (err) { // don't fail lookup on a ConnectionError,
if (err.name === "ConnectionError") { // there might be a missing CORS header on a 404 response or something,
const retryHS = getRetryHomeserver(homeserver); // which won't be a problem necessarily with homeserver requests later on ...
if (retryHS) { return null;
homeserver = retryHS; } else {
} else { throw err;
// don't fail lookup on a ConnectionError,
// there might be a missing CORS header on a 404 response or something,
// which won't be a problem necessarily with homeserver requests later on ...
return null;
}
} else {
throw err;
}
} }
} }
} }