From 8b5be9fe1bbf8adabaca6f6177d44e58e8ef8c37 Mon Sep 17 00:00:00 2001
From: Alexei Sorokin <sor.alexei@meowr.ru>
Date: Wed, 22 Jul 2020 01:30:04 +0300
Subject: [PATCH] [LRDD] Fix unhandled bad data in HostMeta, LinkHTML and
 WebFinger

---
 plugins/LRDD/lib/lrddmethod/hostmeta.php  | 30 +++++++++++++----
 plugins/LRDD/lib/lrddmethod/linkhtml.php  | 40 ++++++++++++++++------
 plugins/LRDD/lib/lrddmethod/webfinger.php | 41 ++++++++++++++++-------
 3 files changed, 81 insertions(+), 30 deletions(-)

diff --git a/plugins/LRDD/lib/lrddmethod/hostmeta.php b/plugins/LRDD/lib/lrddmethod/hostmeta.php
index 0bd9117964..11f4db947d 100644
--- a/plugins/LRDD/lib/lrddmethod/hostmeta.php
+++ b/plugins/LRDD/lib/lrddmethod/hostmeta.php
@@ -1,4 +1,19 @@
 <?php
+// This file is part of GNU social - https://www.gnu.org/software/social
+//
+// GNU social is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// GNU social is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with GNU social.  If not, see <http://www.gnu.org/licenses/>.
+
 /**
  * Implementation of discovery using host-meta file
  *
@@ -6,11 +21,10 @@
  * organization's host-meta file and trying to find a template for LRDD.
  *
  * @category  Discovery
- * @package   StatusNet
+ * @package   GNUsocial
  * @author    James Walker <james@status.net>
  * @copyright 2010 StatusNet, Inc.
- * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
- * @link      http://status.net/
+ * @license   https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  */
 class LRDDMethod_HostMeta extends LRDDMethod
 {
@@ -26,12 +40,14 @@ class LRDDMethod_HostMeta extends LRDDMethod
         $scheme = mb_strtolower(parse_url($uri, PHP_URL_SCHEME));
         switch ($scheme) {
         case 'acct':
-            if (!Discovery::isAcct($uri)) {
-                throw new Exception('Bad resource URI: '.$uri);
-            }
             // We can't use parse_url data for this, since the 'host'
             // entry is only set if the scheme has '://' after it.
-            list($user, $domain) = explode('@', parse_url($uri, PHP_URL_PATH));
+            $parts = explode('@', parse_url($uri, PHP_URL_PATH), 2);
+
+            if (!Discovery::isAcct($uri) || count($parts) != 2) {
+                throw new Exception('Bad resource URI: ' . $uri);
+            }
+            [, $domain] = $parts;
             break;
         case 'http':
         case 'https':
diff --git a/plugins/LRDD/lib/lrddmethod/linkhtml.php b/plugins/LRDD/lib/lrddmethod/linkhtml.php
index 0d8ff5775a..789ce969a8 100644
--- a/plugins/LRDD/lib/lrddmethod/linkhtml.php
+++ b/plugins/LRDD/lib/lrddmethod/linkhtml.php
@@ -1,4 +1,19 @@
 <?php
+// This file is part of GNU social - https://www.gnu.org/software/social
+//
+// GNU social is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// GNU social is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with GNU social.  If not, see <http://www.gnu.org/licenses/>.
+
 /**
  * Implementation of discovery using HTML <link> element
  *
@@ -6,11 +21,10 @@
  * <link> elements in the HTML response.
  *
  * @category  Discovery
- * @package   StatusNet
+ * @package   GNUsocial
  * @author    James Walker <james@status.net>
  * @copyright 2010 StatusNet, Inc.
- * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
- * @link      http://status.net/
+ * @license   https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  */
 class LRDDMethod_LinkHTML extends LRDDMethod
 {
@@ -38,10 +52,14 @@ class LRDDMethod_LinkHTML extends LRDDMethod
      */
     public function parse($html)
     {
-        $links = array();
+        $links = [];
 
         preg_match('/<head(\s[^>]*)?>(.*?)<\/head>/is', $html, $head_matches);
-        $head_html = $head_matches[2];
+
+        if (count($head_matches) != 3) {
+            return [];
+        }
+        [,, $head_html] = $head_matches;
 
         preg_match_all('/<link\s[^>]*>/i', $head_html, $link_matches);
 
@@ -51,23 +69,23 @@ class LRDDMethod_LinkHTML extends LRDDMethod
             $link_type = null;
 
             preg_match('/\srel=(("|\')([^\\2]*?)\\2|[^"\'\s]+)/i', $link_html, $rel_matches);
-            if ( isset($rel_matches[3]) ) {
+            if (count($rel_matches) > 3) {
                 $link_rel = $rel_matches[3];
-            } else if ( isset($rel_matches[1]) ) {
+            } elseif (count($rel_matches) > 1) {
                 $link_rel = $rel_matches[1];
             }
 
             preg_match('/\shref=(("|\')([^\\2]*?)\\2|[^"\'\s]+)/i', $link_html, $href_matches);
-            if ( isset($href_matches[3]) ) {
+            if (count($href_matches) > 3) {
                 $link_uri = $href_matches[3];
-            } else if ( isset($href_matches[1]) ) {
+            } elseif (count($href_matches) > 1) {
                 $link_uri = $href_matches[1];
             }
 
             preg_match('/\stype=(("|\')([^\\2]*?)\\2|[^"\'\s]+)/i', $link_html, $type_matches);
-            if ( isset($type_matches[3]) ) {
+            if (count($type_matches) > 3) {
                 $link_type = $type_matches[3];
-            } else if ( isset($type_matches[1]) ) {
+            } elseif (count($type_matches) > 1) {
                 $link_type = $type_matches[1];
             }
 
diff --git a/plugins/LRDD/lib/lrddmethod/webfinger.php b/plugins/LRDD/lib/lrddmethod/webfinger.php
index 1712abec13..170ff55daa 100644
--- a/plugins/LRDD/lib/lrddmethod/webfinger.php
+++ b/plugins/LRDD/lib/lrddmethod/webfinger.php
@@ -1,13 +1,27 @@
 <?php
+// This file is part of GNU social - https://www.gnu.org/software/social
+//
+// GNU social is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// GNU social is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with GNU social.  If not, see <http://www.gnu.org/licenses/>.
+
 /**
  * Implementation of WebFinger resource discovery (RFC7033)
  *
  * @category  Discovery
  * @package   GNUsocial
  * @author    Mikael Nordfeldth <mmn@hethane.se>
- * @copyright 2013 Free Software Foundation, Inc.
- * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
- * @link      http://status.net/
+ * @copyright 2013 Free Software Foundation, Inc http://www.fsf.org
+ * @license   https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
  */
 class LRDDMethod_WebFinger extends LRDDMethod
 {
@@ -17,21 +31,24 @@ class LRDDMethod_WebFinger extends LRDDMethod
      */
     public function discover($uri)
     {
-        if (!Discovery::isAcct($uri)) {
-            throw new Exception('Bad resource URI: '.$uri);
+        $parts = explode('@', parse_url($uri, PHP_URL_PATH), 2);
+
+        if (!Discovery::isAcct($uri) || count($parts) != 2) {
+            throw new Exception('Bad resource URI: ' . $uri);
         }
-        list($user, $domain) = explode('@', parse_url($uri, PHP_URL_PATH));
+        [, $domain] = $parts;
         if (!filter_var($domain, FILTER_VALIDATE_IP)
-                && !filter_var(gethostbyname($domain), FILTER_VALIDATE_IP)) {
+            && !filter_var(gethostbyname($domain), FILTER_VALIDATE_IP)) {
             throw new Exception('Bad resource host.');
         }
 
         $link = new XML_XRD_Element_Link(
-                        Discovery::LRDD_REL,
-                        'https://' . $domain . '/.well-known/webfinger?resource={uri}',
-                        Discovery::JRD_MIMETYPE,
-                        true);  //isTemplate
+            Discovery::LRDD_REL,
+            'https://' . $domain . '/.well-known/webfinger?resource={uri}',
+            Discovery::JRD_MIMETYPE,
+            true // isTemplate
+        );
 
-        return array($link);
+        return [$link];
     }
 }