Loading CHANGES.md +4 −0 Original line number Diff line number Diff line Loading @@ -98,6 +98,10 @@ To be released. - Removed `verify()` function. - Removed `VerifyOptions` interface. - Fixed a bug where the `lookupWebFinger()` function had incorrectly queried if the given `resource` was a URL starts with `http:` or had a non-default port number. - Fixed a SSRF vulnerability in the built-in document loader. [[CVE-2024-39687]] Loading src/webfinger/lookup.ts +4 −2 Original line number Diff line number Diff line Loading @@ -13,6 +13,7 @@ export async function lookupWebFinger( resource: URL | string, ): Promise<ResourceDescriptor | null> { if (typeof resource === "string") resource = new URL(resource); let protocol = "https:"; let server: string; if (resource.protocol === "acct:") { const atPos = resource.pathname.lastIndexOf("@"); Loading @@ -20,9 +21,10 @@ export async function lookupWebFinger( server = resource.pathname.substring(atPos + 1); if (server === "") return null; } else { server = resource.hostname; protocol = resource.protocol; server = resource.host; } let url = new URL(`https://${server}/.well-known/webfinger`); let url = new URL(`${protocol}//${server}/.well-known/webfinger`); url.searchParams.set("resource", resource.href); while (true) { logger.debug( Loading Loading
CHANGES.md +4 −0 Original line number Diff line number Diff line Loading @@ -98,6 +98,10 @@ To be released. - Removed `verify()` function. - Removed `VerifyOptions` interface. - Fixed a bug where the `lookupWebFinger()` function had incorrectly queried if the given `resource` was a URL starts with `http:` or had a non-default port number. - Fixed a SSRF vulnerability in the built-in document loader. [[CVE-2024-39687]] Loading
src/webfinger/lookup.ts +4 −2 Original line number Diff line number Diff line Loading @@ -13,6 +13,7 @@ export async function lookupWebFinger( resource: URL | string, ): Promise<ResourceDescriptor | null> { if (typeof resource === "string") resource = new URL(resource); let protocol = "https:"; let server: string; if (resource.protocol === "acct:") { const atPos = resource.pathname.lastIndexOf("@"); Loading @@ -20,9 +21,10 @@ export async function lookupWebFinger( server = resource.pathname.substring(atPos + 1); if (server === "") return null; } else { server = resource.hostname; protocol = resource.protocol; server = resource.host; } let url = new URL(`https://${server}/.well-known/webfinger`); let url = new URL(`${protocol}//${server}/.well-known/webfinger`); url.searchParams.set("resource", resource.href); while (true) { logger.debug( Loading
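Review bot: `protocol = resource.protocol;` in the `else` branch copies whatever scheme the caller supplied straight into the request URL with no check, so a non-HTTP resource (a `mailto:` or `data:` URL, for example) yields a `.well-known/webfinger` URL under that scheme instead of the `null` that the `acct:` branch returns for an unusable server. Adding `if (protocol !== "http:" && protocol !== "https:") return null;` immediately after that assignment keeps the "return null on unusable input" contract consistent across both branches and confines the fetch loop below to the two schemes WebFinger is defined for. For the same reason the `if (server === "") return null;` guard that only the `acct:` arm has could be moved after the `if`/`else` so an empty `resource.host` is rejected too. The function body continues past the hunk (the `while (true)` loop), so this is inferred from the lines shown.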