don't retry with www.{host}, as it's a minor security issue

If www.{host} gets compromised (e.g. through a bad WordPress plugin), the compromise could spread
to the Matrix server running on a different host.
Bruno Windels 2021-08-23 20:05:42 +02:00
parent 160ae0b767
commit d1412e1f42


@ -22,40 +22,22 @@ function normalizeHomeserver(homeserver) {
} }
} }
function getRetryHomeserver(homeserver) {
const url = new URL(homeserver);
const {host} = url;
const dotCount = host.split(".").length - 1;
if (dotCount === 1) {
url.host = `www.${host}`;
return url.origin;
}
}
async function getWellKnownResponse(homeserver, request) { async function getWellKnownResponse(homeserver, request) {
const requestOptions = {format: "json", timeout: 30000, method: "GET"}; const requestOptions = {format: "json", timeout: 30000, method: "GET"};
let wellKnownResponse = null;
while (!wellKnownResponse) {
try { try {
const wellKnownUrl = `${homeserver}/.well-known/matrix/client`; const wellKnownUrl = `${homeserver}/.well-known/matrix/client`;
return await request(wellKnownUrl, requestOptions).response(); return await request(wellKnownUrl, requestOptions).response();
} catch (err) { } catch (err) {
if (err.name === "ConnectionError") { if (err.name === "ConnectionError") {
const retryHS = getRetryHomeserver(homeserver);
if (retryHS) {
homeserver = retryHS;
} else {
// don't fail lookup on a ConnectionError, // don't fail lookup on a ConnectionError,
// there might be a missing CORS header on a 404 response or something, // there might be a missing CORS header on a 404 response or something,
// which won't be a problem necessarily with homeserver requests later on ... // which won't be a problem necessarily with homeserver requests later on ...
return null; return null;
}
} else { } else {
throw err; throw err;
} }
} }
} }
}
export async function lookupHomeserver(homeserver, request) { export async function lookupHomeserver(homeserver, request) {
homeserver = normalizeHomeserver(homeserver); homeserver = normalizeHomeserver(homeserver);