author | Ben Morrison <ben@gbmor.dev> | 2019-06-14 00:31:17 -0400 |
---|---|---|
committer | Ben Morrison <ben@gbmor.dev> | 2019-06-14 00:31:23 -0400 |
commit | 79c5696cb46abb110966f7db1bf2d55dbc63bb1d (patch) | |
tree | 01c951be5921316c2de8382e4ff5527dc4d6da99 | |
parent | 1e0e919565dbd23e423fe9055a755a55bf971efb (diff) | |
download | getwtxt-0.4.2.tar.gz |
prevent potential ddos via circular registry POST v0.4.2
-rw-r--r-- | svc/post.go | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/svc/post.go b/svc/post.go
index 34ae92f..46032b9 100644
--- a/svc/post.go
+++ b/svc/post.go
@@ -3,6 +3,7 @@ package svc // import "github.com/getwtxt/getwtxt/svc"
 import (
 "fmt"
 "net/http"
+ "strings"
 
 "github.com/getwtxt/registry"
 )
@@ -35,6 +36,10 @@ func apiPostUser(w http.ResponseWriter, r *http.Request) {
 
 switch remoteRegistry {
 case true:
+ if strings.Contains(urls, confObj.Instance.URL) {
+ errHTTP(w, r, fmt.Errorf("can't submit this registry to itself"), http.StatusBadRequest)
+ break
+ }
 remoteRegistries.List = append(remoteRegistries.List, urls)
 
 if err := twtxtCache.CrawlRemoteRegistry(urls); err != nil {
@@ -49,7 +54,7 @@ func apiPostUser(w http.ResponseWriter, r *http.Request) {
 
 if err := twtxtCache.AddUser(nick, urls, "", uip, statuses); err != nil {
 errHTTP(w, r, fmt.Errorf("error adding user to cache: %v", err.Error()), http.StatusBadRequest)
- return
+ break
 }
 
 _, err = w.Write([]byte(fmt.Sprintf("200 OK\n"))) |
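Review bot: The self-submission guard added under `case true:` is a raw substring test, so it misfires in both directions. If `confObj.Instance.URL` is empty, `strings.Contains` is true for every input and every remote-registry submission is rejected; `if confObj.Instance.URL != "" && strings.Contains(urls, confObj.Instance.URL) {` closes that. It also rejects any URL that merely embeds the instance URL in a path or query, and it cannot recognise the same registry under another spelling of its address or a loop that passes through a second registry. Comparing parsed hostnames and bounding the crawl itself (presumably inside `CrawlRemoteRegistry`, which is not shown) would be the durable control. `apiPostUser` starts and ends outside this hunk.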
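Review bot: Replacing `return` with `break` after the `AddUser` failure means the handler no longer stops once `errHTTP` has sent the 400. `break` only leaves the enclosing `switch`, and the same holds for the `break` added in the self-submission check of the previous hunk. The code after the switch lies outside this diff, so whether it writes to `w` again or records the request as successful cannot be confirmed here. If continuing past the switch is intended, a comment on the line such as `break // leave the switch; the code after it must still run` would document that; otherwise `return` should stay.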