From 79c5696cb46abb110966f7db1bf2d55dbc63bb1d Mon Sep 17 00:00:00 2001
From: Ben Morrison
Date: Fri, 14 Jun 2019 00:31:17 -0400
Subject: prevent potential ddos via circular registry POST
---
 svc/post.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/svc/post.go b/svc/post.go
index 34ae92f..46032b9 100644
--- a/svc/post.go
+++ b/svc/post.go
@@ -3,6 +3,7 @@ package svc // import "github.com/getwtxt/getwtxt/svc"
 import (
 "fmt"
 "net/http"
+ "strings"
 "github.com/getwtxt/registry"
 )
@@ -35,6 +36,10 @@ func apiPostUser(w http.ResponseWriter, r *http.Request) {
 switch remoteRegistry {
 case true:
+ if strings.Contains(urls, confObj.Instance.URL) {
+ errHTTP(w, r, fmt.Errorf("can't submit this registry to itself"), http.StatusBadRequest)
+ break
+ }
 remoteRegistries.List = append(remoteRegistries.List, urls)
 if err := twtxtCache.CrawlRemoteRegistry(urls); err != nil {
@@ -49,7 +54,7 @@ func apiPostUser(w http.ResponseWriter, r *http.Request) {
 if err := twtxtCache.AddUser(nick, urls, "", uip, statuses); err != nil {
 errHTTP(w, r, fmt.Errorf("error adding user to cache: %v", err.Error()), http.StatusBadRequest)
- return
+ break
 }
 _, err = w.Write([]byte(fmt.Sprintf("200 OK\n")))
--
cgit 1.4.1-2-gfad0
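Review bot: The self-submission guard added under `case true:` in the `@@ -35,6 +36,10 @@` hunk is a raw substring test, `strings.Contains(urls, confObj.Instance.URL)`, so it only recognises this instance when the submitted URL contains the configured string exactly as written. A differently spelled but equivalent address is not matched, a legitimate registry whose URL merely embeds the configured string is rejected, and if `confObj.Instance.URL` is ever empty the test is true for every input, so every remote-registry POST gets a 400. Assuming both values are full URLs, parsing them with `net/url` and comparing hosts, e.g. `strings.EqualFold(target.Hostname(), self.Hostname())`, behind a non-empty check on the configured value, would be tighter. The guard also covers only direct self-reference; a loop through a second registry would need a bound inside the crawl itself, which is outside this hunk.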
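Review bot: Replacing `return` with `break` in the `AddUser` error branch of the `@@ -49,7 +54,7 @@` hunk means the handler no longer stops once `errHTTP` has answered the request, because `break` only leaves the `switch` and whatever follows it in `apiPostUser` still runs. That code is outside the hunk, so confirm that it neither writes to `w` again nor records the request as successful; if it does, keep `return` here. The same applies to the `break` in the new self-submission check in the previous hunk. If the fall-through is deliberate, a comment such as `// break, not return: shared post-switch handling must still run` would make the intent clear.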