
Fix bug: The subject of the host-meta file may not be checked. Prepar…

…e 0.2.1
1 parent aaf7af2 commit f7cb403bcbc2293452940e35021a33ebe15c67cf @cweiske cweiske committed Mar 3, 2012
Showing with 31 additions and 4 deletions.
  1. +19 −3 package.xml
  2. +12 −1 src/Net/WebFinger.php
22 package.xml
@@ -27,10 +27,10 @@ OStatus and Salmon URLs.
<active>yes</active>
</lead>
- <date>2012-02-12</date>
+ <date>2012-03-03</date>
<version>
- <release>0.2.0</release>
+ <release>0.2.1</release>
<api>0.2.0</api>
</version>
<stability>
@@ -40,7 +40,7 @@ OStatus and Salmon URLs.
<license uri="http://www.gnu.org/licenses/lgpl.html">LGPL</license>
<notes>
- foreach() iteration for links
+ The subject of the host-meta file may not be checked.
</notes>
<contents>
@@ -109,6 +109,22 @@ OStatus and Salmon URLs.
<release>
<version>
+ <release>0.2.1</release>
+ <api>0.2.0</api>
+ </version>
+ <stability>
+ <release>alpha</release>
+ <api>alpha</api>
+ </stability>
+ <date>2012-03-03</date>
+ <license uri="http://www.gnu.org/licenses/lgpl.html">LGPL</license>
+ <notes>
+ The subject of the host-meta file may not be checked.
+ </notes>
+ </release>
+
+ <release>
+ <version>
<release>0.2.0</release>
<api>0.2.0</api>
</version>
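--- a/src/Net/WebFinger.php
+++ b/src/Net/WebFinger.php
@@ -167,11 +167,23 @@ protected function loadHostMetaCached(Net_WebFinger_Reaction $react, $host)
 */
 protected function loadHostMeta(Net_WebFinger_Reaction $react, $host)
 {
+ /**
+ * HTTPS is secure.
+ * xrd->describes() may not be used because the host-meta should not
+ * have a subject at all: http://tools.ietf.org/html/rfc6415#section-3.1
+ * > The document SHOULD NOT include a "Subject" element, as at this
+ * > time no URI is available to identify hosts.
+ * > The use of the "Alias" element in host-meta is undefined and
+ * > NOT RECOMMENDED.
+ */
+ $react->secure = true;
+
 $xrd = $this->loadXrd('https://' . $host . '/.well-known/host-meta', $react);
 if (!$xrd) {
 $xrd = $this->loadXrd(
 'http://' . $host . '/.well-known/host-meta', $react
 );
+ //no https, so not secure
 //TODO: XML signature verification once supported by XML_XRD
 $react->secure = false;
 if (!$xrd) {
@@ -184,7 +196,6 @@ protected function loadHostMeta(Net_WebFinger_Reaction $react, $host)
 }
 }
 $react->hostMetaXrd = $xrd;
- $react->secure = (bool)($react->secure & $xrd->describes($host));
 return true;
 }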
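Review bot: With the `$xrd->describes($host)` check dropped from the end of loadHostMeta, `$react->secure = true` near the top now rests on the HTTPS fetch alone, so it only holds if `loadXrd()` validates the server certificate against `$host` and does not follow a redirect to an `http://` URL; neither is visible in this diff. The new comment's first line, "HTTPS is secure.", should state that condition, for example `* Trust comes from the TLS transport only: loadXrd() must verify the peer certificate and host name.`, and a plain `/* … */` block fits better here, since documentation tools read `/** … */` as a docblock for a declaration. A test that serves host-meta over HTTPS with a certificate that does not match the host and asserts that `secure` is not left true would pin this down. The part of the function body between the two hunks is not shown, so this is based on the visible lines only.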
