
commit 7883dd54998f351e2f59d1e8e4238eb906f79ade
parent af97d6bb7e13616e70f8f4ce616a9072854a01a9
Author: tobi <31960611+tsmethurst@users.noreply.github.com>
Date:   Sat, 16 Apr 2022 13:09:42 +0200

[bugfix] Convert IDNs to punycode before using as session name (#458)

* convert hostname to punycode for session name

* test punycode
Diffstat:
Minternal/router/session.go | 10+++++++++-
Minternal/router/session_test.go | 9+++++++++
2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/internal/router/session.go b/internal/router/session.go
@@ -31,6 +31,7 @@ import (
 "github.com/spf13/viper"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/db"
+ "golang.org/x/net/idna"
 )

 // SessionOptions returns the standard set of options to use for each session.
@@ -61,7 +62,14 @@ func SessionName() (string, error) {
 return "", fmt.Errorf("could not derive hostname without port from %s://%s", protocol, host)
 }

- return fmt.Sprintf("gotosocial-%s", strippedHostname), nil
+ // make sure IDNs are converted to punycode or the cookie library breaks:
+ // see https://en.wikipedia.org/wiki/Punycode
+ punyHostname, err := idna.New().ToASCII(strippedHostname)
+ if err != nil {
+ return "", fmt.Errorf("could not convert %s to punycode: %s", strippedHostname, err)
+ }
+
+ return fmt.Sprintf("gotosocial-%s", punyHostname), nil
 }

 func useSession(ctx context.Context, sessionDB db.Session, engine *gin.Engine) error {
diff --git a/internal/router/session_test.go b/internal/router/session_test.go
@@ -82,6 +82,15 @@ func (suite *SessionTestSuite) TestDeriveSessionOK() {
 suite.Equal("gotosocial-example.org", sessionName)
 }

+func (suite *SessionTestSuite) TestDeriveSessionIDNOK() {
+ viper.Set(config.Keys.Protocol, "https")
+ viper.Set(config.Keys.Host, "fóid.org")
+
+ sessionName, err := router.SessionName()
+ suite.NoError(err)
+ suite.Equal("gotosocial-xn--fid-gna.org", sessionName)
+}
+
 func TestSessionTestSuite(t *testing.T) {
 suite.Run(t, &SessionTestSuite{})
 }
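Review bot: `idna.New()` with no options, as called in SessionName, is the most permissive profile (equivalent to `idna.Punycode`), so the hostname is punycode-encoded with no case mapping and almost no label validation. A host configured with different casing would therefore produce a different session cookie name, and any ASCII character that survives the earlier hostname stripping (not visible in this hunk) reaches the cookie name unchecked. Using the lookup profile, `punyHostname, err := idna.Lookup.ToASCII(strippedHostname)`, normalises case and rejects invalid labels, which also makes the new error branch reachable. The error should be wrapped rather than flattened: `fmt.Errorf("could not convert %q to punycode: %w", strippedHostname, err)`. SessionName's body starts outside the hunk.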