Enforce https before indieauth parsing. For #2492

This commit is contained in:
Gabe Kangas 2022-12-23 20:50:12 -08:00
parent 87eeeffa1c
commit 3894f410d2
No known key found for this signature in database
GPG Key ID: 4345B2060657F330

View File

@ -74,6 +74,10 @@ func getAuthEndpointFromURL(urlstring string) (*url.URL, error) {
return nil, errors.Wrap(err, "unable to parse URL")
}
if htmlDocScrapeURL.Scheme != "https" {
return nil, fmt.Errorf("url must be https")
}
r, err := http.Get(htmlDocScrapeURL.String()) // nolint:gosec
if err != nil {
return nil, err