From cf1f84993b984051581b2b76be0a0cc595378354 Mon Sep 17 00:00:00 2001
From: Nutomic
Date: Mon, 6 May 2024 11:09:23 +0200
Subject: [PATCH] Make response content-type check case insensitive (#111)
* Make response content-type check case insensitive
For wordpress compat
* cleaner
* clippy
* fmt
* fmt
---
 src/fetch/mod.rs | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/fetch/mod.rs b/src/fetch/mod.rs
index 4d563b6..67165a9 100644
--- a/src/fetch/mod.rs
+++ b/src/fetch/mod.rs
@@ -53,19 +53,21 @@ pub async fn fetch_object_http(
 url: &Url,
 data: &Data,
 ) -> Result, Error> {
- static CONTENT_TYPE: HeaderValue = HeaderValue::from_static(FEDERATION_CONTENT_TYPE);
- static ALT_CONTENT_TYPE: HeaderValue = HeaderValue::from_static(
- r#"application/ld+json; profile="https://www.w3.org/ns/activitystreams""#,
- );
- static ALT_CONTENT_TYPE_MASTODON: HeaderValue =
- HeaderValue::from_static(r#"application/activity+json; charset=utf-8"#);
- let res = fetch_object_http_with_accept(url, data, &CONTENT_TYPE).await?;
+ static FETCH_CONTENT_TYPE: HeaderValue = HeaderValue::from_static(FEDERATION_CONTENT_TYPE);
+ const VALID_RESPONSE_CONTENT_TYPES: [&str; 3] = [
+ FEDERATION_CONTENT_TYPE, // lemmy
+ r#"application/ld+json; profile="https://www.w3.org/ns/activitystreams""#, // activitypub standard
+ r#"application/activity+json; charset=utf-8"#, // mastodon
+ ];
+ let res = fetch_object_http_with_accept(url, data, &FETCH_CONTENT_TYPE).await?;

- // Ensure correct content-type to prevent vulnerabilities.
- if res.content_type.as_ref() != Some(&CONTENT_TYPE)
- && res.content_type.as_ref() != Some(&ALT_CONTENT_TYPE)
- && res.content_type.as_ref() != Some(&ALT_CONTENT_TYPE_MASTODON)
- {
+ // Ensure correct content-type to prevent vulnerabilities, with case insensitive comparison.
+ let content_type = res
+ .content_type
+ .as_ref()
+ .and_then(|c| c.to_str().ok())
+ .ok_or(Error::FetchInvalidContentType(res.url.clone()))?;
+ if !VALID_RESPONSE_CONTENT_TYPES.contains(&content_type) {
 return Err(Error::FetchInvalidContentType(res.url));
 }
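Review bot: The new check is still case-sensitive: `VALID_RESPONSE_CONTENT_TYPES.contains(&content_type)` compares the `&str` values for exact equality, so a header such as `Application/Activity+JSON; charset=utf-8` is rejected exactly as before, contrary to the commit title and the updated comment. Keeping the allow-list but comparing with `if !VALID_RESPONSE_CONTENT_TYPES.iter().any(|v| v.eq_ignore_ascii_case(content_type)) {` gives the stated behaviour without loosening the gate to prefix or substring matches, which matters because this check is what keeps arbitrary non-ActivityPub responses from being deserialized as federation objects. Whole-string matching also still rejects spacing or parameter variants (for example no space after the `;`), so if those need to be accepted it is safer to parse the media type and its parameters separately than to keep adding literals. Separately, `ok_or(Error::FetchInvalidContentType(res.url.clone()))` clones the URL on the success path as well; `ok_or_else(|| Error::FetchInvalidContentType(res.url.clone()))` avoids that. The body of `fetch_object_http` continues outside the hunk.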