From 4b697ba9092035cd4ab107805a38396c7de6ca9d Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 25 Apr 2014 21:21:00 -0400
Subject: [PATCH] webfinger checks host on acct: URIs, closes #404

---
 .../org/mitre/discovery/web/DiscoveryEndpoint.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java b/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java
index 057eef85e..87a2218f5 100644
--- a/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java
@@ -38,8 +38,10 @@ import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import com.google.common.base.Function;
+import com.google.common.base.Strings;
 import com.google.common.collect.Collections2;
 import com.google.common.collect.Lists;
 import com.nimbusds.jose.Algorithm;
@@ -105,8 +107,16 @@ public class DiscoveryEndpoint {
 model.addAttribute("code", HttpStatus.NOT_FOUND);
 return "httpCodeView";
 }
- // TODO: check the "host" part against our issuer
+ UriComponents issuerComponents = UriComponentsBuilder.fromHttpUrl(config.getIssuer()).build();
+ if (!Strings.nullToEmpty(issuerComponents.getHost())
+ .equals(Strings.nullToEmpty(resourceUri.getHost()))) {
+ logger.info("Host mismatch, expected " + issuerComponents.getHost() + " got " + resourceUri.getHost());
+ model.addAttribute("code", HttpStatus.NOT_FOUND);
+ return "httpCodeView";
+ }
+
+ } else {
 logger.info("Unknown URI format: " + resource);
 model.addAttribute("code", HttpStatus.NOT_FOUND);