From 5c39779b45005c12962e7e92d3428efd187f279c Mon Sep 17 00:00:00 2001 From: Michael Date: Tue, 20 Nov 2018 20:40:47 +0000 Subject: [PATCH] AP: Security check against forged "create" activities --- src/Protocol/ActivityPub/Receiver.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php index 686ac8be3..a101c5335 100644 --- a/src/Protocol/ActivityPub/Receiver.php +++ b/src/Protocol/ActivityPub/Receiver.php @@ -309,6 +309,16 @@ class Receiver } + // Don't trust the source if "actor" differs from "attributedTo". The content could be forged. + if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) { + $actor = JsonLD::fetchElement($activity, 'as:actor'); + $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo'); + $trust_source = ($actor == $attributed_to); + if (!$trust_source) { + Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG); + } + } + // $trust_source is called by reference and is set to true if the content was retrieved successfully $object_data = self::prepareObjectData($activity, $uid, $trust_source); if (empty($object_data)) {