friendica
/
friendica
mirror of https://github.com/friendica/friendica
6
0
Fork 1
Code Issues Packages Projects Releases 1 Wiki Activity

Merge pull request #6176 from annando/ap-security 

AP: Security check against forged "create" activities
This commit is contained in:
Tobias Diekershoff 2018-11-21 18:10:45 +01:00 committed by GitHub
parent 2ef23300a3 27d1da0468
commit cf1c63fcc2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/Protocol/ActivityPub/Receiver.php
View File

@ -309,6 +309,16 @@ class Receiver
}
// Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
$actor = JsonLD::fetchElement($activity, 'as:actor');
$attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
$trust_source = ($actor == $attributed_to);
if (!$trust_source) {
Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG);
}
}
// $trust_source is called by reference and is set to true if the content was retrieved successfully
$object_data = self::prepareObjectData($activity, $uid, $trust_source);
if (empty($object_data)) {