Merge pull request #14018 from annando/content-type-check

Improved Content-Type check on incoming requests
Hypolite Petovan 2024-03-21 11:58:08 +00:00 committed by GitHub
commit f26f35f009
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 36 additions and 30 deletions


@ -2000,7 +2000,7 @@ CREATE TABLE IF NOT EXISTS `worker-ipc` (
-- VIEW application-view
--
DROP VIEW IF EXISTS `application-view`;
CREATE VIEW `application-view` AS SELECT
CREATE VIEW `application-view` AS SELECT
`application`.`id` AS `id`,
`application-token`.`uid` AS `uid`,
`application`.`name` AS `name`,
@ -2024,7 +2024,7 @@ CREATE VIEW `application-view` AS SELECT
-- VIEW circle-member-view
--
DROP VIEW IF EXISTS `circle-member-view`;
CREATE VIEW `circle-member-view` AS SELECT
CREATE VIEW `circle-member-view` AS SELECT
`group_member`.`id` AS `id`,
`group`.`uid` AS `uid`,
`group_member`.`contact-id` AS `contact-id`,
@ -2055,7 +2055,7 @@ CREATE VIEW `circle-member-view` AS SELECT
-- VIEW post-counts-view
--
DROP VIEW IF EXISTS `post-counts-view`;
CREATE VIEW `post-counts-view` AS SELECT
CREATE VIEW `post-counts-view` AS SELECT
`post-counts`.`uri-id` AS `uri-id`,
`post-counts`.`vid` AS `vid`,
`verb`.`name` AS `verb`,
@ -2069,7 +2069,7 @@ CREATE VIEW `post-counts-view` AS SELECT
-- VIEW post-timeline-view
--
DROP VIEW IF EXISTS `post-timeline-view`;
CREATE VIEW `post-timeline-view` AS SELECT
CREATE VIEW `post-timeline-view` AS SELECT
`post-user`.`uid` AS `uid`,
`post-user`.`uri-id` AS `uri-id`,
`post-user`.`gravity` AS `gravity`,
@ -2114,7 +2114,7 @@ CREATE VIEW `post-timeline-view` AS SELECT
-- VIEW post-searchindex-user-view
--
DROP VIEW IF EXISTS `post-searchindex-user-view`;
CREATE VIEW `post-searchindex-user-view` AS SELECT
CREATE VIEW `post-searchindex-user-view` AS SELECT
`post-thread-user`.`uid` AS `uid`,
`post-searchindex`.`uri-id` AS `uri-id`,
`post-searchindex`.`owner-id` AS `owner-id`,
@ -2146,7 +2146,7 @@ CREATE VIEW `post-searchindex-user-view` AS SELECT
-- VIEW post-user-view
--
DROP VIEW IF EXISTS `post-user-view`;
CREATE VIEW `post-user-view` AS SELECT
CREATE VIEW `post-user-view` AS SELECT
`post-user`.`id` AS `id`,
`post-user`.`id` AS `post-user-id`,
`post-user`.`uid` AS `uid`,
@ -2332,7 +2332,7 @@ CREATE VIEW `post-user-view` AS SELECT
-- VIEW post-thread-user-view
--
DROP VIEW IF EXISTS `post-thread-user-view`;
CREATE VIEW `post-thread-user-view` AS SELECT
CREATE VIEW `post-thread-user-view` AS SELECT
`post-user`.`id` AS `id`,
`post-user`.`id` AS `post-user-id`,
`post-thread-user`.`uid` AS `uid`,
@ -2516,7 +2516,7 @@ CREATE VIEW `post-thread-user-view` AS SELECT
-- VIEW post-view
--
DROP VIEW IF EXISTS `post-view`;
CREATE VIEW `post-view` AS SELECT
CREATE VIEW `post-view` AS SELECT
`item-uri`.`uri` AS `uri`,
`post`.`uri-id` AS `uri-id`,
`parent-item-uri`.`uri` AS `parent-uri`,
@ -2663,7 +2663,7 @@ CREATE VIEW `post-view` AS SELECT
-- VIEW post-thread-view
--
DROP VIEW IF EXISTS `post-thread-view`;
CREATE VIEW `post-thread-view` AS SELECT
CREATE VIEW `post-thread-view` AS SELECT
`item-uri`.`uri` AS `uri`,
`post-thread`.`uri-id` AS `uri-id`,
`parent-item-uri`.`uri` AS `parent-uri`,
@ -2811,7 +2811,7 @@ CREATE VIEW `post-thread-view` AS SELECT
-- VIEW category-view
--
DROP VIEW IF EXISTS `category-view`;
CREATE VIEW `category-view` AS SELECT
CREATE VIEW `category-view` AS SELECT
`post-category`.`uri-id` AS `uri-id`,
`post-category`.`uid` AS `uid`,
`post-category`.`type` AS `type`,
@ -2825,7 +2825,7 @@ CREATE VIEW `category-view` AS SELECT
-- VIEW collection-view
--
DROP VIEW IF EXISTS `collection-view`;
CREATE VIEW `collection-view` AS SELECT
CREATE VIEW `collection-view` AS SELECT
`post-collection`.`uri-id` AS `uri-id`,
`post-collection`.`type` AS `type`,
`post-collection`.`author-id` AS `cid`,
@ -2846,7 +2846,7 @@ CREATE VIEW `collection-view` AS SELECT
-- VIEW media-view
--
DROP VIEW IF EXISTS `media-view`;
CREATE VIEW `media-view` AS SELECT
CREATE VIEW `media-view` AS SELECT
`post-media`.`uri-id` AS `uri-id`,
`post-media`.`type` AS `type`,
`post`.`received` AS `received`,
@ -2864,7 +2864,7 @@ CREATE VIEW `media-view` AS SELECT
-- VIEW tag-view
--
DROP VIEW IF EXISTS `tag-view`;
CREATE VIEW `tag-view` AS SELECT
CREATE VIEW `tag-view` AS SELECT
`post-tag`.`uri-id` AS `uri-id`,
`post-tag`.`type` AS `type`,
`post-tag`.`tid` AS `tid`,
@ -2880,7 +2880,7 @@ CREATE VIEW `tag-view` AS SELECT
-- VIEW network-item-view
--
DROP VIEW IF EXISTS `network-item-view`;
CREATE VIEW `network-item-view` AS SELECT
CREATE VIEW `network-item-view` AS SELECT
`post-user`.`uri-id` AS `uri-id`,
`post-thread-user`.`post-user-id` AS `parent`,
`post-user`.`received` AS `received`,
@ -2910,7 +2910,7 @@ CREATE VIEW `network-item-view` AS SELECT
-- VIEW network-thread-view
--
DROP VIEW IF EXISTS `network-thread-view`;
CREATE VIEW `network-thread-view` AS SELECT
CREATE VIEW `network-thread-view` AS SELECT
`post-thread-user`.`uri-id` AS `uri-id`,
`post-thread-user`.`post-user-id` AS `parent`,
`post-thread-user`.`received` AS `received`,
@ -2938,7 +2938,7 @@ CREATE VIEW `network-thread-view` AS SELECT
-- VIEW owner-view
--
DROP VIEW IF EXISTS `owner-view`;
CREATE VIEW `owner-view` AS SELECT
CREATE VIEW `owner-view` AS SELECT
`contact`.`id` AS `id`,
`contact`.`uid` AS `uid`,
`contact`.`created` AS `created`,
@ -3066,7 +3066,7 @@ CREATE VIEW `owner-view` AS SELECT
-- VIEW account-view
--
DROP VIEW IF EXISTS `account-view`;
CREATE VIEW `account-view` AS SELECT
CREATE VIEW `account-view` AS SELECT
`contact`.`id` AS `id`,
`contact`.`url` AS `url`,
`contact`.`nurl` AS `nurl`,
@ -3154,7 +3154,7 @@ CREATE VIEW `account-view` AS SELECT
-- VIEW account-user-view
--
DROP VIEW IF EXISTS `account-user-view`;
CREATE VIEW `account-user-view` AS SELECT
CREATE VIEW `account-user-view` AS SELECT
`ucontact`.`id` AS `id`,
`contact`.`id` AS `pid`,
`ucontact`.`uid` AS `uid`,
@ -3260,7 +3260,7 @@ CREATE VIEW `account-user-view` AS SELECT
-- VIEW pending-view
--
DROP VIEW IF EXISTS `pending-view`;
CREATE VIEW `pending-view` AS SELECT
CREATE VIEW `pending-view` AS SELECT
`register`.`id` AS `id`,
`register`.`hash` AS `hash`,
`register`.`created` AS `created`,
@ -3282,7 +3282,7 @@ CREATE VIEW `pending-view` AS SELECT
-- VIEW tag-search-view
--
DROP VIEW IF EXISTS `tag-search-view`;
CREATE VIEW `tag-search-view` AS SELECT
CREATE VIEW `tag-search-view` AS SELECT
`post-tag`.`uri-id` AS `uri-id`,
`post-user`.`uid` AS `uid`,
`post-user`.`id` AS `iid`,
@ -3304,7 +3304,7 @@ CREATE VIEW `tag-search-view` AS SELECT
-- VIEW workerqueue-view
--
DROP VIEW IF EXISTS `workerqueue-view`;
CREATE VIEW `workerqueue-view` AS SELECT
CREATE VIEW `workerqueue-view` AS SELECT
`process`.`pid` AS `pid`,
`workerqueue`.`priority` AS `priority`
FROM `process`
@ -3315,7 +3315,7 @@ CREATE VIEW `workerqueue-view` AS SELECT
-- VIEW profile_field-view
--
DROP VIEW IF EXISTS `profile_field-view`;
CREATE VIEW `profile_field-view` AS SELECT
CREATE VIEW `profile_field-view` AS SELECT
`profile_field`.`id` AS `id`,
`profile_field`.`uid` AS `uid`,
`profile_field`.`label` AS `label`,
@ -3335,7 +3335,7 @@ CREATE VIEW `profile_field-view` AS SELECT
-- VIEW diaspora-contact-view
--
DROP VIEW IF EXISTS `diaspora-contact-view`;
CREATE VIEW `diaspora-contact-view` AS SELECT
CREATE VIEW `diaspora-contact-view` AS SELECT
`diaspora-contact`.`uri-id` AS `uri-id`,
`item-uri`.`uri` AS `url`,
`item-uri`.`guid` AS `guid`,


@ -77,6 +77,11 @@ class Inbox extends BaseApi
throw new \Friendica\Network\HTTPException\BadRequestException();
}
if (!HTTPSignature::isValidContentType($this->server['CONTENT_TYPE'] ?? '')) {
Logger::notice('Unexpected content type', ['content-type' => $this->server['CONTENT_TYPE'] ?? '', 'agent' => $this->server['HTTP_USER_AGENT'] ?? '']);
throw new \Friendica\Network\HTTPException\UnsupportedMediaTypeException();
}
if (DI::config()->get('debug', 'ap_inbox_log')) {
if (HTTPSignature::getSigner($postdata, $_SERVER)) {
$filename = 'signed-activitypub';
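Review bot: The new guard reads the header through `$this->server['CONTENT_TYPE']`, while the unchanged call two lines below still passes the `$_SERVER` superglobal to `HTTPSignature::getSigner($postdata, $_SERVER)`; if `$this->server` is ever populated from something other than `$_SERVER` (a test double, for instance), the content type that was validated and the headers that are signature-checked can diverge. Prefer one source for the whole method, e.g. `HTTPSignature::getSigner($postdata, $this->server)`, or note in a comment why both are in use. The accepted media types are decided inside `isValidContentType`, which is not in this diff, so a short comment above the check stating what it admits (and that it is a cheap pre-filter, not a substitute for the signature verification further down) would help the next reader; `-- accepts only the ActivityPub/JSON-LD types, see HTTPSignature::isValidContentType; the signature is still verified below`. The enclosing method begins before this hunk.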


@ -95,16 +95,17 @@ class ActivityPub
public static function isRequest(): bool
{
header('Vary: Accept', false);
$isrequest = stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/activity+json') ||
stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json') ||
stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/ld+json');
if ($isrequest) {
if (stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/activity+json') || stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/ld+json')) {
Logger::debug('Is AP request', ['accept' => $_SERVER['HTTP_ACCEPT'], 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '']);
return true;
}
return $isrequest;
if (stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json')) {
Logger::debug('Is JSON request', ['accept' => $_SERVER['HTTP_ACCEPT'], 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '']);
return true;
}
return false;
}
private static function getAccountType(array $apcontact): int
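Review bot: The rewritten `isRequest` evaluates `$_SERVER['HTTP_ACCEPT'] ?? ''` four times across the two conditions, and the two `Logger::debug` calls then read `$_SERVER['HTTP_ACCEPT']` again without the `?? ''` fallback; the missing fallback is harmless only because `stristr('', ...)` is false and the log lines are unreachable when the header is absent, which a reader has to work out. Hoisting the header once — `$accept = $_SERVER['HTTP_ACCEPT'] ?? '';` at the top of the method, `stristr($accept, ...)` in both conditions and `'accept' => $accept` in both log calls — makes the null-safety explicit and shortens both `if` lines. Since the method still returns true for `application/json` exactly as before and only the log message differs between the two branches, the docblock (outside this hunk) should say that plain JSON requests are also treated as ActivityPub requests, as the function name alone suggests otherwise. The method body is fully contained in this hunk.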