Merge pull request #14018 from annando/content-type-check

Improved Content-Type check on incoming requests

src/Module/ActivityPub/Inbox.php

@@ -77,6 +77,11 @@ class Inbox extends BaseApi
 			throw new \Friendica\Network\HTTPException\BadRequestException();
 		}
 
+		if (!HTTPSignature::isValidContentType($this->server['CONTENT_TYPE'] ?? '')) {
+			Logger::notice('Unexpected content type', ['content-type' => $this->server['CONTENT_TYPE'] ?? '', 'agent' => $this->server['HTTP_USER_AGENT'] ?? '']);
+			throw new \Friendica\Network\HTTPException\UnsupportedMediaTypeException();
+		}
+
 		if (DI::config()->get('debug', 'ap_inbox_log')) {
 			if (HTTPSignature::getSigner($postdata, $_SERVER)) {
 				$filename = 'signed-activitypub';

src/Protocol/ActivityPub.php

@@ -95,16 +95,17 @@ class ActivityPub
 	public static function isRequest(): bool
 	{
 		header('Vary: Accept', false);
-
-		$isrequest = stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/activity+json') ||
-			stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json') ||
-			stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/ld+json');
-
-		if ($isrequest) {
+		if (stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/activity+json') || stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/ld+json')) {
 			Logger::debug('Is AP request', ['accept' => $_SERVER['HTTP_ACCEPT'], 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '']);
+			return true;
 		}
 
-		return $isrequest;
+		if (stristr($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json')) {
+			Logger::debug('Is JSON request', ['accept' => $_SERVER['HTTP_ACCEPT'], 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '']);
+			return true;
+		}
+
+		return false;
 	}
 
 	private static function getAccountType(array $apcontact): int