From 5c39779b45005c12962e7e92d3428efd187f279c Mon Sep 17 00:00:00 2001 From: Michael Date: Tue, 20 Nov 2018 20:40:47 +0000 Subject: [PATCH 1/2] AP: Security check against forged "create" activities --- src/Protocol/ActivityPub/Receiver.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php index 686ac8be3..a101c5335 100644 --- a/src/Protocol/ActivityPub/Receiver.php +++ b/src/Protocol/ActivityPub/Receiver.php @@ -309,6 +309,16 @@ class Receiver } + // Don't trust the source if "actor" differs from "attributedTo". The content could be forged. + if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) { + $actor = JsonLD::fetchElement($activity, 'as:actor'); + $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo'); + $trust_source = ($actor == $attributed_to); + if (!$trust_source) { + Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG); + } + } + // $trust_source is called by reference and is set to true if the content was retrieved successfully $object_data = self::prepareObjectData($activity, $uid, $trust_source); if (empty($object_data)) { From 27d1da04689243c7b18cddf98ee0e9d67930f08f Mon Sep 17 00:00:00 2001 From: Michael Date: Tue, 20 Nov 2018 20:49:06 +0000 Subject: [PATCH 2/2] One space too much --- src/Protocol/ActivityPub/Receiver.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php index a101c5335..c074e49f6 100644 --- a/src/Protocol/ActivityPub/Receiver.php +++ b/src/Protocol/ActivityPub/Receiver.php @@ -315,7 +315,7 @@ class Receiver $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo'); $trust_source = ($actor == $attributed_to); if (!$trust_source) { - Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG); + Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG); } }