From a3c323b366e58c154e5a43f56d85412762e0ac83 Mon Sep 17 00:00:00 2001 From: Michael Date: Wed, 26 May 2021 20:52:39 +0000 Subject: [PATCH 1/2] Issue 10262: Don't accept BCC posts from non followers --- src/Protocol/ActivityPub/Processor.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/Protocol/ActivityPub/Processor.php b/src/Protocol/ActivityPub/Processor.php index ecbecb9551..aba285c180 100644 --- a/src/Protocol/ActivityPub/Processor.php +++ b/src/Protocol/ActivityPub/Processor.php @@ -602,6 +602,12 @@ class Processor continue; } + if (!$item['isForum'] && ($receiver != 0) && ($item['gravity'] == GRAVITY_PARENT) && + ($item['post-reason'] == Item::PR_BCC) && !Contact::isSharingByURL($activity['author'], $receiver)) { + Logger::info('Top level post via BCC from a non follower, ignoring', ['uid' => $receiver, 'contact' => $item['contact-id']]); + continue; + } + if (DI::pConfig()->get($receiver, 'system', 'accept_only_sharer', false) && ($receiver != 0) && ($item['gravity'] == GRAVITY_PARENT)) { $skip = !Contact::isSharingByURL($activity['author'], $receiver); From 403cce25c47b7d48800b5cc6c6c6289d3022f750 Mon Sep 17 00:00:00 2001 From: Michael Date: Thu, 27 May 2021 04:00:38 +0000 Subject: [PATCH 2/2] Follower is sharer instead --- src/Protocol/ActivityPub/Processor.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Protocol/ActivityPub/Processor.php b/src/Protocol/ActivityPub/Processor.php index aba285c180..486fe6daae 100644 --- a/src/Protocol/ActivityPub/Processor.php +++ b/src/Protocol/ActivityPub/Processor.php @@ -604,7 +604,7 @@ class Processor if (!$item['isForum'] && ($receiver != 0) && ($item['gravity'] == GRAVITY_PARENT) && ($item['post-reason'] == Item::PR_BCC) && !Contact::isSharingByURL($activity['author'], $receiver)) { - Logger::info('Top level post via BCC from a non follower, ignoring', ['uid' => $receiver, 'contact' => $item['contact-id']]); + Logger::info('Top level post via BCC from a non sharer, ignoring', ['uid' => $receiver, 'contact' => $item['contact-id']]); continue; }