activitypub: fix possibility of spoofing by containing remote objects to the same domain as their actor
This commit is contained in:
parent
2e2f458705
commit
0b2c051a04
@ -747,6 +747,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
||||
"actor" => data["attributedTo"],
|
||||
"object" => data
|
||||
},
|
||||
:ok <- Transmogrifier.contain_origin(id, params),
|
||||
{:ok, activity} <- Transmogrifier.handle_incoming(params) do
|
||||
{:ok, Object.normalize(activity.data["object"])}
|
||||
else
|
||||
|
@ -31,6 +31,20 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|
||||
end
|
||||
|
||||
@doc """
|
||||
Checks that an imported AP object's actor matches the domain it came from.
|
||||
"""
|
||||
def contain_origin(id, %{"actor" => actor}) do
|
||||
id_uri = URI.parse(id)
|
||||
actor_uri = URI.parse(actor)
|
||||
|
||||
if id_uri.host == actor_uri.host do
|
||||
:ok
|
||||
else
|
||||
:error
|
||||
end
|
||||
end
|
||||
|
||||
@doc """
|
||||
Modifies an incoming AP object (mastodon format) to our internal format.
|
||||
"""
|
||||
def fix_object(object) do
|
||||
|
Loading…
Reference in New Issue
Block a user