GNUsocial
/
gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

[ActivityPub][NOTE] Do not extract actor from attributedTo 

There was no checking of attributedTo, actors and referent object IDs to make
sure they exist in the same domain. Therefore, one could spoof messages from
people by doing attributedTo: whoever-i-want-to-spoof
This commit is contained in:
Diogo Cordeiro 2020-07-05 01:58:22 +01:00
parent fe4a9a6189
commit 4d171b27a4
1 changed files with 1 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
plugins/ActivityPub/lib/models/Activitypub_notice.php
View File

@ -123,7 +123,7 @@ class Activitypub_notice
* @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
{
$id = $object['id']; // int
$url = isset($object['url']) ? $object['url'] : $id; // string
@ -141,17 +141,6 @@ class Activitypub_notice
$settings['longitude'] = $object['longitude'];
}
// Ensure Actor Profile
if (is_null($actor_profile)) {
if (isset($object['attributedTo'])) {
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
} elseif (isset($object['actor'])) {
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
} else {
throw new Exception("A notice can't be created without an actor.");
}
}
$act = new Activity();
$act->verb = ActivityVerb::POST;
$act->time = time();