From 4d171b27a4f8422a7a3964fe809b931cec1b1a5d Mon Sep 17 00:00:00 2001
From: Diogo Cordeiro
Date: Sun, 5 Jul 2020 01:58:22 +0100
Subject: [PATCH] [ActivityPub][NOTE] Do not extract actor from attributedTo

There was no checking of attributedTo, actors and referent object IDs to make sure they exist in the same domain. Therefore, one could spoof messages from people by doing attributedTo: whoever-i-want-to-spoof
---
 .../ActivityPub/lib/models/Activitypub_notice.php | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/plugins/ActivityPub/lib/models/Activitypub_notice.php b/plugins/ActivityPub/lib/models/Activitypub_notice.php
index f799e55656..e827def89d 100644
--- a/plugins/ActivityPub/lib/models/Activitypub_notice.php
+++ b/plugins/ActivityPub/lib/models/Activitypub_notice.php
@@ -123,7 +123,7 @@ class Activitypub_notice
      * @throws Exception
      * @author Diogo Cordeiro
      */
-    public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
+    public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
     {
         $id = $object['id']; // int
         $url = isset($object['url']) ? $object['url'] : $id; // string
@@ -141,17 +141,6 @@ class Activitypub_notice
             $settings['longitude'] = $object['longitude'];
         }
 
-        // Ensure Actor Profile
-        if (is_null($actor_profile)) {
-            if (isset($object['attributedTo'])) {
-                $actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
-            } elseif (isset($object['actor'])) {
-                $actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
-            } else {
-                throw new Exception("A notice can't be created without an actor.");
-            }
-        }
-
         $act = new Activity();
         $act->verb = ActivityVerb::POST;
         $act->time = time();
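Review bot: In the second hunk the new code still accepts the object without relating it to the caller-supplied `$actor_profile`: `$id = $object['id']` and any `attributedTo` the object carries are taken as-is, and no check is added that they belong to the same origin as the actor, which is the very gap the commit message names, so a mismatched `attributedTo` is now silently ignored instead of rejected. Consider rejecting it explicitly where the removed block used to sit, e.g. `if (isset($object['attributedTo']) && $object['attributedTo'] !== $actor_profile->getUri()) { throw new Exception('attributedTo does not match the actor.'); }` (assuming `getUri()` is the accessor that yields the profile's ActivityPub URI in this plugin — verify against its helpers), plus a comparable host comparison of `$object['id']` against the actor's URI. Since `$actor_profile` is no longer nullable, any `@param Profile|null` line in the docblock above the first hunk should be updated, and callers that previously passed null will now fail with a TypeError rather than the removed "A notice can't be created without an actor." exception. create_notice's body begins before the second hunk and continues past both hunks.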