From 59763ceecb33ebf842829cac15f922fa19047de2 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Tue, 17 Feb 2015 17:35:45 +0100
Subject: [PATCH] SalmonAction now updates remote URI if it was stale.

After doublechecking two identities so that they match (like one that was previously http:// but now is https://) we update the URI in our database to match. This has to be verified so it's not easy to fool our script and thus make us replace legitimate URIs with fake ones. I believe the callback method is safe, but I'm not sure how well it handles HTTP MITM attacks etc.
---
 plugins/OStatus/lib/salmonaction.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/plugins/OStatus/lib/salmonaction.php b/plugins/OStatus/lib/salmonaction.php
index 5e7d8f35a3..365f2c829c 100644
--- a/plugins/OStatus/lib/salmonaction.php
+++ b/plugins/OStatus/lib/salmonaction.php
@@ -245,7 +245,12 @@ class SalmonAction extends Action
 // Step 4: Is the newly introduced https://example.com/user/1 URI in the list of aliases
 // presented by http://example.com/user/1 (i.e. do they both say they are the same identity?)
 if (in_array($e->object_uri, $doublecheck_aliases)) {
- common_debug('These identities both say they are each other: "'.$aliased_uri.'" and "'.$e->object_uri);
+ common_debug('URIFIX These identities both say they are each other: "'.$aliased_uri.'" and "'.$e->object_uri.'"');
+ $orig = clone($oprofile);
+ $oprofile->uri = $e->object_uri;
+ common_debug('URIFIX Updating Ostatus_profile URI for '.$aliased_uri.' to '.$oprofile->uri);
+ $oprofile->updateWithKeys($orig);
+ unset($orig);
 $this->oprofile = $oprofile;
 break; // don't iterate through aliases anymore
 }
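Review bot: The new `$oprofile->uri = $e->object_uri;` write makes a one-time alias match a permanent change to the stored identity, but nothing in the hunk limits it to the http-to-https case the commit message describes, and the `in_array()` that gates it compares loosely. How `$doublecheck_aliases` is fetched is outside the hunk, but if that lookup can run over plain HTTP, a tampered response would now be persisted rather than affecting a single delivery. Consider rewriting only when the new URI is https and differs from `$aliased_uri` in scheme alone, and make the gate strict: `if (in_array($e->object_uri, $doublecheck_aliases, true)) {`. The result of `$oprofile->updateWithKeys($orig);` is discarded, so if a failed update is reported by return value, `$this->oprofile` would still carry the new URI; check the result before assigning. Because this is an identity change, record it with `common_log(LOG_INFO, ...)` rather than `common_debug()` so it leaves an audit trail when debug logging is off; the enclosing loop and method begin and end outside the hunk.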