From b12c2d17d5346027201097072e7c9b21dc5a53d4 Mon Sep 17 00:00:00 2001
From: Diogo Cordeiro
Date: Fri, 11 Oct 2019 17:41:41 +0100
Subject: [PATCH] [ActivityPub] Fix security issue concerning remote profile deletes Reported by kaniini
---
 plugins/ActivityPub/lib/inbox_handler.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/plugins/ActivityPub/lib/inbox_handler.php b/plugins/ActivityPub/lib/inbox_handler.php
index 3fe93d498e..1fea9577b7 100644
--- a/plugins/ActivityPub/lib/inbox_handler.php
+++ b/plugins/ActivityPub/lib/inbox_handler.php
@@ -224,7 +224,8 @@ class Activitypub_inbox_handler
 * Handles a Delete Activity received by our inbox.
 *
 * @throws NoProfileException
- * @author Diogo Cordeiro
+ * @throws Exception
+ * @author Bruno Casteleiro
 */
 private function handle_delete()
 {
@@ -234,8 +235,8 @@ class Activitypub_inbox_handler
 }
 // profile deletion ?
- $aprofile = Activitypub_explorer::get_aprofile_by_url($object);
- if ($aprofile instanceof Activitypub_profile) {
+ if ($this->activity['actor'] == $object) {
+ $aprofile = Activitypub_profile::from_profile($this->actor);
 $this->handle_delete_profile($aprofile);
 return;
 }
@@ -248,7 +249,7 @@ class Activitypub_inbox_handler
 }
 return;
 } catch (Exception $e) {
- // either already deleted or not a notice at all
+ // either already deleted or not an object at all
 // nothing to do..
 }
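Review bot: The new ownership check in the second hunk (`@@ -234,8 +235,8 @@`) uses a loose comparison, `$this->activity['actor'] == $object`, so PHP type juggling applies whenever `object` arrives as something other than a string; a JSON boolean, for instance, compares equal to any non-empty actor URI. Since this comparison is now the authorization decision for profile deletion, I would make it strict and type-checked: `if (is_string($object) && $this->activity['actor'] === $object) {`. The check is also only as strong as the binding between `$this->actor` and the authenticated sender, which is established outside this hunk; a comment such as `// $this->actor is the verified sender; an actor may only delete its own profile` would record that assumption if it holds. `handle_delete()` starts and ends outside the hunk, so it is not visible here whether the object-deletion path that follows applies an equivalent owner check before deleting.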