From b4b5d3e009a65e829e64c27ce1a313a0d879c0af Mon Sep 17 00:00:00 2001 From: tenma Date: Thu, 8 Aug 2019 17:21:56 +0100 Subject: [PATCH] [ActivityPub] Fix handling of Delete Activity inbox_handler: - Call stronger validation method for Delete Activity objects - Take into account mixed object in handle_delete Activitypub_delete: - Add validation method for Delete Activity objects --- .../classes/Activitypub_delete.php | 35 +++++++++++++++++-- plugins/ActivityPub/lib/inbox_handler.php | 10 ++++-- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/plugins/ActivityPub/classes/Activitypub_delete.php b/plugins/ActivityPub/classes/Activitypub_delete.php index b0d0b3a736..74bab42f0d 100644 --- a/plugins/ActivityPub/classes/Activitypub_delete.php +++ b/plugins/ActivityPub/classes/Activitypub_delete.php @@ -39,12 +39,12 @@ class Activitypub_delete extends Managed_DataObject /** * Generates an ActivityPub representation of a Delete * - * @param $actor - * @param array $object + * @param string $actor actor URI + * @param string $object object URI * @return array pretty array to be used in a response * @author Diogo Cordeiro */ - public static function delete_to_array($actor, $object) + public static function delete_to_array(string $actor, string $object): array { $res = [ '@context' => 'https://www.w3.org/ns/activitystreams', @@ -55,4 +55,33 @@ class Activitypub_delete extends Managed_DataObject ]; return $res; } + + /** + * Verifies if a given object is acceptable for a Delete Activity. + * + * @param array|string $object + * @return bool + * @throws Exception + * @author Bruno Casteleiro + */ + public static function validate_object($object): bool + { + if (!is_array($object)) { + if (!filter_var($object, FILTER_VALIDATE_URL)) { + throw new Exception('Object is not a valid Object URI for Activity.'); + } + } else { + if (!isset($object['type'])) { + throw new Exception('Object type was not specified for Delete Activity.'); + } else if ($object['type'] !== "Tombstone") { + throw new Exception('Invalid Object type for Delete Activity.'); + } + + if (!isset($object['id'])) { + throw new Exception('Object id was not specified for Delete Activity.'); + } + } + + return true; + } } diff --git a/plugins/ActivityPub/lib/inbox_handler.php b/plugins/ActivityPub/lib/inbox_handler.php index 4207dbc853..41956dd50e 100644 --- a/plugins/ActivityPub/lib/inbox_handler.php +++ b/plugins/ActivityPub/lib/inbox_handler.php @@ -96,6 +96,8 @@ class Activitypub_inbox_handler Activitypub_create::validate_object($this->object); break; case 'Delete': + Activitypub_delete::validate_object($this->object); + break; case 'Follow': case 'Like': case 'Announce': @@ -207,12 +209,16 @@ class Activitypub_inbox_handler * Handles a Delete Activity received by our inbox. * * @param Profile $actor Actor - * @param array $object Activity + * @param array|string $object Activity's object * @throws AuthorizationException * @author Diogo Cordeiro */ - private function handle_delete($actor, $object) + private function handle_delete(Profile $actor, $object) { + if (is_array($object)) { + $object = $object['id']; + } + // some moderator could already have deleted the // notice, so we test it first try {