There was no checking of attributedTo, actors and referent object IDs to make sure they exist in the same domain. Therefore, one could spoof messages from people by doing attributedTo: whoever-i-want-to-spoof

- models
- Activitypub_activityverb2.php
- activitypubqueuehandler.php
- discoveryhints.php
- explorer.php
- httpsignature.php
- inbox_handler.php
- postman.php