forked from GNUsocial/gnu-social
[ActivityPub][NOTE] Do not extract actor from attributedTo
There was no checking of attributedTo, actors and referent object IDs to make sure they exist in the same domain. Therefore, one could spoof messages from people by doing attributedTo: whoever-i-want-to-spoof
This commit is contained in:
parent
fe4a9a6189
commit
4d171b27a4
@ -123,7 +123,7 @@ class Activitypub_notice
|
|||||||
* @throws Exception
|
* @throws Exception
|
||||||
* @author Diogo Cordeiro <diogo@fc.up.pt>
|
* @author Diogo Cordeiro <diogo@fc.up.pt>
|
||||||
*/
|
*/
|
||||||
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
|
public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
|
||||||
{
|
{
|
||||||
$id = $object['id']; // int
|
$id = $object['id']; // int
|
||||||
$url = isset($object['url']) ? $object['url'] : $id; // string
|
$url = isset($object['url']) ? $object['url'] : $id; // string
|
||||||
@ -141,17 +141,6 @@ class Activitypub_notice
|
|||||||
$settings['longitude'] = $object['longitude'];
|
$settings['longitude'] = $object['longitude'];
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ensure Actor Profile
|
|
||||||
if (is_null($actor_profile)) {
|
|
||||||
if (isset($object['attributedTo'])) {
|
|
||||||
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
|
|
||||||
} elseif (isset($object['actor'])) {
|
|
||||||
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
|
|
||||||
} else {
|
|
||||||
throw new Exception("A notice can't be created without an actor.");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$act = new Activity();
|
$act = new Activity();
|
||||||
$act->verb = ActivityVerb::POST;
|
$act->verb = ActivityVerb::POST;
|
||||||
$act->time = time();
|
$act->time = time();
|
||||||
|
Loading…
Reference in New Issue
Block a user