vbatts/mastodon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)

Browse source 
Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
This commit is contained in:
Eugen Rochko 2017-10-04 00:33:56 +02:00 committed by GitHub
parent dfaa219f88
commit c743b5e1fd
1 changed files with 2 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/services/activitypub/fetch_remote_account_service.rb
View file

@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
confirmed_username, confirmed_domain = split_acct(webfinger.subject)
@username, @domain = split_acct(webfinger.subject)
self_reference = webfinger.link('self')
return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
return false if self_reference&.href != @uri
@username = confirmed_username
@domain = confirmed_domain
true
rescue Goldfinger::Error
false