closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
Browse Source

Fix possible acct: uri usurpation in ActivityPub account discovery (#5208) 

Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
pull/4/head
Eugen Rochko 6 years ago
committed by GitHub
parent
dfaa219f88
commit
c743b5e1fd
1 changed files with 2 additions and 4 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +2
    -4
      app/services/activitypub/fetch_remote_account_service.rb

+ 2
- 4
app/services/activitypub/fetch_remote_account_service.rb View File

@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
confirmed_username, confirmed_domain = split_acct(webfinger.subject)
@username, @domain = split_acct(webfinger.subject)
self_reference = webfinger.link('self')
return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
return false if self_reference&.href != @uri
@username = confirmed_username
@domain = confirmed_domain
true
rescue Goldfinger::Error
false

Write Preview
Loading…
Cancel
Save