Merge pull request #6176 from annando/ap-security

AP: Security check against forged "create" activities
This commit is contained in:
Tobias Diekershoff 2018-11-21 18:10:45 +01:00 committed by GitHub
commit cf1c63fcc2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -309,6 +309,16 @@ class Receiver
} }
// Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
$actor = JsonLD::fetchElement($activity, 'as:actor');
$attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
$trust_source = ($actor == $attributed_to);
if (!$trust_source) {
Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG);
}
}
// $trust_source is called by reference and is set to true if the content was retrieved successfully // $trust_source is called by reference and is set to true if the content was retrieved successfully
$object_data = self::prepareObjectData($activity, $uid, $trust_source); $object_data = self::prepareObjectData($activity, $uid, $trust_source);
if (empty($object_data)) { if (empty($object_data)) {