Merge pull request #6176 from annando/ap-security
AP: Security check against forged "create" activities
This commit is contained in:
commit
cf1c63fcc2
|
@ -309,6 +309,16 @@ class Receiver
|
|||
|
||||
}
|
||||
|
||||
// Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
|
||||
if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
|
||||
$actor = JsonLD::fetchElement($activity, 'as:actor');
|
||||
$attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
|
||||
$trust_source = ($actor == $attributed_to);
|
||||
if (!$trust_source) {
|
||||
Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG);
|
||||
}
|
||||
}
|
||||
|
||||
// $trust_source is called by reference and is set to true if the content was retrieved successfully
|
||||
$object_data = self::prepareObjectData($activity, $uid, $trust_source);
|
||||
if (empty($object_data)) {
|
||||
|
|
Loading…
Reference in New Issue
Block a user