Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Improve federated ID validation (#8372)

Browse source 
* Fix URI not being sufficiently validated with prefetched JSON

* Add additional id validation to OStatus documents, when possible
This commit is contained in:
Eugen Rochko 2018-08-22 20:55:14 +02:00 committed by GitHub
parent ad41806e53
commit 802cf6a4c5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 122 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

7
app/services/fetch_remote_account_service.rb
View file

@ -27,7 +27,7 @@ class FetchRemoteAccountService < BaseService
account = author_from_xml(xml.at_xpath('/xmlns:feed', xmlns: OStatus::TagManager::XMLNS), false)
UpdateRemoteProfileService.new.call(xml, account) unless account.nil?
UpdateRemoteProfileService.new.call(xml, account) if account.present? && trusted_domain?(url, account)
account
rescue TypeError
@ -37,4 +37,9 @@ class FetchRemoteAccountService < BaseService
Rails.logger.debug 'Invalid XML or missing namespace'
nil
end
def trusted_domain?(url, account)
domain = Addressable::URI.parse(url).normalized_host
domain.casecmp(account.domain).zero? || domain.casecmp(Addressable::URI.parse(account.remote_url.presence || account.uri).normalized_host).zero?
end
end