Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Fix bad URL schemes being accepted (#6219)

Browse source 
* Fix actors accepting invalid URI schemes or different host between URI and URL

* Fix statuses accepting invalid URI scheme or different host to actor

* Adjust tests to new requirements

* Improve readability of mismatching_origin?/invalid_origin? methods
This commit is contained in:
Eugen Rochko 2018-01-08 05:00:23 +01:00 committed by GitHub
parent 93555182c3
commit e4a241abef
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 62 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

18
app/services/activitypub/process_account_service.rb
View file

@ -6,7 +6,7 @@ class ActivityPub::ProcessAccountService < BaseService
# Should be called with confirmed valid JSON
# and WebFinger-resolved username and domain
def call(username, domain, json)
return if json['inbox'].blank?
return if json['inbox'].blank? || unsupported_uri_scheme?(json['id'])
@json = json
@uri = @json['id']
@ -107,7 +107,21 @@ class ActivityPub::ProcessAccountService < BaseService
def url
return if @json['url'].blank?
url_to_href(@json['url'], 'text/html')
url_candidate = url_to_href(@json['url'], 'text/html')
if unsupported_uri_scheme?(url_candidate) || mismatching_origin?(url_candidate)
nil
else
url_candidate
end
end
def mismatching_origin?(url)
needle = Addressable::URI.parse(url).host
haystack = Addressable::URI.parse(@uri).host
!haystack.casecmp(needle).zero?
end
def outbox_total_items