Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)

Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
master
Eugen Rochko 7 years ago committed by GitHub
parent dfaa219f88
commit c743b5e1fd
  1. 6
      app/services/activitypub/fetch_remote_account_service.rb

@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
confirmed_username, confirmed_domain = split_acct(webfinger.subject)
@username, @domain = split_acct(webfinger.subject)
self_reference = webfinger.link('self')
return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
return false if self_reference&.href != @uri
@username = confirmed_username
@domain = confirmed_domain
true
rescue Goldfinger::Error
false

Loading…
Cancel
Save