Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)

Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
7 years ago · c743b5e1fd
parent dfaa219f88
commit c743b5e1fd
1 changed files with 2 additions and 4 deletions
--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
    return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?

    webfinger                            = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
-    confirmed_username, confirmed_domain = split_acct(webfinger.subject)
+    @username, @domain                   = split_acct(webfinger.subject)
    self_reference                       = webfinger.link('self')

+    return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
    return false if self_reference&.href != @uri

-    @username = confirmed_username
-    @domain   = confirmed_domain
-
    true
  rescue Goldfinger::Error
    false