Prevent ActivityPub movedTo recursion (#8092)

Fix #8051
6 years ago · cc94b1d95a
parent 2ccef52a4f
commit cc94b1d95a
2 changed files with 3 additions and 3 deletions
--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
@ -7,14 +7,14 @@ class ActivityPub::FetchRemoteAccountService < BaseService
  # Should be called when uri has already been checked for locality
  # Does a WebFinger roundtrip on each call
-  def call(uri, id: true, prefetched_body: nil)
+  def call(uri, id: true, prefetched_body: nil, break_on_redirect: false)
    @json = if prefetched_body.nil?
              fetch_resource(uri, id)
            else
              body_to_json(prefetched_body)
            end
-    return unless supported_context? && expected_type?
+    return if !supported_context? || !expected_type? || (break_on_redirect && @json['movedTo'].present?)
    @uri      = @json['id']
    @username = @json['preferredUsername']
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@ -175,7 +175,7 @@ class ActivityPub::ProcessAccountService < BaseService
  def moved_account
    account   = ActivityPub::TagManager.instance.uri_to_resource(@json['movedTo'], Account)
-    account ||= ActivityPub::FetchRemoteAccountService.new.call(@json['movedTo'], id: true)
+    account ||= ActivityPub::FetchRemoteAccountService.new.call(@json['movedTo'], id: true, break_on_redirect: true)
    account
  end