authorkaniini <nenolod@gmail.com>2018-09-28 00:14:53 +0000
committerkaniini <nenolod@gmail.com>2018-09-28 00:14:53 +0000
commitdb989d1fa4d83ba5d726807ff4707eb8cee5010d (patch)
treeb7561b7a0db5d2e10a765e0ac7371a3a3519ccfb
parent6258ddaa607c5b103c65c7febbd9d200084ab67a (diff)
parent5c312ad677ffd0b622aea61efa50eae68efbecf8 (diff)
downloadpleroma-db989d1fa4d83ba5d726807ff4707eb8cee5010d.tar.gz
Merge branch 'security/ap-unsigned-create' into 'develop'
activitypub inbox: only accept unsigned/invalid-signature relayed creates, nothing else See merge request pleroma/pleroma!361
-rw-r--r--lib/pleroma/web/activity_pub/activity_pub_controller.ex24
1 files changed, 17 insertions, 7 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 52b2a467e..2750add8b 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -93,19 +93,29 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
json(conn, "ok")
end
+ # only accept relayed Creates
+ def inbox(conn, %{"type" => "Create"} = params) do
+ Logger.info(
+ "Signature missing or not from author, relayed Create message, fetching object from source"
+ )
+
+ ActivityPub.fetch_object_from_id(params["object"]["id"])
+
+ json(conn, "ok")
+ end
+
def inbox(conn, params) do
headers = Enum.into(conn.req_headers, %{})
- if !String.contains?(headers["signature"] || "", params["actor"]) do
- Logger.info("Signature not from author, relayed message, fetching from source")
- ActivityPub.fetch_object_from_id(params["object"]["id"])
- else
- Logger.info("Signature error - make sure you are forwarding the HTTP Host header!")
- Logger.info("Could not validate #{params["actor"]}")
+ if String.contains?(headers["signature"], params["actor"]) do
+ Logger.info(
+ "Signature validation error for: #{params["actor"]}, make sure you are forwarding the HTTP Host header!"
+ )
+
Logger.info(inspect(conn.req_headers))
end
- json(conn, "ok")
+ json(conn, "error")
end
def relay(conn, params) do
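Review bot: In the fallback `inbox/2` clause the `|| ""` default was dropped, so a request with no `Signature` header (or no `actor` field) makes `String.contains?(headers["signature"], params["actor"])` raise instead of reaching `json(conn, "error")`, and that is exactly the unsigned case this clause is meant to reject. Guard both values, for example `sig = headers["signature"]` followed by `if is_binary(sig) and is_binary(params["actor"]) and String.contains?(sig, params["actor"]) do`. The new Create clause has the same shape problem: `params["object"]["id"]` is read from an unauthenticated body and raises when `object` is a bare IRI string rather than a map, so matching `%{"type" => "Create", "object" => %{"id" => id}}` with `when is_binary(id)` in the function head would let malformed input fall through to the rejecting clause. The clause for validly signed requests sits above the hunk, so this assumes it does not already filter these inputs.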