| field | value |
|---|---|
| author | rinpatch <rinpatch@sdf.org>, 2020-11-03 13:59:18 +0000 |
| committer | rinpatch <rinpatch@sdf.org>, 2020-11-05 16:32:54 +0300 |
| commit | 5116859f0e53a5b79a01f764fa3baf4c2110df1b |
| tree | a632077c2e8a72decbbcad50b103766fba666218 /lib |
| parent | 4d693b5e54b46c8863c463503d270a0d61d79c37 |
| download | pleroma-5116859f0e53a5b79a01f764fa3baf4c2110df1b.tar.gz |
Merge branch 'fix/object-attachment-spoof' into 'develop'
Fix object spoofing vulnerability in attachments
See merge request pleroma/secteam/pleroma!18
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/object/fetcher.ex | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/lib/pleroma/object/fetcher.ex b/lib/pleroma/object/fetcher.ex index 169298b34..ae4301738 100644 --- a/lib/pleroma/object/fetcher.ex +++ b/lib/pleroma/object/fetcher.ex @@ -232,8 +232,24 @@ defmodule Pleroma.Object.Fetcher do |> sign_fetch(id, date) case HTTP.get(id, headers) do - {:ok, %{body: body, status: code}} when code in 200..299 -> - {:ok, body} + {:ok, %{body: body, status: code, headers: headers}} when code in 200..299 -> + case List.keyfind(headers, "content-type", 0) do + {_, content_type} -> + case Plug.Conn.Utils.media_type(content_type) do + {:ok, "application", "activity+json", _} -> + {:ok, body} + + {:ok, "application", "ld+json", + %{"profile" => "https://www.w3.org/ns/activitystreams"}} -> + {:ok, body} + + _ -> + {:error, {:content_type, content_type}} + end + + _ -> + {:error, {:content_type, nil}} + end {:ok, %{status: code}} when code in [404, 410] -> {:error, "Object has been deleted"} |
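Review bot: the header lookup `List.keyfind(headers, "content-type", 0)` is an exact, case-sensitive match on the key, so this check only works if the HTTP client normalizes response header names to lowercase; a response carrying `Content-Type` would fall through to `{:error, {:content_type, nil}}`, which fails closed (good for the spoofing fix) but would reject every legitimate fetch. If the client does not guarantee lowercase names, look the header up case-insensitively, e.g. `Enum.find(headers, fn {k, _} -> String.downcase(k) == "content-type" end)`. Two smaller points: the `headers` bound in the response pattern `%{body: body, status: code, headers: headers}` shadows the request `headers` passed to `HTTP.get(id, headers)` a few lines above, and renaming it `resp_headers` would make the two easier to tell apart; and the new `{:error, {:content_type, content_type}}` tuples introduce a different error shape from the string errors elsewhere in this function (`{:error, "Object has been deleted"}`), so any caller matching on string errors should be checked. Finally, since the `_` in `{:ok, "application", "activity+json", _}` accepts arbitrary parameters and the `ld+json` clause relies on the `profile` parameter, tests covering `application/activity+json; charset=utf-8`, the activitystreams profile, and a non-AP type such as `image/png` would pin down the intended accept/reject behaviour.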