diff options
| author | William Pitcock <nenolod@dereferenced.org> | 2018-08-29 08:51:51 +0000 |
|---|---|---|
| committer | William Pitcock <nenolod@dereferenced.org> | 2018-08-29 08:51:51 +0000 |
| commit | ded909120614e5b1fa1f9469c753a30b2d9b16ed (patch) | |
| tree | 57b0989bc1a5917d635ca2f4326ecd18a6fe715d /lib | |
| parent | 643fae6e36881b8883e247df28568e9b54e1b086 (diff) | |
| download | pleroma-ded909120614e5b1fa1f9469c753a30b2d9b16ed.tar.gz | |
mastodon api: use bounded AP object graph query to enforce containment of private statuses
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/mastodon_api/mastodon_api_controller.ex | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex index f482de6fd..c90f9fa05 100644 --- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex +++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex @@ -850,9 +850,14 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do |> Map.put("type", "Create") |> Map.put("blocking_user", user) - # adding title is a hack to not make empty lists function like a public timeline + # we must filter the following list for the user to avoid leaking statuses the user + # does not actually have permission to see (for more info, peruse security issue #270). + following_to = + following + |> Enum.filter(fn x -> x in user.following end) + activities = - ActivityPub.fetch_activities([title | following], params) + ActivityPub.fetch_activities_bounded(following_to, following, params) |> Enum.reverse() conn |