diff options
| author | kaniini <nenolod@gmail.com> | 2018-08-23 01:39:08 +0000 |
|---|---|---|
| committer | kaniini <nenolod@gmail.com> | 2018-08-23 01:39:08 +0000 |
| commit | e416469a409e6ff4bea84da40a5af43fe532a2ce (patch) | |
| tree | 764724db262d18b4ca9b5f58e0ea4776861bb9e9 /lib | |
| parent | 643f373514081864814930807432dc0740694c69 (diff) | |
| parent | a909fe45a6d680cc5a069cc7c340818ecbca54dc (diff) | |
| download | pleroma-e416469a409e6ff4bea84da40a5af43fe532a2ce.tar.gz | |
Merge branch 'security/activitypub-reject-bogus-ids' into 'develop'
security: activitypub: reject activities with bogus ids
See merge request pleroma/pleroma!286
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/activity_pub/transmogrifier.ex | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex index 5e07d5ea9..1367bc7e3 100644 --- a/lib/pleroma/web/activity_pub/transmogrifier.ex +++ b/lib/pleroma/web/activity_pub/transmogrifier.ex @@ -177,6 +177,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do def fix_content_map(object), do: object + # disallow objects with bogus IDs + def handle_incoming(%{"id" => nil}), do: :error + def handle_incoming(%{"id" => ""}), do: :error + # length of https:// = 8, should validate better, but good enough for now. + def handle_incoming(%{"id" => id}) when not (is_binary(id) and length(id) > 8), do: :error + # TODO: validate those with a Ecto scheme # - tags # - emoji |