diff options
author | Eugen Rochko <eugen@zeonfederated.com> | 2017-10-04 00:33:56 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-04 00:33:56 +0200 |
commit | c743b5e1fdb938d52d8c023bb6ef1bf9b397226c (patch) | |
tree | bd179103fe9800e2823b46de81cbbb139a6efebf | |
parent | dfaa219f8820224d37cd060d253a507111c63460 (diff) |
Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)
Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
-rw-r--r-- | app/services/activitypub/fetch_remote_account_service.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb index 3eeca585e..cb6e40748 100644 --- a/app/services/activitypub/fetch_remote_account_service.rb +++ b/app/services/activitypub/fetch_remote_account_service.rb @@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero? webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}") - confirmed_username, confirmed_domain = split_acct(webfinger.subject) + @username, @domain = split_acct(webfinger.subject) self_reference = webfinger.link('self') + return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero? return false if self_reference&.href != @uri - @username = confirmed_username - @domain = confirmed_domain - true rescue Goldfinger::Error false |