diff options
author | Eugen Rochko <eugen@zeonfederated.com> | 2017-04-27 17:06:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-27 17:06:47 +0200 |
commit | 2af4f3c4e22ab9a28a7fca49bee0ee2ed6256f27 (patch) | |
tree | 073f68695a0da1ee7dcf2f909a449b60286ad3f4 /app/services/process_feed_service.rb | |
parent | b8e7eee8372f927a5a3b51e95db3707d34c4ac4b (diff) |
Improve shared status verification (#2525)
* Instead of parsing shared status contents verbatim, make roundtrip to purported original URL. Confirm that the "original" URL is from the same domain as the author it claims to be from. * Fix obvious typo, add comment * Use URI look-up first * Add test, update Goldfinger dependency to make less useless HTTP requests per Webfinger lookup
Diffstat (limited to 'app/services/process_feed_service.rb')
-rw-r--r-- | app/services/process_feed_service.rb | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/app/services/process_feed_service.rb b/app/services/process_feed_service.rb index d002b9130..799a9f6e3 100644 --- a/app/services/process_feed_service.rb +++ b/app/services/process_feed_service.rb @@ -47,8 +47,8 @@ class ProcessFeedService < BaseService return status unless just_created if verb == :share - original_status, = status_from_xml(@xml.at_xpath('.//activity:object', activity: TagManager::AS_XMLNS)) - status.reblog = original_status + original_status = shared_status_from_xml(@xml.at_xpath('.//activity:object', activity: TagManager::AS_XMLNS)) + status.reblog = original_status if original_status.nil? status.destroy @@ -90,6 +90,14 @@ class ProcessFeedService < BaseService !([:post, :share, :delete].include?(verb) && [:activity, :note, :comment].include?(type)) end + def shared_status_from_xml(entry) + status = find_status(id(entry)) + + return status unless status.nil? + + FetchRemoteStatusService.new.call(url(entry)) + end + def status_from_xml(entry) # Return early if status already exists in db status = find_status(id(entry)) |