From 1d47910d3b1a012504802cfc45a026e5c45d57a9 Mon Sep 17 00:00:00 2001 From: Eugen Date: Wed, 19 Apr 2017 17:28:35 +0200 Subject: Fix possibility of unrightful webfinger redirect (#2147) * Fix possibility of unrightful webfinger redirect * Add more tests for FollowRemoteAccountService --- app/services/follow_remote_account_service.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'app/services') diff --git a/app/services/follow_remote_account_service.rb b/app/services/follow_remote_account_service.rb index 14bc064d5..2d7414bc0 100644 --- a/app/services/follow_remote_account_service.rb +++ b/app/services/follow_remote_account_service.rb @@ -10,7 +10,7 @@ class FollowRemoteAccountService < BaseService # important information from their feed # @param [String] uri User URI in the form of username@domain # @return [Account] - def call(uri) + def call(uri, redirected = nil) username, domain = uri.split('@') return Account.find_local(username) if TagManager.instance.local_domain?(domain) @@ -24,8 +24,14 @@ class FollowRemoteAccountService < BaseService raise Goldfinger::Error, 'Missing resource links' if data.link('http://schemas.google.com/g/2010#updates-from').nil? || data.link('salmon').nil? || data.link('http://webfinger.net/rel/profile-page').nil? || data.link('magic-public-key').nil? + # Disallow account hijacking confirmed_username, confirmed_domain = data.subject.gsub(/\Aacct:/, '').split('@') + unless confirmed_username.casecmp(username).zero? && confirmed_domain.casecmp(domain).zero? + return call("#{confirmed_username}@#{confirmed_domain}", true) if redirected.nil? + raise Goldfinger::Error, 'Requested and returned acct URI do not match' + end + return Account.find_local(confirmed_username) if TagManager.instance.local_domain?(confirmed_domain) confirmed_account = Account.find_remote(confirmed_username, confirmed_domain) -- cgit