MastodonAPI.StatusView: Do not use site_name

site_name allow to spoof the origin of the domain and so hacks like:

<!-- served on https://hacktivis.me/tmp/joinmastodon.org.html -->
<meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" />
<meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" />
<meta property="og:site_name" content="joinmastodon.org" />
<meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">
This commit is contained in:
Haelwenn (lanodan) Monnier 2020-02-15 00:35:46 +01:00
parent 5fcee577f9
commit 1257331291
No known key found for this signature in database
GPG key ID: D5B7A8E43C997DEE
2 changed files with 3 additions and 5 deletions

View file

@ -321,11 +321,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
nil
end
site_name = rich_media[:site_name] || page_url_data.host
%{
type: "link",
provider_name: site_name,
provider_name: page_url_data.host,
provider_url: page_url_data.scheme <> "://" <> page_url_data.host,
url: page_url,
image: image_url |> MediaProxy.url(),

View file

@ -491,7 +491,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
title: "Example website"
}
%{provider_name: "Example site name"} =
%{provider_name: "example.com"} =
StatusView.render("card.json", %{page_url: page_url, rich_media: card})
end
@ -506,7 +506,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
description: "Example description"
}
%{provider_name: "Example site name"} =
%{provider_name: "example.com"} =
StatusView.render("card.json", %{page_url: page_url, rich_media: card})
end
end