Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)

Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
This commit is contained in:
Eugen Rochko 2017-10-04 00:33:56 +02:00 committed by GitHub
parent dfaa219f88
commit c743b5e1fd

View file

@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
confirmed_username, confirmed_domain = split_acct(webfinger.subject)
@username, @domain = split_acct(webfinger.subject)
self_reference = webfinger.link('self')
return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
return false if self_reference&.href != @uri
@username = confirmed_username
@domain = confirmed_domain
true
rescue Goldfinger::Error
false