commit: db989d1fa4d83ba5d726807ff4707eb8cee5010d
parent: 6258ddaa607c5b103c65c7febbd9d200084ab67a
Author: kaniini <nenolod@gmail.com>
Date: Fri, 28 Sep 2018 00:14:53 +0000
Merge branch 'security/ap-unsigned-create' into 'develop'
activitypub inbox: only accept unsigned/invalid-signature relayed creates, nothing else
See merge request pleroma/pleroma!361
Diffstat:
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -93,19 +93,29 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
json(conn, "ok")
end
+ # only accept relayed Creates
+ def inbox(conn, %{"type" => "Create"} = params) do
+ Logger.info(
+ "Signature missing or not from author, relayed Create message, fetching object from source"
+ )
+
+ ActivityPub.fetch_object_from_id(params["object"]["id"])
+
+ json(conn, "ok")
+ end
+
def inbox(conn, params) do
headers = Enum.into(conn.req_headers, %{})
- if !String.contains?(headers["signature"] || "", params["actor"]) do
- Logger.info("Signature not from author, relayed message, fetching from source")
- ActivityPub.fetch_object_from_id(params["object"]["id"])
- else
- Logger.info("Signature error - make sure you are forwarding the HTTP Host header!")
- Logger.info("Could not validate #{params["actor"]}")
+ if String.contains?(headers["signature"], params["actor"]) do
+ Logger.info(
+ "Signature validation error for: #{params["actor"]}, make sure you are forwarding the HTTP Host header!"
+ )
+
Logger.info(inspect(conn.req_headers))
end
- json(conn, "ok")
+ json(conn, "error")
end
def relay(conn, params) do