[ActivityPub][NOTE] Do not extract actor from attributedTo

There was no checking of attributedTo, actors and referent object IDs to make
sure they exist in the same domain. Therefore, one could spoof messages from
people by doing attributedTo: whoever-i-want-to-spoof
This commit is contained in:
Diogo Cordeiro 2020-07-05 01:58:22 +01:00
parent fe4a9a6189
commit 4d171b27a4

View File

@ -123,7 +123,7 @@ class Activitypub_notice
* @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
{
$id = $object['id']; // int
$url = isset($object['url']) ? $object['url'] : $id; // string
@ -141,17 +141,6 @@ class Activitypub_notice
$settings['longitude'] = $object['longitude'];
}
// Ensure Actor Profile
if (is_null($actor_profile)) {
if (isset($object['attributedTo'])) {
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
} elseif (isset($object['actor'])) {
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
} else {
throw new Exception("A notice can't be created without an actor.");
}
}
$act = new Activity();
$act->verb = ActivityVerb::POST;
$act->time = time();