[ActivityPub][NOTE] Do not extract actor from attributedTo

There was no checking of attributedTo, actors and referent object IDs to make
sure they exist in the same domain. Therefore, one could spoof messages from
people by doing attributedTo: whoever-i-want-to-spoof
This commit is contained in:
Diogo Cordeiro 2020-07-05 01:58:22 +01:00 committed by Diogo Peralta Cordeiro
parent 9f4c4edb02
commit 64108aa51d

View File

@ -123,7 +123,7 @@ class Activitypub_notice
* @throws Exception
* @author Diogo Cordeiro <diogo@fc.up.pt>
*/
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
{
$id = $object['id']; // int
$url = isset($object['url']) ? $object['url'] : $id; // string
@ -141,17 +141,6 @@ class Activitypub_notice
$settings['longitude'] = $object['longitude'];
}
// Ensure Actor Profile
if (is_null($actor_profile)) {
if (isset($object['attributedTo'])) {
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
} elseif (isset($object['actor'])) {
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
} else {
throw new Exception("A notice can't be created without an actor.");
}
}
$act = new Activity();
$act->verb = ActivityVerb::POST;
$act->time = time();