From 64108aa51d6adcce14efab92d740ef07321bf20c Mon Sep 17 00:00:00 2001
From: Diogo Cordeiro
Date: Sun, 5 Jul 2020 01:58:22 +0100
Subject: [PATCH] [ActivityPub][NOTE] Do not extract actor from attributedTo

There was no checking of attributedTo, actors and referent object IDs to make sure they exist in the same domain. Therefore, one could spoof messages from people by doing attributedTo: whoever-i-want-to-spoof
---
 .../ActivityPub/lib/models/Activitypub_notice.php | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/plugins/ActivityPub/lib/models/Activitypub_notice.php b/plugins/ActivityPub/lib/models/Activitypub_notice.php
index f799e55656..e827def89d 100644
--- a/plugins/ActivityPub/lib/models/Activitypub_notice.php
+++ b/plugins/ActivityPub/lib/models/Activitypub_notice.php
@@ -123,7 +123,7 @@ class Activitypub_notice
      * @throws Exception
      * @author Diogo Cordeiro
      */
-    public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
+    public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
     {
         $id = $object['id']; // int
         $url = isset($object['url']) ? $object['url'] : $id; // string
@@ -141,17 +141,6 @@ class Activitypub_notice
             $settings['longitude'] = $object['longitude'];
         }
 
-        // Ensure Actor Profile
-        if (is_null($actor_profile)) {
-            if (isset($object['attributedTo'])) {
-                $actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
-            } elseif (isset($object['actor'])) {
-                $actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
-            } else {
-                throw new Exception("A notice can't be created without an actor.");
-            }
-        }
-
         $act = new Activity();
         $act->verb = ActivityVerb::POST;
         $act->time = time();
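Review bot: Removing the attributedTo/actor fallback closes the spoofing path named in the commit message, but the new code still never checks that an `attributedTo` carried by the object agrees with the `$actor_profile` the caller resolved, so the same-origin gap the message describes is only half closed; right after the removed block I would add `if (isset($object['attributedTo']) && $object['attributedTo'] !== $actor_profile->getUri()) { throw new Exception('attributedTo does not match the authenticated actor.'); }` (assuming `Profile::getUri()` is the accessor this plugin uses for the actor URI — confirm), and the same comparison of the `$id` host against the actor's host belongs there too. The docblock above the signature in the first hunk is only partly visible; its `@param` entry for `$actor_profile` presumably still describes the nullable/fallback behaviour and should now read `@param Profile $actor_profile Already-resolved and verified author of the object (never null)`. Making the parameter required is a signature change, so any caller that still omits it now fails with a TypeError/ArgumentCountError rather than falling back — the callers are outside this diff and should be checked. The body of create_notice continues past the end of the second hunk.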