[ActivityPub][NOTE] Do not extract actor from attributedTo
There was no checking of attributedTo, actors and referent object IDs to make sure they exist in the same domain. Therefore, one could spoof messages from people by doing attributedTo: whoever-i-want-to-spoof
This commit is contained in:
parent
9f4c4edb02
commit
64108aa51d
|
@ -123,7 +123,7 @@ class Activitypub_notice
|
||||||
* @throws Exception
|
* @throws Exception
|
||||||
* @author Diogo Cordeiro <diogo@fc.up.pt>
|
* @author Diogo Cordeiro <diogo@fc.up.pt>
|
||||||
*/
|
*/
|
||||||
public static function create_notice(array $object, Profile $actor_profile = null, bool $directMessage = false): Notice
|
public static function create_notice(array $object, Profile $actor_profile, bool $directMessage = false): Notice
|
||||||
{
|
{
|
||||||
$id = $object['id']; // int
|
$id = $object['id']; // int
|
||||||
$url = isset($object['url']) ? $object['url'] : $id; // string
|
$url = isset($object['url']) ? $object['url'] : $id; // string
|
||||||
|
@ -141,17 +141,6 @@ class Activitypub_notice
|
||||||
$settings['longitude'] = $object['longitude'];
|
$settings['longitude'] = $object['longitude'];
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ensure Actor Profile
|
|
||||||
if (is_null($actor_profile)) {
|
|
||||||
if (isset($object['attributedTo'])) {
|
|
||||||
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['attributedTo']);
|
|
||||||
} elseif (isset($object['actor'])) {
|
|
||||||
$actor_profile = ActivityPub_explorer::get_profile_from_url($object['actor']);
|
|
||||||
} else {
|
|
||||||
throw new Exception("A notice can't be created without an actor.");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$act = new Activity();
|
$act = new Activity();
|
||||||
$act->verb = ActivityVerb::POST;
|
$act->verb = ActivityVerb::POST;
|
||||||
$act->time = time();
|
$act->time = time();
|
||||||
|
|
Loading…
Reference in New Issue
Block a user