wamo/gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[ActivityPub] Fix security issue concerning remote profile deletes

Browse Source 
Reported by kaniini
This commit is contained in:
Diogo Cordeiro 2019-10-11 17:41:41 +01:00 committed by Diogo Peralta Cordeiro
parent 48eee0e018
commit b7ce5b91a4
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
plugins/ActivityPub/lib/inbox_handler.php
View File

@ -224,7 +224,8 @@ class Activitypub_inbox_handler
* Handles a Delete Activity received by our inbox. * Handles a Delete Activity received by our inbox.
* *
* @throws NoProfileException * @throws NoProfileException
* @author Diogo Cordeiro <diogo@fc.up.pt> * @throws Exception
* @author Bruno Casteleiro <brunoccast@fc.up.pt>
*/ */
private function handle_delete() private function handle_delete()
{ {
@ -234,8 +235,8 @@ class Activitypub_inbox_handler
} }
// profile deletion ? // profile deletion ?
$aprofile = Activitypub_explorer::get_aprofile_by_url($object); if ($this->activity['actor'] == $object) {
if ($aprofile instanceof Activitypub_profile) { $aprofile = Activitypub_profile::from_profile($this->actor);
$this->handle_delete_profile($aprofile); $this->handle_delete_profile($aprofile);
return; return;
} }
@ -248,7 +249,7 @@ class Activitypub_inbox_handler
} }
return; return;
} catch (Exception $e) { } catch (Exception $e) {
// either already deleted or not a notice at all // either already deleted or not an object at all
// nothing to do.. // nothing to do..
} }