Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)
Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
This commit is contained in:
parent
dfaa219f88
commit
c743b5e1fd
|
@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
|
|||
return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
|
||||
|
||||
webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
|
||||
confirmed_username, confirmed_domain = split_acct(webfinger.subject)
|
||||
@username, @domain = split_acct(webfinger.subject)
|
||||
self_reference = webfinger.link('self')
|
||||
|
||||
return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
|
||||
return false if self_reference&.href != @uri
|
||||
|
||||
@username = confirmed_username
|
||||
@domain = confirmed_domain
|
||||
|
||||
true
|
||||
rescue Goldfinger::Error
|
||||
false
|
||||
|
|
Loading…
Reference in a new issue