Replace q() with DBA methods, fix code style
[friendica.git] / src / Protocol / ActivityPub / Receiver.php
index 686ac8be327ecbe8f1235bf706e475c9a55fce10..7fe1f128f496b746efbed1bd24ccf854964913d6 100644 (file)
@@ -309,6 +309,16 @@ class Receiver
 
                }
 
+               // Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
+               if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
+                       $actor = JsonLD::fetchElement($activity, 'as:actor');
+                       $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
+                       $trust_source = ($actor == $attributed_to);
+                       if (!$trust_source) {
+                               Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG);
+                       }
+               }
+
                // $trust_source is called by reference and is set to true if the content was retrieved successfully
                $object_data = self::prepareObjectData($activity, $uid, $trust_source);
                if (empty($object_data)) {
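Review bot: The new actor/attributedTo check leaves `$trust_source` true when both values are absent, because it compares with a loose `==` and never tests for emptiness. If `JsonLD::fetchElement` returns null for a missing element (its behaviour is not visible here), an `as:Create` that carries neither field compares equal and stays trusted. Consider `$trust_source = !empty($actor) && ($actor === $attributed_to);` so that only a present, identical id keeps the trust. The debug message also concatenates both remote-supplied values into the log line as-is, so a log viewer should treat them as untrusted text. The enclosing method starts and ends outside the hunk.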
@@ -589,6 +599,7 @@ class Receiver
                $photo = defaults($profile, 'photo', null);
                unset($profile['photo']);
                unset($profile['baseurl']);
+               unset($profile['guid']);
 
                $profile['nurl'] = Strings::normaliseLink($profile['url']);
                DBA::update('contact', $profile, ['id' => $cid]);
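Review bot: The added `unset($profile['guid'])` extends a deny-list, so every key still in `$profile` after the three `unset()` calls is written to the `contact` row by `DBA::update`. If `$profile` is built from remotely fetched actor data (its origin is outside this hunk), any field added to it later reaches the table unless someone remembers another `unset()`. Selecting the columns to update explicitly would fail closed instead. The line also needs a why-comment, for example `// Never overwrite the stored guid with a value from the fetched profile`, if that is the intent. The enclosing method starts and ends outside the hunk.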