X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FProtocol%2FActivityPub%2FReceiver.php;h=7fe1f128f496b746efbed1bd24ccf854964913d6;hb=5abc22f6c536b4fea7a5becd53561959ba0e7512;hp=686ac8be327ecbe8f1235bf706e475c9a55fce10;hpb=d4a02dc31408210ab9f67ecac1948dc22b95b8da;p=friendica.git
diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php
index 686ac8be32..7fe1f128f4 100644
--- a/src/Protocol/ActivityPub/Receiver.php
+++ b/src/Protocol/ActivityPub/Receiver.php
@@ -309,6 +309,16 @@ class Receiver
 }
+ // Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
+ if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
+ $actor = JsonLD::fetchElement($activity, 'as:actor');
+ $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
+ $trust_source = ($actor == $attributed_to);
+ if (!$trust_source) {
+ Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG);
+ }
+ }
+
 // $trust_source is called by reference and is set to true if the content was retrieved successfully
 $object_data = self::prepareObjectData($activity, $uid, $trust_source);
 if (empty($object_data)) {
@@ -589,6 +599,7 @@ class Receiver
 $photo = defaults($profile, 'photo', null);
 unset($profile['photo']);
 unset($profile['baseurl']);
+ unset($profile['guid']);
 $profile['nurl'] = Strings::normaliseLink($profile['url']);
 DBA::update('contact', $profile, ['id' => $cid]);
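Review bot: The new trust guard compares `$actor` and `$attributed_to` with loose `==`, and neither value's type is pinned by the hunk: both `JsonLD::fetchElement` calls omit a key argument, so if the element is a nested object or a multi-valued `attributedTo` the result may be an array rather than an id string, the comparison is no longer a plain identity check, and the string concatenation in the `Logger::log` line would print "Array" with a notice. Fetching both as ids (I believe `fetchElement` takes `'@id'` as its third parameter, as used elsewhere in this protocol code) and comparing strictly keeps the spoofing check conservative: `$actor = JsonLD::fetchElement($activity, 'as:actor', '@id');`, `$attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo', '@id');`, `$trust_source = is_string($actor) && ($actor === $attributed_to);`. Note also that the guard only runs for `as:Create`; whether other activity types that embed an object with their own `attributedTo` need the same check is a design question this hunk leaves open. The enclosing method starts and ends outside the hunk.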