AP: Security check against forged "create" activities

author Michael <heluecht@pirati.ca>

Tue, 20 Nov 2018 20:40:47 +0000 (20:40 +0000)

committer Michael <heluecht@pirati.ca>

Tue, 20 Nov 2018 20:40:47 +0000 (20:40 +0000)
author Michael <heluecht@pirati.ca>
Tue, 20 Nov 2018 20:40:47 +0000 (20:40 +0000)
committer Michael <heluecht@pirati.ca>
Tue, 20 Nov 2018 20:40:47 +0000 (20:40 +0000)
diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php

index 686ac8be327ecbe8f1235bf706e475c9a55fce10..a101c5335d9d0893aa78f83670357e8bdc1b031d 100644 (file)
--- a/src/Protocol/ActivityPub/Receiver.php
+++ b/src/Protocol/ActivityPub/Receiver.php
@@ -309,6 +309,16 @@ class Receiver
  
                 }
  
+               // Don't trust the source if "actor" differs from "attributedTo". The content could be forged.
+               if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) {
+                       $actor = JsonLD::fetchElement($activity, 'as:actor');
+                       $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo');
+                       $trust_source = ($actor == $attributed_to);
+                       if (!$trust_source) {
+                               Logger::log('Not trusting actor: ' . $actor . '. It differs from  attributedTo: ' . $attributed_to, Logger::DEBUG);
+                       }
+               }
+
                 // $trust_source is called by reference and is set to true if the content was retrieved successfully
                 $object_data = self::prepareObjectData($activity, $uid, $trust_source);
                 if (empty($object_data)) {
author	Michael <heluecht@pirati.ca>
	Tue, 20 Nov 2018 20:40:47 +0000 (20:40 +0000)
committer	Michael <heluecht@pirati.ca>
	Tue, 20 Nov 2018 20:40:47 +0000 (20:40 +0000)