From: Michael Date: Tue, 20 Nov 2018 20:40:47 +0000 (+0000) Subject: AP: Security check against forged "create" activities X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=5c39779b45005c12962e7e92d3428efd187f279c;p=friendica.git AP: Security check against forged "create" activities --- diff --git a/src/Protocol/ActivityPub/Receiver.php b/src/Protocol/ActivityPub/Receiver.php index 686ac8be32..a101c5335d 100644 --- a/src/Protocol/ActivityPub/Receiver.php +++ b/src/Protocol/ActivityPub/Receiver.php @@ -309,6 +309,16 @@ class Receiver } + // Don't trust the source if "actor" differs from "attributedTo". The content could be forged. + if ($trust_source && ($type == 'as:Create') && is_array($activity['as:object'])) { + $actor = JsonLD::fetchElement($activity, 'as:actor'); + $attributed_to = JsonLD::fetchElement($activity['as:object'], 'as:attributedTo'); + $trust_source = ($actor == $attributed_to); + if (!$trust_source) { + Logger::log('Not trusting actor: ' . $actor . '. It differs from attributedTo: ' . $attributed_to, Logger::DEBUG); + } + } + // $trust_source is called by reference and is set to true if the content was retrieved successfully $object_data = self::prepareObjectData($activity, $uid, $trust_source); if (empty($object_data)) {