Fix possible acct: uri usurpation in ActivityPub account discovery (#5208)

author Eugen Rochko <eugen@zeonfederated.com>

Tue, 3 Oct 2017 22:33:56 +0000 (00:33 +0200)

committer GitHub <noreply@github.com>

Tue, 3 Oct 2017 22:33:56 +0000 (00:33 +0200)
author Eugen Rochko <eugen@zeonfederated.com>
Tue, 3 Oct 2017 22:33:56 +0000 (00:33 +0200)
committer GitHub <noreply@github.com>
Tue, 3 Oct 2017 22:33:56 +0000 (00:33 +0200)
diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb

index 3eeca585e8302eeb0b0df72ecd9c73b0be4f9ca7..cb6e407480b2342a29564685e1f15d60c69f5d82 100644 (file)
--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
@@ -30,14 +30,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService
      return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
  
      webfinger                            = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
-    confirmed_username, confirmed_domain = split_acct(webfinger.subject)
+    @username, @domain                   = split_acct(webfinger.subject)
      self_reference                       = webfinger.link('self')
  
+    return false unless @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
      return false if self_reference&.href != @uri
  
-    @username = confirmed_username
-    @domain   = confirmed_domain
-
      true
    rescue Goldfinger::Error
      false
author	Eugen Rochko <eugen@zeonfederated.com>
	Tue, 3 Oct 2017 22:33:56 +0000 (00:33 +0200)
committer	GitHub <noreply@github.com>
	Tue, 3 Oct 2017 22:33:56 +0000 (00:33 +0200)