diff options
author | Eugen Rochko <eugen@zeonfederated.com> | 2017-04-27 17:06:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-27 17:06:47 +0200 |
commit | 2af4f3c4e22ab9a28a7fca49bee0ee2ed6256f27 (patch) | |
tree | 073f68695a0da1ee7dcf2f909a449b60286ad3f4 /app/services/fetch_remote_status_service.rb | |
parent | b8e7eee8372f927a5a3b51e95db3707d34c4ac4b (diff) |
Improve shared status verification (#2525)
* Instead of parsing shared status contents verbatim, make roundtrip
to purported original URL. Confirm that the "original" URL is from the
same domain as the author it claims to be from.
* Fix obvious typo, add comment
* Use URI look-up first
* Add test, update Goldfinger dependency to make less useless HTTP requests per Webfinger lookup
Diffstat (limited to 'app/services/fetch_remote_status_service.rb')
-rw-r--r-- | app/services/fetch_remote_status_service.rb | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/app/services/fetch_remote_status_service.rb b/app/services/fetch_remote_status_service.rb index c666961ad28..5a454808e59 100644 --- a/app/services/fetch_remote_status_service.rb +++ b/app/services/fetch_remote_status_service.rb @@ -39,9 +39,19 @@ class FetchRemoteStatusService < BaseService Rails.logger.debug "Going to webfinger #{username}@#{domain}" - return FollowRemoteAccountService.new.call("#{username}@#{domain}") + account = FollowRemoteAccountService.new.call("#{username}@#{domain}") + + # If the author's confirmed URLs do not match the domain of the URL + # we are reading this from, abort + return nil unless confirmed_domain?(domain, account) + + account rescue Nokogiri::XML::XPath::SyntaxError Rails.logger.debug 'Invalid XML or missing namespace' nil end + + def confirmed_domain?(domain, account) + domain.casecmp(account.domain).zero? || domain.casecmp(Addressable::URI.parse(account.remote_url).normalize.host).zero? + end end |