tarrien/Mastodon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix possibility of unrightful webfinger redirect (#2147)

Browse Source 
* Fix possibility of unrightful webfinger redirect

* Add more tests for FollowRemoteAccountService
This commit is contained in:
Eugen
2017-04-19 17:28:35 +02:00
committed by GitHub
parent 708bdd53f1
commit 1d47910d3b
2 changed files with 38 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/services/follow_remote_account_service.rb
View File

@ -10,7 +10,7 @@ class FollowRemoteAccountService < BaseService
# important information from their feed
# @param [String] uri User URI in the form of username@domain
# @return [Account]
def call(uri)
def call(uri, redirected = nil)
username, domain = uri.split('@')
return Account.find_local(username) if TagManager.instance.local_domain?(domain)
@ -24,8 +24,14 @@ class FollowRemoteAccountService < BaseService
raise Goldfinger::Error, 'Missing resource links' if data.link('http://schemas.google.com/g/2010#updates-from').nil? || data.link('salmon').nil? || data.link('http://webfinger.net/rel/profile-page').nil? || data.link('magic-public-key').nil?
# Disallow account hijacking
confirmed_username, confirmed_domain = data.subject.gsub(/\Aacct:/, '').split('@')
unless confirmed_username.casecmp(username).zero? && confirmed_domain.casecmp(domain).zero?
return call("#{confirmed_username}@#{confirmed_domain}", true) if redirected.nil?
raise Goldfinger::Error, 'Requested and returned acct URI do not match'
end
return Account.find_local(confirmed_username) if TagManager.instance.local_domain?(confirmed_domain)
confirmed_account = Account.find_remote(confirmed_username, confirmed_domain)