projects / akkoma / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 99bc175) | patch
Fix object spoofing vulnerability in attachments
authorrinpatch <rinpatch@sdf.org>
Wed, 28 Oct 2020 15:08:23 +0000 (18:08 +0300)
committerrinpatch <rinpatch@sdf.org>
Thu, 12 Nov 2020 12:25:33 +0000 (15:25 +0300)
commit6ca709816f74f1171423c7bc040619fca57a2087
treec63d54e69018c195279ff946f8f3990b25215ceftree | snapshot
parent99bc175f0257fb0cb9275cba94df662ed219eacfcommit | diff
Fix object spoofing vulnerability in attachments

Validate the content-type of the response when fetching an object,
according to https://www.w3.org/TR/activitypub/#x3-2-retrieving-objects.

content-type headers had to be added to many mocks in order to support
this, some of this was done with a regex. While I did go over the
resulting files to check I didn't modify anything unrelated, there is a
 possibility I missed something.

Closes pleroma#1948
lib/pleroma/object/fetcher.ex diff | blob | history
test/fixtures/spoofed-object.json [new file with mode: 0644] blob
test/pleroma/object/fetcher_test.exs diff | blob | history
test/pleroma/object_test.exs diff | blob | history
test/pleroma/web/activity_pub/activity_pub_test.exs diff | blob | history
test/pleroma/web/activity_pub/transmogrifier/announce_handling_test.exs diff | blob | history
test/pleroma/web/activity_pub/transmogrifier/article_handling_test.exs diff | blob | history
test/pleroma/web/activity_pub/transmogrifier/audio_handling_test.exs diff | blob | history
test/pleroma/web/activity_pub/transmogrifier/event_handling_test.exs diff | blob | history
test/support/http_request_mock.ex diff | blob | history
Fork of https://akkoma.dev/AkkomaGang/akkoma.git