Streams/streams
Streams/streams
1
0
Fork 0
mirror of https://codeberg.org/streams/streams.git synced 2024-09-20 02:15:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improved defenses against meta/threads - including checking site allowed list for actor fetches; which were previously considered public knowledge

Browse source
This commit is contained in:
Mike Macgirvin 2023-08-31 07:03:21 +10:00
parent 504528a38f
commit 354505c87e
1 changed files with 22 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
Code/Module/Channel.php
View file

@ -131,16 +131,37 @@ class Channel extends Controller
if (intval($channel['channel_system'])) {
goaway(z_root());
}
$sigdata = HTTPSig::verify(EMPTY_STR);
if ($sigdata['portable_id'] && $sigdata['header_valid']) {
$portable_id = $sigdata['portable_id'];
if (!check_channelallowed($portable_id)) {
http_status_exit(403, 'Permission denied');
}
if (!check_siteallowed($sigdata['signer'])) {
http_status_exit(403, 'Permission denied');
}
observer_auth($portable_id);
}
as_return_and_die(Activity::encode_person($channel, true, true), $channel);
}
// handle zot6 channel discovery
if (Libzot::is_nomad_request()) {
$sigdata = HTTPSig::verify(file_get_contents('php://input'), EMPTY_STR, 'zot6');
$sigdata = HTTPSig::verify(($_SERVER['REQUEST_METHOD'] === 'POST') ? file_get_contents('php://input') : '', EMPTY_STR, 'zot6');
if ($sigdata && $sigdata['signer'] && $sigdata['header_valid']) {
$portable_id = $sigdata['portable_id'];
if (!check_channelallowed($portable_id)) {
http_status_exit(403, 'Permission denied');
}
if (!check_siteallowed($sigdata['signer'])) {
http_status_exit(403, 'Permission denied');
}
$data = json_encode(Libzot::zotinfo(['guid_hash' => $channel['channel_hash'], 'target_url' => $sigdata['signer']]));
$s = q(
"select site_crypto, hubloc_sitekey from site left join hubloc on hubloc_url = site_url where hubloc_id_url = '%s' and hubloc_network in ('nomad','zot6') and hubloc_deleted = 0 order by hubloc_id desc limit 1",