Improved defenses against meta/threads, including checking the site allowed list for actor fetches, which were previously considered public knowledge
This commit is contained in:
parent
504528a38f
commit
354505c87e
1 changed files with 22 additions and 1 deletions
|
@ -131,16 +131,37 @@ class Channel extends Controller
|
|||
if (intval($channel['channel_system'])) {
|
||||
goaway(z_root());
|
||||
}
|
||||
|
||||
$sigdata = HTTPSig::verify(EMPTY_STR);
|
||||
if ($sigdata['portable_id'] && $sigdata['header_valid']) {
|
||||
$portable_id = $sigdata['portable_id'];
|
||||
if (!check_channelallowed($portable_id)) {
|
||||
http_status_exit(403, 'Permission denied');
|
||||
}
|
||||
if (!check_siteallowed($sigdata['signer'])) {
|
||||
http_status_exit(403, 'Permission denied');
|
||||
}
|
||||
observer_auth($portable_id);
|
||||
}
|
||||
|
||||
as_return_and_die(Activity::encode_person($channel, true, true), $channel);
|
||||
}
|
||||
|
||||
// handle zot6 channel discovery
|
||||
|
||||
if (Libzot::is_nomad_request()) {
|
||||
$sigdata = HTTPSig::verify(file_get_contents('php://input'), EMPTY_STR, 'zot6');
|
||||
$sigdata = HTTPSig::verify(($_SERVER['REQUEST_METHOD'] === 'POST') ? file_get_contents('php://input') : '', EMPTY_STR, 'zot6');
|
||||
|
||||
if ($sigdata && $sigdata['signer'] && $sigdata['header_valid']) {
|
||||
|
||||
$portable_id = $sigdata['portable_id'];
|
||||
if (!check_channelallowed($portable_id)) {
|
||||
http_status_exit(403, 'Permission denied');
|
||||
}
|
||||
if (!check_siteallowed($sigdata['signer'])) {
|
||||
http_status_exit(403, 'Permission denied');
|
||||
}
|
||||
|
||||
$data = json_encode(Libzot::zotinfo(['guid_hash' => $channel['channel_hash'], 'target_url' => $sigdata['signer']]));
|
||||
$s = q(
|
||||
"select site_crypto, hubloc_sitekey from site left join hubloc on hubloc_url = site_url where hubloc_id_url = '%s' and hubloc_network in ('nomad','zot6') and hubloc_deleted = 0 order by hubloc_id desc limit 1",
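Review bot: Both new allowlist checks sit inside the signature-validated blocks, so a request that carries no valid HTTP signature never reaches `check_channelallowed` or `check_siteallowed`; in the ActivityPub branch it falls straight through to `as_return_and_die(Activity::encode_person($channel, true, true), $channel)`, and the commit message suggests the goal was to stop disallowed sites from fetching the actor at all. If that is the intent, the endpoint needs to either require a valid signature or run the site check against whatever identity is available before the unconditional response. Separately, each branch gates on one identity field but passes the other to the allowlist: the first requires `portable_id` yet hands `$sigdata['signer']` to `check_siteallowed`, while the zot6 branch requires `signer` yet hands `$sigdata['portable_id']` to `check_channelallowed`, so either helper may receive an empty value whose allowlist semantics are not visible here. Tightening the conditions to `if ($sigdata['portable_id'] && $sigdata['signer'] && $sigdata['header_valid']) {` and `if ($sigdata && $sigdata['signer'] && $sigdata['portable_id'] && $sigdata['header_valid']) {` would make both checks operate on populated values. The enclosing method begins before this hunk and its body continues past it.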
|
||||
|
|