From 221c8c771f0a275e4924f038b71c52dd4bf93b5f Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Sat, 28 Jul 2018 23:14:55 +0200
Subject: [PATCH] Prevent ActivityPub movedTo recursion (#8092)

Fix #8051
---
 app/services/activitypub/fetch_remote_account_service.rb | 4 ++--
 app/services/activitypub/process_account_service.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb
index 6fa4e9a1bdb..1ec9ee5dd63 100644
--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
@@ -7,14 +7,14 @@ class ActivityPub::FetchRemoteAccountService < BaseService
 # Should be called when uri has already been checked for locality
 # Does a WebFinger roundtrip on each call
- def call(uri, id: true, prefetched_body: nil)
+ def call(uri, id: true, prefetched_body: nil, break_on_redirect: false)
 @json = if prefetched_body.nil?
 fetch_resource(uri, id)
 else
 body_to_json(prefetched_body, compare_id: id ? uri : nil)
 end
- return unless supported_context? && expected_type?
+ return if !supported_context? || !expected_type? || (break_on_redirect && @json['movedTo'].present?)
 @uri = @json['id']
 @username = @json['preferredUsername']
diff --git a/app/services/activitypub/process_account_service.rb b/app/services/activitypub/process_account_service.rb
index 453253db405..7f95678b031 100644
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@@ -175,7 +175,7 @@ class ActivityPub::ProcessAccountService < BaseService
 def moved_account
 account = ActivityPub::TagManager.instance.uri_to_resource(@json['movedTo'], Account)
- account ||= ActivityPub::FetchRemoteAccountService.new.call(@json['movedTo'], id: true, break_on_redirect: true)
+ account ||= ActivityPub::FetchRemoteAccountService.new.call(@json['movedTo'], id: true, break_on_redirect: true)
 account
 end
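Review bot: The comment block above `call` in fetch_remote_account_service.rb is not updated for the new `break_on_redirect` keyword, and the widened guard now returns nil for three unrelated reasons that a caller cannot tell apart. I would add `# With break_on_redirect: true, returns nil when the fetched actor itself declares movedTo, so a chain of moves is followed for at most one hop` above the method. The `movedTo` value is supplied by the remote server, so reading `@json['movedTo']` is only safe if `supported_context?` already rejects a nil or non-Hash body; that helper is not visible here and should be confirmed. The body of `call` continues past the end of the hunk.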
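Review bot: In `moved_account` (process_account_service.rb) only the remote-fetch fallback is guarded; the `uri_to_resource` lookup on the line before it still returns a locally stored account even when that account has itself been marked as moved. Two already-known accounts that point at each other can therefore still be recorded as a cycle, which anything that later follows move targets would have to defend against. Treating a local result that already has a move target the same way as the remote case (returning nil) would close that gap. When the guard does fire, the method now returns nil with no trace, so a debug log line naming the skipped `movedTo` URI would help operators diagnose missing move targets; the caller that consumes the nil is outside this hunk.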