From fedcdb204db420368401db92b81273764c1c18d6 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Tue, 25 Dec 2018 18:06:12 -0700
Subject: [PATCH 1/2] Update FederationController

---
 app/Http/Controllers/FederationController.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index b1e7d18cd..27b657b3a 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -191,6 +191,14 @@ XML;
 $id = Helpers::validateUrl($bodyDecoded['id']);
 $keyDomain = parse_url($keyId, PHP_URL_HOST);
 $idDomain = parse_url($id, PHP_URL_HOST);
+ if(isset($bodyDecoded['object'])
+ && is_array($bodyDecoded['object'])
+ && isset($bodyDecoded['object']['attributedTo'])
+ ) {
+ if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $idDomain) {
+ abort(400, 'Invalid request');
+ }
+ }
 if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) {
 abort(400, 'Invalid request');
 }

From eaaf8fbcd709ebb95668aa2b95ec6875bd740295 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Tue, 25 Dec 2018 18:07:32 -0700
Subject: [PATCH 2/2] Update FederationController

---
 app/Http/Controllers/FederationController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index 27b657b3a..c93b1b664 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -195,7 +195,7 @@ XML;
 && is_array($bodyDecoded['object'])
 && isset($bodyDecoded['object']['attributedTo'])
 ) {
- if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $idDomain) {
+ if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $keyDomain) {
 abort(400, 'Invalid request');
 }
 }
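Review bot: The new `attributedTo` check in the first hunk passes `$bodyDecoded['object']['attributedTo']` straight into `parse_url()` after only an `isset()`, but the value is attacker-supplied JSON and is not guaranteed to be a string; the `is_array($bodyDecoded['object'])` guard suggests the body is decoded to arrays, so a nested object or list there reaches `parse_url()` as an array, which raises a TypeError on PHP 8 (an unhandled 500 rather than the intended 400). A type guard placed before the comparison keeps the check fail-closed: `if (!is_string($bodyDecoded['object']['attributedTo'])) { abort(400, 'Invalid request'); }`. The same applies to the rewritten comparison in the second hunk, which only swaps `$idDomain` for `$keyDomain` and leaves the input unvalidated. It is also worth a one-line comment stating that the host of `attributedTo` must match the signing key's domain so the intent of the double check is clear; the enclosing method starts and ends outside both hunks, so whether `$keyId` has already been verified against the HTTP signature is not visible here.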