Merge pull request #4930 from pixelfed/staging

Staging
2024-02-15 21:23:29 -07:00 · 2024-02-15 21:23:29 -07:00 · 0dc54e9ac0
parent af935c729b df5e61266c
commit 0dc54e9ac0
2 changed files with 53 additions and 29 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,7 @@
 - Update ApiV1Controller, fix network timeline ([0faf59e3](https://github.com/pixelfed/pixelfed/commit/0faf59e3))
 - Update public/network timelines, fix non-redis response and fix reblogs in home feed ([8b4ac5cc](https://github.com/pixelfed/pixelfed/commit/8b4ac5cc))
 - Update Federation, use proper Content-Type headers for following/follower collections ([fb0bb9a3](https://github.com/pixelfed/pixelfed/commit/fb0bb9a3))
+- Update ActivityPubFetchService, enforce stricter Content-Type validation ([1232cfc8](https://github.com/pixelfed/pixelfed/commit/1232cfc8))
 -  ([](https://github.com/pixelfed/pixelfed/commit/))

 ## [v0.11.11 (2024-02-09)](https://github.com/pixelfed/pixelfed/compare/v0.11.10...v0.11.11)
--- a/app/Services/ActivityPubFetchService.php
+++ b/app/Services/ActivityPubFetchService.php
@ -11,38 +11,61 @@ use Illuminate\Http\Client\RequestException;

 class ActivityPubFetchService
 {
-	public static function get($url, $validateUrl = true)
-	{
+    public static function get($url, $validateUrl = true)
+    {
        if($validateUrl === true) {
-    		if(!Helpers::validateUrl($url)) {
-    			return 0;
-    		}
+            if(!Helpers::validateUrl($url)) {
+                return 0;
+            }
        }

-		$baseHeaders = [
-			'Accept' => 'application/activity+json, application/ld+json',
-		];
+        $baseHeaders = [
+            'Accept' => 'application/activity+json, application/ld+json',
+        ];

-		$headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
-		$headers['Accept'] = 'application/activity+json, application/ld+json';
-		$headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
+        $headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
+        $headers['Accept'] = 'application/activity+json, application/ld+json';
+        $headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';

-		try {
-			$res = Http::withOptions(['allow_redirects' => false])->withHeaders($headers)
-				->timeout(30)
-				->connectTimeout(5)
-				->retry(3, 500)
-				->get($url);
-		} catch (RequestException $e) {
-			return;
-		} catch (ConnectionException $e) {
-			return;
-		} catch (Exception $e) {
-			return;
-		}
-		if(!$res->ok()) {
-			return;
-		}
-		return $res->body();
-	}
+        try {
+            $res = Http::withOptions(['allow_redirects' => false])
+                ->withHeaders($headers)
+                ->timeout(30)
+                ->connectTimeout(5)
+                ->retry(3, 500)
+                ->get($url);
+        } catch (RequestException $e) {
+            return;
+        } catch (ConnectionException $e) {
+            return;
+        } catch (Exception $e) {
+            return;
+        }
+
+        if(!$res->ok()) {
+            return;
+        }
+
+        if(!$res->hasHeader('Content-Type')) {
+            return;
+        }
+
+        $acceptedTypes = [
+            'application/activity+json; charset=utf-8',
+            'application/activity+json',
+            'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
+        ];
+
+        $contentType = $res->getHeader('Content-Type')[0];
+
+        if(!$contentType) {
+            return;
+        }
+
+        if(!in_array($contentType, $acceptedTypes)) {
+            return;
+        }
+
+        return $res->body();
+    }
 }