1
0
Fork 1
mirror of https://github.com/pixelfed/pixelfed.git synced 2024-12-23 08:14:10 +00:00

Update ActivityPubFetchService, enforce stricter Content-Type validation

This commit is contained in:
Daniel Supernault 2024-02-15 21:22:41 -07:00
parent 4c6ec20e36
commit 1232cfc86a
No known key found for this signature in database
GPG key ID: 23740873EE6F76A1

View file

@ -11,38 +11,61 @@ use Illuminate\Http\Client\RequestException;
class ActivityPubFetchService
{
public static function get($url, $validateUrl = true)
{
public static function get($url, $validateUrl = true)
{
if($validateUrl === true) {
if(!Helpers::validateUrl($url)) {
return 0;
}
if(!Helpers::validateUrl($url)) {
return 0;
}
}
$baseHeaders = [
'Accept' => 'application/activity+json, application/ld+json',
];
$baseHeaders = [
'Accept' => 'application/activity+json, application/ld+json',
];
$headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
$headers['Accept'] = 'application/activity+json, application/ld+json';
$headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
$headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
$headers['Accept'] = 'application/activity+json, application/ld+json';
$headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
try {
$res = Http::withOptions(['allow_redirects' => false])->withHeaders($headers)
->timeout(30)
->connectTimeout(5)
->retry(3, 500)
->get($url);
} catch (RequestException $e) {
return;
} catch (ConnectionException $e) {
return;
} catch (Exception $e) {
return;
}
if(!$res->ok()) {
return;
}
return $res->body();
}
try {
$res = Http::withOptions(['allow_redirects' => false])
->withHeaders($headers)
->timeout(30)
->connectTimeout(5)
->retry(3, 500)
->get($url);
} catch (RequestException $e) {
return;
} catch (ConnectionException $e) {
return;
} catch (Exception $e) {
return;
}
if(!$res->ok()) {
return;
}
if(!$res->hasHeader('Content-Type')) {
return;
}
$acceptedTypes = [
'application/activity+json; charset=utf-8',
'application/activity+json',
'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
];
$contentType = $res->getHeader('Content-Type')[0];
if(!$contentType) {
return;
}
if(!in_array($contentType, $acceptedTypes)) {
return;
}
return $res->body();
}
}