add better origin checks for all activities

Ted Unangst 2019-05-21 13:56:15 -04:00
parent a11ab06762
commit d4d2483ee0
3 changed files with 26 additions and 17 deletions


@ -270,12 +270,6 @@ func needxonkid(user *WhatAbout, xid string) bool {
func savexonk(user *WhatAbout, x *Honk) {
if x.What == "eradicate" {
log.Printf("eradicating %s by %s", x.RID, x.Honker)
mh := re_unurl.FindStringSubmatch(x.Honker)
mr := re_unurl.FindStringSubmatch(x.RID)
if len(mh) < 2 || len(mr) < 2 || mh[1] != mr[1] {
log.Printf("not deleting owner mismatch")
return
}
xonk := getxonk(user.ID, x.RID)
if xonk != nil {
stmtZonkDonks.Exec(xonk.ID)
@ -382,6 +376,7 @@ func peeppeep() {
continue
}
t, _ := jsongetstring(j, "type")
origin := originate(f.XID)
if t == "OrderedCollection" {
items, _ := jsongetarray(j, "orderedItems")
if items == nil {
@ -395,7 +390,7 @@ func peeppeep() {
}
for _, item := range items {
xonk := xonkxonk(user, item)
xonk := xonkxonk(user, item, origin)
if xonk != nil {
savexonk(user, xonk)
}
@ -434,10 +429,10 @@ func newphone(a []string, obj map[string]interface{}) []string {
return a
}
func xonkxonk(user *WhatAbout, item interface{}) *Honk {
func xonkxonk(user *WhatAbout, item interface{}, origin string) *Honk {
depth := 0
maxdepth := 4
var xonkxonkfn func(item interface{}) *Honk
var xonkxonkfn func(item interface{}, origin string) *Honk
saveoneup := func(xid string) {
log.Printf("getting oneup: %s", xid)
@ -451,14 +446,14 @@ func xonkxonk(user *WhatAbout, item interface{}) *Honk {
return
}
depth++
xonk := xonkxonkfn(obj)
xonk := xonkxonkfn(obj, originate(xid))
if xonk != nil {
savexonk(user, xonk)
}
depth--
}
xonkxonkfn = func(item interface{}) *Honk {
xonkxonkfn = func(item interface{}, origin string) *Honk {
// id, _ := jsongetstring(item, "id")
what, _ := jsongetstring(item, "type")
dt, _ := jsongetstring(item, "published")
@ -484,6 +479,7 @@ func xonkxonk(user *WhatAbout, item interface{}) *Honk {
if err != nil {
log.Printf("error regetting: %s", err)
}
origin = originate(xid)
what = "bonk"
case "Create":
obj, _ = jsongetmap(item, "object")
@ -579,6 +575,10 @@ func xonkxonk(user *WhatAbout, item interface{}) *Honk {
}
}
}
if originate(xid) != origin {
log.Printf("original sin: %s <> %s", xid, origin)
return nil
}
audience = append(audience, who)
audience = oneofakind(audience)
@ -610,7 +610,7 @@ func xonkxonk(user *WhatAbout, item interface{}) *Honk {
return nil
}
return xonkxonkfn(item)
return xonkxonkfn(item, origin)
}
func rubadubdub(user *WhatAbout, req map[string]interface{}) {
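Review bot: The new guard `if originate(xid) != origin` in xonkxonkfn passes when both sides are the empty string, because originate returns "" for any URL its pattern does not match, and peeppeep (`origin := originate(f.XID)`) and saveoneup (`originate(xid)`) pass that value in unchecked. Treat an empty origin as a mismatch, e.g. `if origin == "" || originate(xid) != origin {`, so two unparseable ids never compare equal. In the Announce branch, `origin = originate(xid)` runs even after "error regetting" has been logged, which makes the later comparison trivially true on that path; whether obj is still the sender-supplied copy at that point is not visible in the hunk, so it deserves a second look. The first hunk also appears to drop the host comparison savexonk did for "eradicate", so deletes would now depend entirely on this guard. xonkxonk's body continues outside the hunks shown.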

14
fun.go

@ -252,6 +252,14 @@ func mentionize(s string) string {
var re_unurl = regexp.MustCompile("https://([^/]+).*/([^/]+)")
func originate(u string) string {
m := re_unurl.FindStringSubmatch(u)
if len(m) > 2 {
return m[1]
}
return ""
}
func honkerhandle(h string) string {
m := re_unurl.FindStringSubmatch(h)
if len(m) > 2 {
@ -427,14 +435,14 @@ func thoudostbitethythumb(userid int64, who []string, objid string) bool {
return false
}
func keymatch(keyname string, actor string, what string, userid int64) bool {
func keymatch(keyname string, actor string) string {
hash := strings.IndexByte(keyname, '#')
if hash == -1 {
hash = len(keyname)
}
owner := keyname[0:hash]
if owner == actor {
return true
return originate(actor)
}
return false
return ""
}
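Review bot: originate takes its answer from re_unurl, which is unanchored and captures the host as `[^/]+`, so the value now used as a trust boundary can come from an `https://` substring later in the string and carries any userinfo or port verbatim. Anchoring the pattern (`^https://([^/]+).*/([^/]+)`, bearing in mind honkerhandle shares it) or deriving the host with net/url and requiring the https scheme would make the comparison mean "same host" rather than "same regex capture". Hostname case is also compared as-is, which fails closed but may reject legitimate peers. originate should get a doc comment such as `// originate returns the host of an https URL, or "" if u does not look like one; "" must never be accepted as a matching origin.` keymatch, whose return changed from bool to string, needs the same one-line note that "" means the key owner and actor did not match.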


@ -304,7 +304,8 @@ func inbox(w http.ResponseWriter, r *http.Request) {
return
}
who, _ := jsongetstring(j, "actor")
if !keymatch(keyname, who, what, user.ID) {
origin := keymatch(keyname, who)
if origin == "" {
log.Printf("keyname actor mismatch: %s <> %s", keyname, who)
return
}
@ -357,7 +358,7 @@ func inbox(w http.ResponseWriter, r *http.Request) {
}
}
default:
xonk := xonkxonk(user, j)
xonk := xonkxonk(user, j, origin)
if xonk != nil {
savexonk(user, xonk)
}
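Review bot: The rejection at `if origin == ""` now covers two different failures, the key owner differing from the actor and the actor matching while originate(actor) returns "", yet both are logged as "keyname actor mismatch", which will mislead whoever reads the log during triage. keyname and who are remote-supplied and printed with `%s`; `log.Printf("keyname actor mismatch: %q <> %q", keyname, who)` keeps embedded newlines and control characters from forging log lines. Only the `default:` branch is shown receiving `origin`; the other cases of this switch lie outside the hunk, so whether they apply the same origin check cannot be confirmed from here.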