diff options
| author | Haelwenn (lanodan) Monnier <contact@hacktivis.me> | 2020-02-15 00:35:46 +0100 |
|---|---|---|
| committer | Haelwenn (lanodan) Monnier <contact@hacktivis.me> | 2020-02-15 00:36:09 +0100 |
| commit | 1257331291f27b55340a4ccca459a2673f3f37c2 (patch) | |
| tree | 8d54b966b0fbffae541a2e123032c45a3322a9d6 | |
| parent | 5fcee577f9713d9432115f8e3b51c3de2aef6fd0 (diff) | |
MastodonAPI.StatusView: Do not use site_name
site_name allow to spoof the origin of the domain and so hacks like:
<!-- served on https://hacktivis.me/tmp/joinmastodon.org.html -->
<meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" />
<meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" />
<meta property="og:site_name" content="joinmastodon.org" />
<meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">
| -rw-r--r-- | lib/pleroma/web/mastodon_api/views/status_view.ex | 4 | ||||
| -rw-r--r-- | test/web/mastodon_api/views/status_view_test.exs | 4 |
2 files changed, 3 insertions, 5 deletions
diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex index e1e92034f..d4695c1c6 100644 --- a/lib/pleroma/web/mastodon_api/views/status_view.ex +++ b/lib/pleroma/web/mastodon_api/views/status_view.ex @@ -321,11 +321,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do nil end - site_name = rich_media[:site_name] || page_url_data.host - %{ type: "link", - provider_name: site_name, + provider_name: page_url_data.host, provider_url: page_url_data.scheme <> "://" <> page_url_data.host, url: page_url, image: image_url |> MediaProxy.url(), diff --git a/test/web/mastodon_api/views/status_view_test.exs b/test/web/mastodon_api/views/status_view_test.exs index ba58e48e8..560f8179f 100644 --- a/test/web/mastodon_api/views/status_view_test.exs +++ b/test/web/mastodon_api/views/status_view_test.exs @@ -491,7 +491,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do title: "Example website" } - %{provider_name: "Example site name"} = + %{provider_name: "example.com"} = StatusView.render("card.json", %{page_url: page_url, rich_media: card}) end @@ -506,7 +506,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do description: "Example description" } - %{provider_name: "Example site name"} = + %{provider_name: "example.com"} = StatusView.render("card.json", %{page_url: page_url, rich_media: card}) end end |