authorrinpatch <rinpatch@sdf.org>2020-11-03 13:59:18 +0000
committerrinpatch <rinpatch@sdf.org>2020-11-05 16:32:54 +0300
commit5116859f0e53a5b79a01f764fa3baf4c2110df1b (patch)
treea632077c2e8a72decbbcad50b103766fba666218 /lib
parent4d693b5e54b46c8863c463503d270a0d61d79c37 (diff)
Merge branch 'fix/object-attachment-spoof' into 'develop'
Fix object spoofing vulnerability in attachments. See merge request pleroma/secteam/pleroma!18
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/object/fetcher.ex20
1 files changed, 18 insertions, 2 deletions
diff --git a/lib/pleroma/object/fetcher.ex b/lib/pleroma/object/fetcher.ex
index 169298b34..ae4301738 100644
--- a/lib/pleroma/object/fetcher.ex
+++ b/lib/pleroma/object/fetcher.ex
@@ -232,8 +232,24 @@ defmodule Pleroma.Object.Fetcher do
|> sign_fetch(id, date)
case HTTP.get(id, headers) do
- {:ok, %{body: body, status: code}} when code in 200..299 ->
- {:ok, body}
+ {:ok, %{body: body, status: code, headers: headers}} when code in 200..299 ->
+ case List.keyfind(headers, "content-type", 0) do
+ {_, content_type} ->
+ case Plug.Conn.Utils.media_type(content_type) do
+ {:ok, "application", "activity+json", _} ->
+ {:ok, body}
+
+ {:ok, "application", "ld+json",
+ %{"profile" => "https://www.w3.org/ns/activitystreams"}} ->
+ {:ok, body}
+
+ _ ->
+ {:error, {:content_type, content_type}}
+ end
+
+ _ ->
+ {:error, {:content_type, nil}}
+ end
{:ok, %{status: code}} when code in [404, 410] ->
{:error, "Object has been deleted"}