From 1232cfc86a846807207fa26de81cb82bbc0d8e66 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 15 Feb 2024 21:22:41 -0700 Subject: [PATCH 1/2] Update ActivityPubFetchService, enforce stricter Content-Type validation --- app/Services/ActivityPubFetchService.php | 81 +++++++++++++++--------- 1 file changed, 52 insertions(+), 29 deletions(-) diff --git a/app/Services/ActivityPubFetchService.php b/app/Services/ActivityPubFetchService.php index cbf153ecb..4b515859c 100644 --- a/app/Services/ActivityPubFetchService.php +++ b/app/Services/ActivityPubFetchService.php @@ -11,38 +11,61 @@ use Illuminate\Http\Client\RequestException; class ActivityPubFetchService { - public static function get($url, $validateUrl = true) - { + public static function get($url, $validateUrl = true) + { if($validateUrl === true) { - if(!Helpers::validateUrl($url)) { - return 0; - } + if(!Helpers::validateUrl($url)) { + return 0; + } } - $baseHeaders = [ - 'Accept' => 'application/activity+json, application/ld+json', - ]; + $baseHeaders = [ + 'Accept' => 'application/activity+json, application/ld+json', + ]; - $headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get'); - $headers['Accept'] = 'application/activity+json, application/ld+json'; - $headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')'; + $headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get'); + $headers['Accept'] = 'application/activity+json, application/ld+json'; + $headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')'; - try { - $res = Http::withOptions(['allow_redirects' => false])->withHeaders($headers) - ->timeout(30) - ->connectTimeout(5) - ->retry(3, 500) - ->get($url); - } catch (RequestException $e) { - return; - } catch (ConnectionException $e) { - return; - } catch (Exception $e) { - return; - } - if(!$res->ok()) { - return; - } - return $res->body(); - } + try { + $res = Http::withOptions(['allow_redirects' => false]) + ->withHeaders($headers) + ->timeout(30) + ->connectTimeout(5) + ->retry(3, 500) + ->get($url); + } catch (RequestException $e) { + return; + } catch (ConnectionException $e) { + return; + } catch (Exception $e) { + return; + } + + if(!$res->ok()) { + return; + } + + if(!$res->hasHeader('Content-Type')) { + return; + } + + $acceptedTypes = [ + 'application/activity+json; charset=utf-8', + 'application/activity+json', + 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' + ]; + + $contentType = $res->getHeader('Content-Type')[0]; + + if(!$contentType) { + return; + } + + if(!in_array($contentType, $acceptedTypes)) { + return; + } + + return $res->body(); + } } From df5e61266c66b1b3537946723bf6d2feb0d4a551 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Thu, 15 Feb 2024 21:23:00 -0700 Subject: [PATCH 2/2] Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d01a049fb..e3ddb7c15 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ - Update ApiV1Controller, fix network timeline ([0faf59e3](https://github.com/pixelfed/pixelfed/commit/0faf59e3)) - Update public/network timelines, fix non-redis response and fix reblogs in home feed ([8b4ac5cc](https://github.com/pixelfed/pixelfed/commit/8b4ac5cc)) - Update Federation, use proper Content-Type headers for following/follower collections ([fb0bb9a3](https://github.com/pixelfed/pixelfed/commit/fb0bb9a3)) +- Update ActivityPubFetchService, enforce stricter Content-Type validation ([1232cfc8](https://github.com/pixelfed/pixelfed/commit/1232cfc8)) - ([](https://github.com/pixelfed/pixelfed/commit/)) ## [v0.11.11 (2024-02-09)](https://github.com/pixelfed/pixelfed/compare/v0.11.10...v0.11.11)