Disable fetching of root posts for relayables
since that could allow fetching spoofed/altered posts thanks @supertux88
This commit is contained in:
Dennis Schubert
parent
6270e22226
commit
352d732a37
2 changed files with 5 additions and 1 deletions
|
|
@ -1,5 +1,9 @@
|
|||
# 0.5.7.1
|
||||
|
||||
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
|
||||
|
||||
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
|
||||
|
||||
# 0.5.7.0
|
||||
|
||||
## Refactor
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ module Federated
|
|||
end
|
||||
|
||||
def fetch_parent guid
|
||||
Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle
|
||||
raise Diaspora::PostNotFetchable
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in a new issue