From 352d732a3753eb56ea096c1130d77544f4197a63 Mon Sep 17 00:00:00 2001
From: Dennis Schubert <mail@dennis-schubert.de>
Date: Tue, 8 Mar 2016 22:29:42 +0100
Subject: [PATCH] Disable fetching of root posts for relayables since that
 could allow fetching spoofed/altered posts thanks @supertux88

---
 Changelog.md               | 4 ++++
 lib/federated/relayable.rb | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index c96268784..57e971bd7 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,9 @@
 # 0.5.7.1
 
+This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
+
+Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
+
 # 0.5.7.0
 
 ## Refactor
diff --git a/lib/federated/relayable.rb b/lib/federated/relayable.rb
index 7a1b13d6c..cd5ec3b74 100644
--- a/lib/federated/relayable.rb
+++ b/lib/federated/relayable.rb
@@ -40,7 +40,7 @@ module Federated
     end
 
     def fetch_parent guid
-      Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle
+      raise Diaspora::PostNotFetchable
     end
   end
 end