Disable fetching of root posts for relayables
since that could allow fetching spoofed/altered posts thanks @supertux88
This commit is contained in:
Dennis Schubert
parent
6270e22226
commit
352d732a37
2 changed files with 5 additions and 1 deletions
|
|
@ -1,5 +1,9 @@
|
||||||
# 0.5.7.1
|
# 0.5.7.1
|
||||||
|
|
||||||
|
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
|
||||||
|
|
||||||
|
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
|
||||||
|
|
||||||
# 0.5.7.0
|
# 0.5.7.0
|
||||||
|
|
||||||
## Refactor
|
## Refactor
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ module Federated
|
||||||
end
|
end
|
||||||
|
|
||||||
def fetch_parent guid
|
def fetch_parent guid
|
||||||
Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle
|
raise Diaspora::PostNotFetchable
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue