Merge branch 'hotfix/0.5.7.1'

2016-03-08 22:53:49 +01:00 · 2016-03-08 22:53:49 +01:00 · 9a8cecd89c
commit 9a8cecd89c
parent 56ebcc7600 352d732a37
3 changed files with 8 additions and 2 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,3 +1,9 @@
+# 0.5.7.1
+
+This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
+
+Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
+
 # 0.5.7.0

 ## Refactor
--- a/config/defaults.yml
+++ b/config/defaults.yml
@ -4,7 +4,7 @@

 defaults:
  version:
-    number: "0.5.7.0" # Do not touch unless doing a release, do not backport the version number that's in master
+    number: "0.5.7.1" # Do not touch unless doing a release, do not backport the version number that's in master
  heroku: false
  environment:
    url: "http://localhost:3000/"
--- a/lib/federated/relayable.rb
+++ b/lib/federated/relayable.rb
@ -40,7 +40,7 @@ module Federated
    end

    def fetch_parent guid
-      Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle
+      raise Diaspora::PostNotFetchable
    end
  end
 end