Even if we have the specified keyid in the DB, check AP actor header if present
Previously, when verifying an HTTP signature and we find out we have the provided keyid in the DB, and this key is a personal key, we would just grab the key owner from the DB and ignore the ActivityPub-Actor header. This patch adds a check: If we find the key in the DB and it's a personal key, do grab the owner from that DB row, but also check the actor header: If it's provided, it has to be identical to the key owner ID URI.
This commit is contained in:
parent
fa5c509a25
commit
69e807214d
1 changed files with 7 additions and 1 deletions
@ -699,7 +699,13 @@ instance YesodHttpSig App where
Just (Entity vkid vk, mremote) -> do
(ua, s) <-
case mremote of
Just remote -> return (remoteSharerIdent remote, False)
Just remote -> do
let sharer = remoteSharerIdent remote
for_ muActorHeader $ \ u ->
if sharer == u
then return ()
else throwE "Key's owner doesn't match actor header"
return (sharer, False)
Nothing ->
case muActorHeader of
Nothing -> throwE "Got a sig with an instance key, but actor header not specified!"
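Review bot: the `for_ muActorHeader $ \ u -> if sharer == u then return () else throwE ...` block in the `Just remote` branch reads more directly as `for_ muActorHeader $ \ u -> unless (sharer == u) $ throwE "Key's owner doesn't match actor header"` (with `unless` from Control.Monad), which also removes the no-op `then return ()` arm. Before merging, confirm that `remoteSharerIdent remote` and the value parsed from the ActivityPub-Actor header are the same type and are compared after the same normalization, since a plain `==` on two URI representations that differ only in spelling (for example a trailing slash) would reject a legitimate signer; the commit message says the two must be identical, so it is worth stating in a comment what "identical" means here. Consider also including both values in the thrown message or a log line so operators can tell why a signature was rejected, rather than only "Key's owner doesn't match actor header".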