From 69e807214de228c03c16b1f4dce9c211381919d1 Mon Sep 17 00:00:00 2001 From: fr33domlover Date: Sun, 17 Feb 2019 00:32:38 +0000 Subject: [PATCH] Even if we have the specified keyid in the DB, check AP actor header if present Previously, when verifying an HTTP signature and we find out we have the provided keyid in the DB, and this key is a personal key, we would just grab the key owner from the DB and ignore the ActivityPub-Actor header. This patch adds a check: If we find the key in the DB and it's a personal key, do grab the owner from that DB row, but also check the actor header: If it's provided, it has to be identical to the key owner ID URI. --- src/Vervis/Foundation.hs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/Vervis/Foundation.hs b/src/Vervis/Foundation.hs index 1d563ab..c432cbd 100644 --- a/src/Vervis/Foundation.hs +++ b/src/Vervis/Foundation.hs @@ -699,7 +699,13 @@ instance YesodHttpSig App where Just (Entity vkid vk, mremote) -> do (ua, s) <- case mremote of - Just remote -> return (remoteSharerIdent remote, False) + Just remote -> do + let sharer = remoteSharerIdent remote + for_ muActorHeader $ \ u -> + if sharer == u + then return () + else throwE "Key's owner doesn't match actor header" + return (sharer, False) Nothing -> case muActorHeader of Nothing -> throwE "Got a sig with an instance key, but actor header not specified!"