Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-02 03:55:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: check origin only if object is a string

Browse Source
This commit is contained in:
Julian Lam
2024-02-21 14:05:54 -05:00
parent a94341f489
commit 92a8951bca
2 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/middleware/activitypub.js
View File

@@ -48,10 +48,12 @@ middleware.validate = async function (req, res, next) {
const { actor, object } = req.body;
// Origin checking
const actorHostname = new URL(actor).hostname;
const objectHostname = new URL(typeof object === 'string' ? object : object.id).hostname;
if (actorHostname !== objectHostname) {
return res.sendStatus(403);
if (typeof object !== 'string') {
const actorHostname = new URL(actor).hostname;
const objectHostname = new URL(object.id).hostname;
if (actorHostname !== objectHostname) {
return res.sendStatus(403);
}
}
// Cross-check key ownership against received actor