Commit 352d732a authored by Dennis Schubert's avatar Dennis Schubert

Disable fetching of root posts for relayables

since that could allow fetching spoofed/altered posts
thanks @supertux88
parent 6270e222
# 0.5.7.1 # 0.5.7.1
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
# 0.5.7.0 # 0.5.7.0
## Refactor ## Refactor
......
...@@ -40,7 +40,7 @@ module Federated ...@@ -40,7 +40,7 @@ module Federated
end end
def fetch_parent guid def fetch_parent guid
Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle raise Diaspora::PostNotFetchable
end end
end end
end end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment