Commit 352d732a authored by Dennis Schubert

Disable fetching of root posts for relayables

since that could allow fetching spoofed/altered posts
thanks @supertux88
parent 6270e222
# #
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in when we moved out the federation into its own library and are able to implement further validation during fetches.
# #
## Refactor ## Refactor
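Review bot: the second changelog sentence has a grammar slip ("We will re-enable the fetching in when we moved out the federation into its own library"); suggest "We will re-enable fetching once the federation code has been moved into its own library and further validation can be performed during fetches." The entry also names the impact (spoofed or modified posts attributed to any person) without pointing at a tracking issue or advisory; adding that reference would help operators deciding whether to upgrade.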
...@@ -40,7 +40,7 @@ module Federated ...@@ -40,7 +40,7 @@ module Federated
end end
def fetch_parent guid def fetch_parent guid
Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle raise Diaspora::PostNotFetchable
end end
end end
end end
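Review bot: `fetch_parent` now unconditionally raises `Diaspora::PostNotFetchable`, leaving the `guid` parameter unused and giving a future reader no hint why the fetch was removed; suggest a short comment above the `raise` stating that root-post fetching for relayables is disabled until fetched parents can be validated against their author (the reason given in the changelog and commit message), so the stub is not mistaken for dead code and is easy to find when fetching is re-enabled. Since the old path called `Diaspora::Fetcher::Single.find_or_fetch_from_remote`, any callers that relied on a parent being returned will now see the exception instead; the hunk does not show them, so it is worth confirming they already rescue `PostNotFetchable`.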