diff options
| author | Haelwenn <contact+git.pleroma.social@hacktivis.me> | 2023-06-22 10:35:56 +0000 |
|---|---|---|
| committer | Haelwenn <contact+git.pleroma.social@hacktivis.me> | 2023-06-22 10:35:56 +0000 |
| commit | 436757994944b142ba9716432bcac54b83fc1fef (patch) | |
| tree | 68fef33de9f83cd0a9a0e86635e101ff9f003853 | |
| parent | 589301ce0655c5a31d037f27fc1767e6dffb5381 (diff) | |
| parent | 994bfc4c095fae07cd1c61b0f91c80ec60080138 (diff) | |
| download | pleroma-436757994944b142ba9716432bcac54b83fc1fef.tar.gz pleroma-436757994944b142ba9716432bcac54b83fc1fef.zip | |
Merge branch 'fix/bypass-authorized-fetch-mode-json' into 'develop'
Prevent using a .json format to bypass authorized fetch mode
See merge request pleroma/pleroma!3908
| -rw-r--r-- | changelog.d/prevent-bypassing-authorized-fetch-mode.fix | 1 | ||||
| -rw-r--r-- | lib/pleroma/web/plugs/http_signature_plug.ex | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix new file mode 100644 index 000000000..12f7260d7 --- /dev/null +++ b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix @@ -0,0 +1 @@ +Prevent using the .json format to bypass authorized fetch mode
\ No newline at end of file diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex index 4bf325218..e814efc2c 100644 --- a/lib/pleroma/web/plugs/http_signature_plug.ex +++ b/lib/pleroma/web/plugs/http_signature_plug.ex @@ -16,7 +16,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do end def call(conn, _opts) do - if get_format(conn) == "activity+json" do + if get_format(conn) in ["json", "activity+json"] do conn |> maybe_assign_valid_signature() |> maybe_require_signature() |