diff options
| author | Haelwenn (lanodan) Monnier <contact@hacktivis.me> | 2020-02-15 00:35:46 +0100 |
|---|---|---|
| committer | Haelwenn (lanodan) Monnier <contact@hacktivis.me> | 2020-02-15 00:36:09 +0100 |
| commit | 1257331291f27b55340a4ccca459a2673f3f37c2 (patch) | |
| tree | 8d54b966b0fbffae541a2e123032c45a3322a9d6 /lib | |
| parent | 5fcee577f9713d9432115f8e3b51c3de2aef6fd0 (diff) | |
| download | pleroma-1257331291f27b55340a4ccca459a2673f3f37c2.tar.gz pleroma-1257331291f27b55340a4ccca459a2673f3f37c2.zip | |
MastodonAPI.StatusView: Do not use site_name
site_name allow to spoof the origin of the domain and so hacks like:
<!-- served on https://hacktivis.me/tmp/joinmastodon.org.html -->
<meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" />
<meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" />
<meta property="og:site_name" content="joinmastodon.org" />
<meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/mastodon_api/views/status_view.ex | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex index e1e92034f..d4695c1c6 100644 --- a/lib/pleroma/web/mastodon_api/views/status_view.ex +++ b/lib/pleroma/web/mastodon_api/views/status_view.ex @@ -321,11 +321,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do nil end - site_name = rich_media[:site_name] || page_url_data.host - %{ type: "link", - provider_name: site_name, + provider_name: page_url_data.host, provider_url: page_url_data.scheme <> "://" <> page_url_data.host, url: page_url, image: image_url |> MediaProxy.url(), |