summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorHaelwenn (lanodan) Monnier <contact@hacktivis.me>2020-02-15 00:35:46 +0100
committerHaelwenn (lanodan) Monnier <contact@hacktivis.me>2020-02-15 00:36:09 +0100
commit1257331291f27b55340a4ccca459a2673f3f37c2 (patch)
tree8d54b966b0fbffae541a2e123032c45a3322a9d6 /lib
parent5fcee577f9713d9432115f8e3b51c3de2aef6fd0 (diff)
downloadpleroma-1257331291f27b55340a4ccca459a2673f3f37c2.tar.gz
pleroma-1257331291f27b55340a4ccca459a2673f3f37c2.zip
MastodonAPI.StatusView: Do not use site_name
site_name allow to spoof the origin of the domain and so hacks like: <!-- served on https://hacktivis.me/tmp/joinmastodon.org.html --> <meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" /> <meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" /> <meta property="og:site_name" content="joinmastodon.org" /> <meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/web/mastodon_api/views/status_view.ex4
1 files changed, 1 insertions, 3 deletions
diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex
index e1e92034f..d4695c1c6 100644
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@@ -321,11 +321,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
nil
end
- site_name = rich_media[:site_name] || page_url_data.host
-
%{
type: "link",
- provider_name: site_name,
+ provider_name: page_url_data.host,
provider_url: page_url_data.scheme <> "://" <> page_url_data.host,
url: page_url,
image: image_url |> MediaProxy.url(),