-rw-r--r-- | lib/pleroma/object/containment.ex | 2 | ||||
-rw-r--r-- | lib/pleroma/web/static_fe/static_fe_controller.ex | 5 | ||||
-rw-r--r-- | test/object/containment_test.exs | 10 | ||||
-rw-r--r-- | test/web/static_fe/static_fe_controller_test.exs | 4 |
4 files changed, 19 insertions, 2 deletions
diff --git a/lib/pleroma/object/containment.ex b/lib/pleroma/object/containment.ex
index a1f9c1250..25aa32f60 100644
--- a/lib/pleroma/object/containment.ex
+++ b/lib/pleroma/object/containment.ex
@@ -64,6 +64,8 @@ defmodule Pleroma.Object.Containment do
 def contain_origin(id, %{"attributedTo" => actor} = params),
 do: contain_origin(id, Map.put(params, "actor", actor))
+ def contain_origin(_id, _data), do: :error
+
 def contain_origin_from_id(id, %{"id" => other_id} = _params) when is_binary(other_id) do
 id_uri = URI.parse(id)
 other_uri = URI.parse(other_id)
diff --git a/lib/pleroma/web/static_fe/static_fe_controller.ex b/lib/pleroma/web/static_fe/static_fe_controller.ex
index 5e60c82b0..ba44b8a4f 100644
--- a/lib/pleroma/web/static_fe/static_fe_controller.ex
+++ b/lib/pleroma/web/static_fe/static_fe_controller.ex
@@ -77,6 +77,11 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
 render(conn, "conversation.html", %{activities: timeline, meta: meta})
 else
+ %Activity{object: %Object{data: data}} ->
+ conn
+ |> put_status(:found)
+ |> redirect(external: data["url"] || data["external_url"] || data["id"])
+
 _ ->
 conn
 |> put_status(404)
diff --git a/test/object/containment_test.exs b/test/object/containment_test.exs
index 71fe5204c..7636803a6 100644
--- a/test/object/containment_test.exs
+++ b/test/object/containment_test.exs
@@ -17,6 +17,16 @@ defmodule Pleroma.Object.ContainmentTest do
 end
 describe "general origin containment" do
+ test "works for completely actorless posts" do
+ assert :error ==
+ Containment.contain_origin("https://glaceon.social/users/monorail", %{
+ "deleted" => "2019-10-30T05:48:50.249606Z",
+ "formerType" => "Note",
+ "id" => "https://glaceon.social/users/monorail/statuses/103049757364029187",
+ "type" => "Tombstone"
+ })
+ end
+
 test "contain_origin_from_id() catches obvious spoofing attempts" do
 data = %{
 "id" => "http://example.com/~alyssa/activities/1234.json"
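Review bot: The new catch-all `contain_origin(_id, _data)` clause carries no comment saying that rejecting is intentional, and in a containment check that is exactly the property a later edit must not weaken. I would add above it `# Fail closed: an object with neither "actor" nor "attributedTo" (e.g. a Tombstone) cannot be tied to an origin, so it is rejected.` The clause also has to stay the last `contain_origin/2` definition, since any clause placed after it can never match. The other clauses and the callers are outside the hunk, so whether every caller treats `:error` as a rejection is not visible here.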
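Review bot: The redirect target in the new `%Activity{object: %Object{data: data}}` clause is taken from a remote object's `url`/`external_url`/`id` and handed to `redirect(external: ...)` unchecked, so a federated server can make a local `/notice/:id` link send visitors to any location it chooses, and a `url` that is a list or map rather than a string will presumably raise instead of returning the 404. Resolve the target first and redirect only when it is a binary that parses to an http(s) URL with a host, falling back to the existing not-found response otherwise. The `with` head is outside the hunk, so it is not visible whether visibility is checked before this clause is reached; if a remote activity already fails the first match, a cached non-public status would also be answered with a 302 that discloses its remote URL.

```elixir
%Activity{object: %Object{data: data}} ->
  target = data["url"] || data["external_url"] || data["id"]

  with true <- is_binary(target),
       %URI{scheme: scheme, host: host} <- URI.parse(target),
       true <- scheme in ["http", "https"] and is_binary(host) do
    redirect(conn, external: target)
  else
    _ ->
      # … same 404 response as the existing `_ ->` clause (continues outside the hunk) …
  end
```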
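Review bot: The test name `works for completely actorless posts` does not say that the expected result is a rejection, which is the security property being pinned here. Something like `test "rejects objects with neither actor nor attributedTo" do` would make a future change from `:error` to `:ok` stand out in the test report. The enclosing `describe` block continues outside the hunk.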
diff --git a/test/web/static_fe/static_fe_controller_test.exs b/test/web/static_fe/static_fe_controller_test.exs
index effdfbeb3..b8fb67b22 100644
--- a/test/web/static_fe/static_fe_controller_test.exs
+++ b/test/web/static_fe/static_fe_controller_test.exs
@@ -151,7 +151,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
 assert html_response(conn, 404) =~ "not found"
 end
- test "404 for remote cached status", %{conn: conn} do
+ test "302 for remote cached status", %{conn: conn} do
 user = insert(:user)
 message = %{
@@ -175,7 +175,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
 |> put_req_header("accept", "text/html")
 |> get("/notice/#{activity.id}")
- assert html_response(conn, 404) =~ "not found"
+ assert html_response(conn, 302) =~ "redirected"
 end
 end
 end
|
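Review bot: The updated assertion `assert html_response(conn, 302) =~ "redirected"` in the second hunk checks only the status and body, not where the response sends the visitor, so a regression in how the redirect target is chosen would still pass. Assert the `Location` value as well, e.g. `assert redirected_to(conn, 302) == expected_url`, with `expected_url` taken from the fixture's object. The `message` map is defined outside both hunks, so the exact expected value is not visible here.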