-rw-r--r--changelog.d/prevent-bypassing-authorized-fetch-mode.fix1
-rw-r--r--lib/pleroma/web/plugs/http_signature_plug.ex2
2 files changed, 2 insertions, 1 deletions
diff --git a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix
new file mode 100644
index 000000000..12f7260d7
--- /dev/null
+++ b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix
@@ -0,0 +1 @@
+Prevent using the .json format to bypass authorized fetch mode
\ No newline at end of file
diff --git a/lib/pleroma/web/plugs/http_signature_plug.ex b/lib/pleroma/web/plugs/http_signature_plug.ex
index 4bf325218..e814efc2c 100644
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@@ -16,7 +16,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
end
def call(conn, _opts) do
- if get_format(conn) == "activity+json" do
+ if get_format(conn) in ["json", "activity+json"] do
conn
|> maybe_assign_valid_signature()
|> maybe_require_signature()
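Review bot: The new `if get_format(conn) in ["json", "activity+json"] do` line is a hard-coded two-entry format list with no comment explaining why `"json"` is security-relevant, and the diffstat shows only the changelog and this plug changed, so no regression test accompanies the fix. I would add a comment above the condition such as `# "json" is checked as well: skipping it let .json requests bypass authorized fetch mode`, and a plug test that sends an unsigned `json`-format request with authorized fetch enabled and asserts it is rejected. It is also worth confirming that no other format reaching this plug can render the same objects, since any format not in the list presumably skips both signature steps. The rest of `call/2`, including whatever branch handles the non-matching formats, lies outside the hunk.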