
my fork of honk

add better origin checks for all activities
Ted Unangst tedu@tedunangst.com
Tue, 21 May 2019 13:56:15 -0400
commit

0974e669a03327ccd4192421272bdc227ba46ed3

parent

f9fb2c73760045569f460dac473454ccfb4ea049

3 files changed, 26 insertions(+), 17 deletions(-)

M activity.goactivity.go

@@ -270,12 +270,6 @@

func savexonk(user *WhatAbout, x *Honk) { if x.What == "eradicate" { log.Printf("eradicating %s by %s", x.RID, x.Honker) - mh := re_unurl.FindStringSubmatch(x.Honker) - mr := re_unurl.FindStringSubmatch(x.RID) - if len(mh) < 2 || len(mr) < 2 || mh[1] != mr[1] { - log.Printf("not deleting owner mismatch") - return - } xonk := getxonk(user.ID, x.RID) if xonk != nil { stmtZonkDonks.Exec(xonk.ID)

@@ -382,6 +376,7 @@ log.Printf("err: %s", err)

continue } t, _ := jsongetstring(j, "type") + origin := originate(f.XID) if t == "OrderedCollection" { items, _ := jsongetarray(j, "orderedItems") if items == nil {

@@ -395,7 +390,7 @@ items, _ = jsongetarray(j, "orderedItems")

} for _, item := range items { - xonk := xonkxonk(user, item) + xonk := xonkxonk(user, item, origin) if xonk != nil { savexonk(user, xonk) }

@@ -434,10 +429,10 @@ }

return a } -func xonkxonk(user *WhatAbout, item interface{}) *Honk { +func xonkxonk(user *WhatAbout, item interface{}, origin string) *Honk { depth := 0 maxdepth := 4 - var xonkxonkfn func(item interface{}) *Honk + var xonkxonkfn func(item interface{}, origin string) *Honk saveoneup := func(xid string) { log.Printf("getting oneup: %s", xid)

@@ -451,14 +446,14 @@ log.Printf("error getting oneup: %s", err)

return } depth++ - xonk := xonkxonkfn(obj) + xonk := xonkxonkfn(obj, originate(xid)) if xonk != nil { savexonk(user, xonk) } depth-- } - xonkxonkfn = func(item interface{}) *Honk { + xonkxonkfn = func(item interface{}, origin string) *Honk { // id, _ := jsongetstring(item, "id") what, _ := jsongetstring(item, "type") dt, _ := jsongetstring(item, "published")

@@ -484,6 +479,7 @@ obj, err = GetJunk(xid)

if err != nil { log.Printf("error regetting: %s", err) } + origin = originate(xid) what = "bonk" case "Create": obj, _ = jsongetmap(item, "object")
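Review bot: `origin = originate(xid)` runs even when the preceding `GetJunk(xid)` fails, because that error is only logged. Whatever obj holds after the failed call (not visible in this hunk) is then processed under an origin that was never actually fetched from. Consider returning on the error, `if err != nil { log.Printf("error regetting: %s", err); return nil }`, so the origin is rebound only after a successful fetch. The enclosing switch case starts and ends outside the hunk.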

@@ -579,6 +575,10 @@ }

} } } + if originate(xid) != origin { + log.Printf("original sin: %s <> %s", xid, origin) + return nil + } audience = append(audience, who) audience = oneofakind(audience)
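Review bot: The new guard `if originate(xid) != origin` passes when both sides are the empty string, because originate returns "" for any value re_unurl does not match. The honk.go caller rejects an empty origin from keymatch, but the origins produced by `originate(f.XID)`, by `originate(xid)` in saveoneup and by the reassignment in the bonk case are not checked for emptiness in the visible hunks. An object whose id does not parse would therefore be accepted whenever its source did not parse either. Failing closed is a one-line change: `if origin == "" || originate(xid) != origin {`. The enclosing closure starts and ends outside this hunk.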

@@ -610,7 +610,7 @@ }

return nil } - return xonkxonkfn(item) + return xonkxonkfn(item, origin) } func rubadubdub(user *WhatAbout, req map[string]interface{}) {
M fun.gofun.go

@@ -252,6 +252,14 @@ }

var re_unurl = regexp.MustCompile("https://([^/]+).*/([^/]+)") +func originate(u string) string { + m := re_unurl.FindStringSubmatch(u) + if len(m) > 2 { + return m[1] + } + return "" +} + func honkerhandle(h string) string { m := re_unurl.FindStringSubmatch(h) if len(m) > 2 {
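Review bot: originate takes the origin from re_unurl, which is unanchored, so FindStringSubmatch returns the host following the first `https://` found anywhere in the string, not necessarily at the start of the id. The captured group `[^/]+` also keeps any userinfo in front of the host. Since this value now backs the authorization check, it would be stricter to parse with net/url and require an https scheme and a non-empty host. That needs a `net/url` import in fun.go, and the import block is not visible here. A sketch of the replacement follows; it also accepts ids with no path segment, which the regex does not.

```go
func originate(u string) string {
	p, err := url.Parse(u)
	if err != nil || p.Scheme != "https" || p.Host == "" {
		return ""
	}
	return p.Host
}
```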

@@ -427,14 +435,14 @@ }

return false } -func keymatch(keyname string, actor string, what string, userid int64) bool { +func keymatch(keyname string, actor string) string { hash := strings.IndexByte(keyname, '#') if hash == -1 { hash = len(keyname) } owner := keyname[0:hash] if owner == actor { - return true + return originate(actor) } - return false + return "" }
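Review bot: keymatch now returns a string that is both the match result and the origin, with "" as the failure sentinel, and nothing in the hunk documents that contract. "" is returned both when the key owner differs from the actor and when the actor matches but originate cannot extract a host, so the caller's "keyname actor mismatch" log line covers two distinct failures. A doc comment would make this explicit: `// keymatch returns the origin host of actor when keyname, minus any #fragment, equals actor; it returns "" on mismatch or when actor has no parseable https origin.`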
M honk.gohonk.go

@@ -304,7 +304,8 @@ if what == "Like" {

return } who, _ := jsongetstring(j, "actor") - if !keymatch(keyname, who, what, user.ID) { + origin := keymatch(keyname, who) + if origin == "" { log.Printf("keyname actor mismatch: %s <> %s", keyname, who) return }

@@ -357,7 +358,7 @@ log.Printf("unknown undo: %s", what)

} } default: - xonk := xonkxonk(user, j) + xonk := xonkxonk(user, j, origin) if xonk != nil { savexonk(user, xonk) }