mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-12-26 02:40:18 +00:00
c4cf4d7f0b
Such redirects on AP queries seem most likely to be a spoofing attempt. If the object is legit, the id should match the final domain anyway and users can directly use the canonical URL. The lack of such a check (and use of the initially queried domain’s authority instead of the final domain) was enabling the current exploit to even affect instances which already migrated away from a same-domain upload/proxy setup in the past, but retained a redirect to not break old attachments. (In theory this redirect could, with some effort, have been limited to only old files, but common guides employed a catch-all redirect, which allows even future uploads to be reachable via an initial query to the main domain) Same-domain redirects are valid and also used by ourselves, e.g. for redirecting /notice/XXX to /objects/YYY. |
||
---|---|---|
.. | ||
containment_test.exs | ||
fetcher_test.exs | ||
pruner_test.exs | ||
updater_test.exs |