Fix: vulnerability where, when applying to a friend server, the domain could be spoofed to point at an unrelated inbox (#933)

KMY(雪あすか) 2024-12-04 08:15:13 +09:00 committed by GitHub
parent d3383fb188
commit 44bd33a3f4
GPG key ID: B5690EEEBB952194
4 changed files with 20 additions and 19 deletions


@ -116,6 +116,7 @@ class FriendDomain < ApplicationRecord
object: ActivityPub::TagManager::COLLECTIONS[:public],
# Cannot use inbox_url method because this model also has inbox_url column
# This is deprecated property. Newer version's kmyblue will ignore it.
inboxUrl: "https://#{Rails.configuration.x.web_domain}/inbox",
}
end
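Review bot: the new comment in this hunk ("# This is deprecated property. Newer version's kmyblue will ignore it.") explains why the property is still emitted, but it does not say what receivers should use instead, which is the whole point of the fix given the commit title (the supplied inbox could be spoofed independently of the domain). Consider making the comment explicit about the contract, e.g. "# Deprecated: receivers must derive the inbox from the sender's domain rather than trusting this value; kept only for older kmyblue versions", so that nobody reintroduces trust in `inboxUrl` on the receiving side. Minor grammar: "This is a deprecated property". The receiving-side change that stops honouring `inboxUrl` is not in this hunk, so its correctness cannot be reviewed from these lines alone.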