From 0e1b0f2747af373e3d51251337f40bfff13ef160 Mon Sep 17 00:00:00 2001 From: ThibG Date: Wed, 4 Oct 2017 09:59:28 +0200 Subject: [PATCH] Check Webfinger-returned author URI even when not redirected (#5213) The whole point of verified_webfinger? is to check the WebFinger-discoverable URI maps back to the known author URI. This was not actually verified if the first Webfinger request was not a redirection. --- app/services/activitypub/fetch_remote_account_service.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb index e6c6338be5..d6ba625a9a 100644 --- a/app/services/activitypub/fetch_remote_account_service.rb +++ b/app/services/activitypub/fetch_remote_account_service.rb @@ -31,7 +31,7 @@ class ActivityPub::FetchRemoteAccountService < BaseService webfinger = Goldfinger.finger("acct:#{@username}@#{@domain}") confirmed_username, confirmed_domain = split_acct(webfinger.subject) - return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero? + return webfinger.link('self')&.href == @uri if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero? webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}") @username, @domain = split_acct(webfinger.subject)