
Compact LD-signed activities against well-known context

Merged dakkar requested to merge feature/stricter-json-ld-signature-check into develop

What does this PR do?

This is a fix for a possible spoofing attack. See also https://nvd.nist.gov/vuln/detail/CVE-2022-24307 for Mastodon, https://iceshrimp.dev/iceshrimp/iceshrimp/commit/febb499fcb5fe3d56ca79025e4b5851464660c38 from Iceshrimp and https://firefish.dev/firefish/firefish/-/commit/e790d6be90dfd5dc6471b650a54520761bb9d745 for Firefish.

Thanks to @tesaguri@fedibird.com for reporting and providing the patch.

I have compiled this, and the backend tests still run, but proper testing requires talking to other instances… we should deploy this to dev.joinsharkey.com and test it!

Contribution Guidelines

By submitting this merge request, you agree to follow our Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
  • I have made sure to test this pull request
