Verify object ID when processing Update(Person) activity

2022-01-03 23:45:18 +00:00 · 2022-01-03 23:45:18 +00:00 · 5dc07c3742
parent d045df4232
commit 5dc07c3742
1 changed files with 3 additions and 0 deletions
--- a/src/activitypub/receiver.rs
+++ b/src/activitypub/receiver.rs
@ -581,6 +581,9 @@ pub async fn receive_activity(
            let actor_value = activity.object.clone();
            let actor: Actor = serde_json::from_value(activity.object)
                .map_err(|_| ValidationError("invalid actor data"))?;
+            if actor.id != activity.actor {
+                return Err(HttpError::ValidationError("actor ID mismatch".into()));
+            };
            let profile = get_profile_by_actor_id(db_client, &actor.id).await?;
            let (avatar, banner) = fetch_avatar_and_banner(&actor, &config.media_dir()).await
                .map_err(|_| ValidationError("failed to fetch image"))?;