TheRON/core
1
0
Fork 0
mirror of https://framagit.org/hubzilla/core.git synced 2026-06-21 00:52:33 -04:00
Code Issues Packages Projects Releases Wiki Activity

Improve detecting suspicious ActivityStreams keys

Browse Source 
Using string comparison on the whole key does not work, as some keys
will be given prefixes during expansion. We need to check if the payload
has keys that _contain_ the suspicious keywords we're looking for.
This commit is contained in:
Harald Eilertsen
2026-05-09 18:30:28 +02:00
parent 62582509cd
commit 0c7731bb76
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
Zotlabs/Lib/LDSignatures.php
View File

@@ -156,7 +156,15 @@ class LDSignatures {
if (is_array($data)) {
foreach ($data as $key => $value) {
if (in_array($key, $unsafe_keys)) {
//
// We can't use `in_array` since the keys may contain more than
// just the keyword after expansion, typically "_:@included"
// for an unnamed node with the "@included" key.
//
// So we use `array_filter` with a callback instead:
$matches = array_filter($unsafe_keys, fn ($k) => strpos($key, $k) !== false);
if (!empty($matches)) {
return true;
}