From 0c7731bb763e5e40fe3964691ec32cd175c13f29 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen <haraldei@anduin.net>
Date: Sat, 9 May 2026 18:30:28 +0200
Subject: [PATCH] Improve detecting suspicious ActivityStreams keys

Using string comparison on the whole key does not work, as some keys
will be given prefixes during expansion. We need to check if the payload
has keys that _contain_ the suspicious keywords we're looking for.
---
 Zotlabs/Lib/LDSignatures.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Zotlabs/Lib/LDSignatures.php b/Zotlabs/Lib/LDSignatures.php
index 190018f4c..6b8bc5c7d 100644
--- a/Zotlabs/Lib/LDSignatures.php
+++ b/Zotlabs/Lib/LDSignatures.php
@@ -156,7 +156,15 @@ class LDSignatures {
 
 		if (is_array($data)) {
 			foreach ($data as $key => $value) {
-				if (in_array($key, $unsafe_keys)) {
+				//
+				// We can't use `in_array` since the keys may contain more than
+				// just the keyword after expansion, typically "_:@included"
+				// for an unnamed node with the "@included" key.
+				//
+				// So we use `array_filter` with a callback instead:
+				$matches = array_filter($unsafe_keys, fn ($k) => strpos($key, $k) !== false);
+
+				if (!empty($matches)) {
 					return true;
 				}