Improve detecting suspicious ActivityStreams keys

Using string comparison on the whole key does not work, as some keys
will be given prefixes during expansion. We need to check if the payload
has keys that _contain_ the suspicious keywords we're looking for.


(cherry picked from commit 0c7731bb76)

Co-authored-by: Harald Eilertsen <haraldei@anduin.net>
Mario
2026-05-18 19:06:06 +00:00
parent 519b52ccdc
commit 607a5488d6

@@ -156,7 +156,15 @@ class LDSignatures {
if (is_array($data)) {
foreach ($data as $key => $value) {
if (in_array($key, $unsafe_keys)) {
//
// We can't use `in_array` since the keys may contain more than
// just the keyword after expansion, typically "_:@included"
// for an unnamed node with the "@included" key.
//
// So we use `array_filter` with a callback instead:
$matches = array_filter($unsafe_keys, fn ($k) => strpos($key, $k) !== false);
if (!empty($matches)) {
return true;
}
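
Review bot: the `strpos($key, $k) !== false` test in the `array_filter` callback matches a keyword anywhere inside the key, so a key that merely contains one of the `$unsafe_keys` strings as a substring is also flagged. The comment's own example, "_:@included", has the keyword at the end after a prefix; if that is the only shape expansion produces, `str_ends_with($key, $k)` (PHP 8) would be a tighter check, and if other shapes are expected the comment should list them. Since `$data` is only known to be an array, `$key` can be an integer for list-style arrays, so cast it with `(string) $key` before passing it to a string function. Only the existence of a match is used, so a plain loop that returns on the first hit would avoid building `$matches`. A test case with a prefixed key such as the one in the comment would pin down the intended behaviour.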