From 607a5488d6a38d3f4d5889f5d9e4be5c2893cc36 Mon Sep 17 00:00:00 2001
From: Mario
Date: Mon, 18 May 2026 19:06:06 +0000
Subject: [PATCH] Improve detecting suspicious ActivityStreams keys
Using string comparison on the whole key does not work, as some keys will be given prefixes during expansion. We need to check if the payload has keys that _contain_ the suspicious keywords we're looking for.
(cherry picked from commit 0c7731bb763e5e40fe3964691ec32cd175c13f29)
Co-authored-by: Harald Eilertsen
---
 Zotlabs/Lib/LDSignatures.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Zotlabs/Lib/LDSignatures.php b/Zotlabs/Lib/LDSignatures.php
index 190018f4c..6b8bc5c7d 100644
--- a/Zotlabs/Lib/LDSignatures.php
+++ b/Zotlabs/Lib/LDSignatures.php
@@ -156,7 +156,15 @@ class LDSignatures {
 if (is_array($data)) {
 foreach ($data as $key => $value) {
- if (in_array($key, $unsafe_keys)) {
+ //
+ // We can't use `in_array` since the keys may contain more than
+ // just the keyword after expansion, typically "_:@included"
+ // for an unnamed node with the "@included" key.
+ //
+ // So we use `array_filter` with a callback instead:
+ $matches = array_filter($unsafe_keys, fn ($k) => strpos($key, $k) !== false);
+ if (!empty($matches)) {
 return true;
 }
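Review bot: `$key` in the new `strpos($key, $k)` call comes straight from `foreach ($data as $key => $value)`, so it is an integer whenever `$data` is a list, which nested JSON-LD arrays commonly are. The check then relies on implicit int-to-string coercion and would throw a `TypeError` if this file runs under `strict_types` (the declaration is not visible in the hunk). Casting makes the intent explicit: `$matches = array_filter($unsafe_keys, fn ($k) => strpos((string) $key, $k) !== false);`. Because this is a security filter and the patch touches only this one file, a regression test that feeds a payload with a `_:@included` key and expects `true` would keep the substring behaviour from silently regressing. The enclosing method starts and ends outside the hunk, so the contents of `$unsafe_keys` could not be checked here; an empty string in that list would make every key match.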