Check Webfinger-returned author URI even when not redirected (#5213)

The whole point of verified_webfinger? is to check the WebFinger-discoverable
URI maps back to the known author URI. This was not actually verified if the
first Webfinger request was not a redirection.
This commit is contained in:
ThibG 2017-10-04 09:59:28 +02:00 committed by Eugen Rochko
parent 5b2d855d86
commit dee5c22790

View file

@ -31,7 +31,7 @@ class ActivityPub::FetchRemoteAccountService < BaseService
webfinger = Goldfinger.finger("acct:#{@username}@#{@domain}") webfinger = Goldfinger.finger("acct:#{@username}@#{@domain}")
confirmed_username, confirmed_domain = split_acct(webfinger.subject) confirmed_username, confirmed_domain = split_acct(webfinger.subject)
return true if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero? return webfinger.link('self')&.href == @uri if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero?
webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}") webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}")
@username, @domain = split_acct(webfinger.subject) @username, @domain = split_acct(webfinger.subject)