Merge branch 'fix/bypass-authorized-fetch-mode-json' into 'develop'

Prevent using a .json format to bypass authorized fetch mode See merge request pleroma/pleroma!3908
2023-06-22 10:35:56 +00:00 · 2023-06-22 10:35:56 +00:00 · 4367579949
commit 4367579949
parent 589301ce06 994bfc4c09
2 changed files with 2 additions and 1 deletions
--- a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix
+++ b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix
@ -0,0 +1 @@
+Prevent using the .json format to bypass authorized fetch mode
--- a/lib/pleroma/web/plugs/http_signature_plug.ex
+++ b/lib/pleroma/web/plugs/http_signature_plug.ex
@ -16,7 +16,7 @@ defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
  end

  def call(conn, _opts) do
-    if get_format(conn) == "activity+json" do
+    if get_format(conn) in ["json", "activity+json"] do
      conn
      |> maybe_assign_valid_signature()
      |> maybe_require_signature()
				`@ -0,0 +1 @@`
				`Prevent using the .json format to bypass authorized fetch mode`