sam/pleroma
sam/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Do not hardcode path to the user used for signed fetches spoofing

Browse source
This commit is contained in:
Mint 2023-01-31 01:36:25 +03:00 committed by Sam Therapy
parent 77f28a4c91
commit dceebaed41
Signed by: sam
GPG key ID: 4D8B07C18F31ACBD
2 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
config/config.exs
View file

@ -370,7 +370,7 @@
overwrite this with your internal.fetch key rippen from donor instance DB
yes, just like that, newlines are important
-----END RSA PRIVATE KEY-----",
spoofed_instance: "https://funnydomain.example",
spoofed_user: "https://funnydomain.example/internal/fetch",
max_collection_objects: 50
config :pleroma, :streamer,

4
lib/pleroma/object/fetcher.ex
View file

@ -215,10 +215,10 @@ defp make_signature(id, date) do
else
""
end
spoofed_instance = Pleroma.Config.get([:activitypub, :spoofed_instance])
spoofed_user = Pleroma.Config.get([:activitypub, :spoofed_user])
signature = if Pleroma.Config.get([:activitypub, :spoof_object_fetch_signatures]) do
HTTPSignatures.sign(spoofed_key, spoofed_instance <> "/internal/fetch#main-key", %{
HTTPSignatures.sign(spoofed_key, spoofed_user <> "#main-key", %{
"(request-target)": "get #{uri.path}",
host: uri.host,
date: date