gnh1201/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2025-05-17 07:01:12 +00:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Remove double-query for signed query strings (#34610)

Browse Source
This commit is contained in:
Claire 2025-05-05 15:13:08 +02:00
parent 86a8aa5e5c
commit e6a6c26c36
3 changed files with 4 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/lib/http_signature_draft.rb
View File

@ -6,14 +6,13 @@
class HttpSignatureDraft class HttpSignatureDraft
REQUEST_TARGET = '(request-target)' REQUEST_TARGET = '(request-target)'
def initialize(keypair, key_id, full_path: true) def initialize(keypair, key_id)
@keypair = keypair @keypair = keypair
@key_id = key_id @key_id = key_id
@full_path = full_path
end end
def request_target(verb, url) def request_target(verb, url)
if url.query.nil? || !@full_path if url.query.nil?
"#{verb} #{url.path}" "#{verb} #{url.path}"
else else
"#{verb} #{url.path}?#{url.query}" "#{verb} #{url.path}?#{url.query}"

3
app/lib/request.rb
View File

@ -75,7 +75,6 @@ class Request
@url = Addressable::URI.parse(url).normalize @url = Addressable::URI.parse(url).normalize
@http_client = options.delete(:http_client) @http_client = options.delete(:http_client)
@allow_local = options.delete(:allow_local) @allow_local = options.delete(:allow_local)
@full_path = !options.delete(:omit_query_string)
@options = { @options = {
follow: { follow: {
max_hops: 3, max_hops: 3,
@ -102,7 +101,7 @@ class Request
key_id = ActivityPub::TagManager.instance.key_uri_for(actor) key_id = ActivityPub::TagManager.instance.key_uri_for(actor)
keypair = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : actor.keypair keypair = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : actor.keypair
@signing = HttpSignatureDraft.new(keypair, key_id, full_path: @full_path) @signing = HttpSignatureDraft.new(keypair, key_id)
self self
end end

13
app/services/activitypub/fetch_replies_service.rb
View File

@ -37,20 +37,7 @@ class ActivityPub::FetchRepliesService < BaseService
return unless @allow_synchronous_requests return unless @allow_synchronous_requests
return if non_matching_uri_hosts?(@account.uri, collection_or_uri) return if non_matching_uri_hosts?(@account.uri, collection_or_uri)
# NOTE: For backward compatibility reasons, Mastodon signs outgoing
# queries incorrectly by default.
#
# While this is relevant for all URLs with query strings, this is
# the only code path where this happens in practice.
#
# Therefore, retry with correct signatures if this fails.
begin
fetch_resource_without_id_validation(collection_or_uri, nil, true) fetch_resource_without_id_validation(collection_or_uri, nil, true)
rescue Mastodon::UnexpectedResponseError => e
raise unless e.response && e.response.code == 401 && Addressable::URI.parse(collection_or_uri).query.present?
fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { omit_query_string: false })
end
end end
def filtered_replies def filtered_replies