comments to remote posts are federated with activity ids pointing at the remote instance #1161
Reference: Plume/Plume#1161
Hello!
While inspecting logs of an unrelated fediverse instance, we noticed a mismatch between the host in the signer's URL, and the host in the activity id, with the signature belonging to
https://fediverse.blog/@/someone/
but the activity identifying itself as https://writeworks.uk/~/someblog/somepost//comment/12345
This looked like an impersonation attempt (the signer pretending to be a writeworks account), and it was consequently discarded by our instance.
Looking into your source code, I believe the cause of the problem to be in https://git.joinplu.me/Plume/Plume/src/branch/main/plume-models/src/comments.rs#L64-L69 where it generates the URL for the comment based on the URL for the post being commented on. This is fine when commenting on local posts, but generates nonsensical URLs when the post is remote: it's mashing a remote base URL with a locally-generated primary key. The generated AP URL needs to be under the hostname of the local instance, and should ideally be resolvable to the contents of the comment itself.
(please note that my knowledge of Rust is very rudimentary, and I had never looked at your codebase before now, so I can't really provide a fix…)
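
The mismatch described in this report, as an added example that is not part of the original issue and is not Plume's code: it builds a comment id from the post URL (the reported behaviour), builds one under the local instance instead, and runs both through the signer-host versus activity-id-host check that a receiving instance applies. The function names and the `/comments/{id}` local path layout are assumptions made for illustration; the URLs are the ones quoted in the report.

```rust
// Added illustration, not Plume's code: function names and the local path layout are assumptions.

/// Lowercased host of an http(s) URL, without userinfo or port (IPv6 literals not handled).
fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://").or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let host_port = authority.rsplit('@').next()?; // drop any userinfo
    let host = host_port.split(':').next()?; // drop any port
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Reported behaviour: the comment id is derived from the URL of the post being commented on.
/// For a remote post this places a local primary key under the remote host.
fn comment_id_from_post(post_url: &str, pk: u64) -> String {
    format!("{}/comment/{}", post_url, pk)
}

/// Id minted under the local instance's own base URL (hypothetical path layout).
fn comment_id_local(local_base: &str, pk: u64) -> String {
    format!("{}/comments/{}", local_base.trim_end_matches('/'), pk)
}

/// Receiver-side check: accept only if the signer's host equals the activity id's host.
/// Unparseable URLs are rejected rather than treated as a match.
fn same_origin(signer_url: &str, activity_id: &str) -> bool {
    match (host_of(signer_url), host_of(activity_id)) {
        (Some(signer), Some(activity)) => signer == activity,
        _ => false,
    }
}

fn main() {
    let signer = "https://fediverse.blog/@/someone/";
    let remote_post = "https://writeworks.uk/~/someblog/somepost/";

    let from_post = comment_id_from_post(remote_post, 12345);
    let local = comment_id_local("https://fediverse.blog", 12345);

    println!("{} accepted: {}", from_post, same_origin(signer, &from_post));
    println!("{} accepted: {}", local, same_origin(signer, &local));
}
```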