From 596a5e4ba29b007dfe66a1485ec498faee708bc4 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Sun, 28 Apr 2024 23:25:46 -0400
Subject: [PATCH] fix: update signature parsing logic to handle values with equal signs in them, closes #12538
---
 src/middleware/activitypub.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/middleware/activitypub.js b/src/middleware/activitypub.js
index 0adad036b6d5..247726f38e4c 100644
--- a/src/middleware/activitypub.js
+++ b/src/middleware/activitypub.js
@@ -76,7 +76,10 @@ middleware.validate = async function (req, res, next) {
 await activitypub.actors.assert(actor);
 const compare = await db.getObjectField(`userRemote:${actor}:keys`, 'id');
 const { signature } = req.headers;
- const keyId = new Map(signature.split(',').filter(Boolean).map(v => v.split('='))).get('keyId');
+ const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
+ const index = v.indexOf('=');
+ return [v.substring(0, index), v.slice(index + 1)];
+ })).get('keyId');
 if (`"${compare}"` !== keyId) {
 winston.verbose('[middleware/activitypub] Key ownership cross-check failed.');
 return res.sendStatus(403);
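Review bot: The new `map` callback in `middleware.validate` takes each key verbatim, so a `Signature` header with a space after its commas yields the key ` keyId` whenever that parameter is not first; `.get('keyId')` then returns undefined and the request is rejected with 403. A segment with no `=` gives `index === -1` and is stored under the empty key. Trimming both parts would make the ownership cross-check less brittle: `return [v.substring(0, index).trim(), v.slice(index + 1).trim()];`. Because `Map` keeps the last of any duplicated parameter, it is worth confirming that the code which actually verifies the signature resolves `keyId` the same way, otherwise the cross-check and the verifier could be looking at different keys. The visible lines also call `signature.split` with no guard for an absent header, though `validate` starts and ends outside the hunk and may check this earlier.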