Please sign in to comment.
[SECURITY FIX] please update your pod ASAP
This is a fix for public messages, where a malicious pod could spoof a message from someone a user was connected to, as the verified signatures were not checked that the object was also from said sender. This hole only affected public messages, and the private part of code had the correct checks THX to s-f-s(Stephan Schulz) for reporting and tracking down this issue, and props to Raven24(email@example.com) for helping me test the patch
- Loading branch information...
Showing with 67 additions and 25 deletions.
- +1 −5 db/schema.rb
- +1 −1 lib/federation_logger.rb
- +7 −0 lib/postzord/receiver.rb
- +11 −17 lib/postzord/receiver/private.rb
- +18 −0 lib/postzord/receiver/public.rb
- +20 −1 spec/integration/attack_vectors_spec.rb
- +5 −1 spec/lib/postzord/receiver/public_spec.rb