Add rspec to further specify FollowRemoteAccountService #2414
This pull request is a follow-up to #2147 to further specify the intended behavior of FollowRemoteAccountService and make sure it prevents hijacking remote accounts using webfinger, while still following legitimate redirections.
To give a bit more background, webfinger queries for an “acct:” URI are not required to return a response with the same “acct:” URI as subject. This allows some form of redirection (user a@example.com is now called b@example.com, or has moved to a@example.org).
However, until #2147 was merged, Mastodon would take the returned subject “acct:” URI as the actual ID of the remote account, even if it didn't match the requested “acct:” URI, making it possible for attackers to create or overwrite a remote account for a domain they do not control.
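To make the verification rule concrete, here is an added example (not Mastodon's own code and not part of this pull request) of how a resolver can follow a WebFinger "acct:" redirection while refusing to let one domain assert an identity on another. The rule it applies: a subject that differs from the requested acct is accepted only when the subject's own domain answers for it, and the caller must then fetch account data from that confirmed domain rather than from the first responder. The `fetch` hook, the `WebfingerResolver` class, the `MAX_HOPS` cap and all fixture responses are constructed for this example.

```ruby
# Added example, not Mastodon code: accept a WebFinger subject that differs
# from the requested acct only after the subject's own domain confirms it.
require 'json'

class WebfingerResolver
  MAX_HOPS = 2 # bound on redirect chasing: refuses a->b->a loops and long chains

  # fetch: callable (domain, acct_uri) -> JSON response body or nil when the
  # domain has no record for that acct (constructed hook, injected for offline use)
  def initialize(fetch)
    @fetch = fetch
  end

  # Returns the verified "user@domain" identifier, or nil if it cannot be confirmed.
  def resolve(acct)
    current = normalize(acct)
    return nil unless current
    MAX_HOPS.times do
      subject = subject_for(current)
      return nil unless subject          # domain does not answer for this acct
      return current if subject == current # the acct's own domain confirms it
      current = subject                  # redirection: re-verify on the new domain
    end
    nil                                  # chain too long or looping: refuse
  end

  private

  # Strip the "acct:" scheme, lowercase, and reject anything that is not user@domain.
  def normalize(acct)
    s = acct.sub(/\Aacct:/i, '').downcase
    return nil unless s =~ /\A[a-z0-9._-]+@[a-z0-9.-]+\z/
    s
  end

  # Ask the acct's OWN domain (never the previous responder) who the subject is.
  def subject_for(acct)
    domain = acct.split('@', 2).last
    body = @fetch.call(domain, "acct:#{acct}")
    return nil unless body
    doc = (JSON.parse(body) rescue nil)
    return nil unless doc.is_a?(Hash) && doc['subject'].is_a?(String)
    normalize(doc['subject'])
  end
end

# Constructed fixture: what each domain's /.well-known/webfinger would return.
FIXTURE = {
  # example.com serves alice directly and says bob has moved to example.org
  ['example.com', 'acct:alice@example.com'] => { subject: 'acct:alice@example.com' }.to_json,
  ['example.com', 'acct:bob@example.com']   => { subject: 'acct:bob@example.org' }.to_json,
  ['example.org', 'acct:bob@example.org']   => { subject: 'acct:bob@example.org' }.to_json,
  # evil.example claims mallory is really admin@example.org, but example.org
  # has no such record (no fixture entry), so the claim is refused
  ['evil.example', 'acct:mallory@evil.example'] => { subject: 'acct:admin@example.org' }.to_json,
  # two domains pointing at each other: refused by the hop limit
  ['example.com', 'acct:loop@example.com'] => { subject: 'acct:loop@example.org' }.to_json,
  ['example.org', 'acct:loop@example.org'] => { subject: 'acct:loop@example.com' }.to_json
}.freeze

def demo_resolver
  WebfingerResolver.new(->(domain, uri) { FIXTURE[[domain, uri]] })
end

if __FILE__ == $PROGRAM_NAME
  r = demo_resolver
  %w[alice@example.com bob@example.com mallory@evil.example loop@example.com].each do |acct|
    puts "#{acct} -> #{r.resolve(acct).inspect}"
  end
end
```

With this rule a legitimate move (bob@example.com to bob@example.org) resolves to the new identifier because example.org vouches for it, while a response from evil.example naming an account on example.org is discarded unless example.org itself returns that same subject; in the latter case the caller then fetches the account from example.org, so the attacker's response never becomes the stored record.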