
Merge pull request #4930 from pixelfed/staging

Staging
daniel 1 éve
szülő
commit
0dc54e9ac0
2 módosított fájl, 55 hozzáadás és 31 törlés
  1. 1 0
      CHANGELOG.md
  2. 54 31
      app/Services/ActivityPubFetchService.php

+ 1 - 0
CHANGELOG.md

@@ -7,6 +7,7 @@
 - Update ApiV1Controller, fix network timeline ([0faf59e3](https://github.com/pixelfed/pixelfed/commit/0faf59e3))
 - Update public/network timelines, fix non-redis response and fix reblogs in home feed ([8b4ac5cc](https://github.com/pixelfed/pixelfed/commit/8b4ac5cc))
 - Update Federation, use proper Content-Type headers for following/follower collections ([fb0bb9a3](https://github.com/pixelfed/pixelfed/commit/fb0bb9a3))
+- Update ActivityPubFetchService, enforce stricter Content-Type validation ([1232cfc8](https://github.com/pixelfed/pixelfed/commit/1232cfc8))
 -  ([](https://github.com/pixelfed/pixelfed/commit/))
 
 ## [v0.11.11 (2024-02-09)](https://github.com/pixelfed/pixelfed/compare/v0.11.10...v0.11.11)

+ 54 - 31
app/Services/ActivityPubFetchService.php

@@ -11,38 +11,61 @@ use Illuminate\Http\Client\RequestException;
 
 class ActivityPubFetchService
 {
-	public static function get($url, $validateUrl = true)
-	{
+    public static function get($url, $validateUrl = true)
+    {
         if($validateUrl === true) {
-    		if(!Helpers::validateUrl($url)) {
-    			return 0;
-    		}
+            if(!Helpers::validateUrl($url)) {
+                return 0;
+            }
         }
 
-		$baseHeaders = [
-			'Accept' => 'application/activity+json, application/ld+json',
-		];
-
-		$headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
-		$headers['Accept'] = 'application/activity+json, application/ld+json';
-		$headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
-
-		try {
-			$res = Http::withOptions(['allow_redirects' => false])->withHeaders($headers)
-				->timeout(30)
-				->connectTimeout(5)
-				->retry(3, 500)
-				->get($url);
-		} catch (RequestException $e) {
-			return;
-		} catch (ConnectionException $e) {
-			return;
-		} catch (Exception $e) {
-			return;
-		}
-		if(!$res->ok()) {
-			return;
-		}
-		return $res->body();
-	}
+        $baseHeaders = [
+            'Accept' => 'application/activity+json, application/ld+json',
+        ];
+
+        $headers = HttpSignature::instanceActorSign($url, false, $baseHeaders, 'get');
+        $headers['Accept'] = 'application/activity+json, application/ld+json';
+        $headers['User-Agent'] = 'PixelFedBot/1.0.0 (Pixelfed/'.config('pixelfed.version').'; +'.config('app.url').')';
+
+        try {
+            $res = Http::withOptions(['allow_redirects' => false])
+                ->withHeaders($headers)
+                ->timeout(30)
+                ->connectTimeout(5)
+                ->retry(3, 500)
+                ->get($url);
+        } catch (RequestException $e) {
+            return;
+        } catch (ConnectionException $e) {
+            return;
+        } catch (Exception $e) {
+            return;
+        }
+
+        if(!$res->ok()) {
+            return;
+        }
+
+        if(!$res->hasHeader('Content-Type')) {
+            return;
+        }
+
+        $acceptedTypes = [
+            'application/activity+json; charset=utf-8',
+            'application/activity+json',
+            'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
+        ];
+
+        $contentType = $res->getHeader('Content-Type')[0];
+
+        if(!$contentType) {
+            return;
+        }
+
+        if(!in_array($contentType, $acceptedTypes)) {
+            return;
+        }
+
+        return $res->body();
+    }
 }
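Review bot: The new Content-Type check at `in_array($contentType, $acceptedTypes)` requires a byte-exact match against three literal header strings, so a valid response such as `application/ld+json; profile="https://www.w3.org/ns/activitystreams"; charset=utf-8`, `Application/Activity+JSON`, or one with different whitespace around `;` is dropped, and the caller sees the same null it gets for a network failure. Media types and parameter names in Content-Type are case-insensitive and parameters are order-independent, so the value should be parsed into media type plus parameters and compared that way; the `in_array` call should also pass `strict: true`. Whether plain `application/ld+json` without the activitystreams profile is meant to be rejected cannot be told from the hunk and deserves a one-line comment either way. A parsing version of the tail of `get()` follows; the rest of the method and the class are otherwise unchanged.
```php
        $contentType = $res->getHeader('Content-Type')[0];

        if(!$contentType) {
            return;
        }

        // Content-Type media type and parameter names are case-insensitive and
        // parameters may appear in any order, so parse rather than string-match.
        $parts = array_map(trim(...), explode(';', $contentType));
        $mediaType = strtolower(array_shift($parts));
        $params = [];
        foreach($parts as $part) {
            if(str_contains($part, '=')) {
                [$name, $value] = explode('=', $part, 2);
                $params[strtolower(trim($name))] = trim($value, " \t\"");
            }
        }

        // RFC 6906: "profile" is a whitespace-separated list of URIs.
        $profiles = preg_split('/\s+/', $params['profile'] ?? '', -1, PREG_SPLIT_NO_EMPTY);
        $isActivityJson = $mediaType === 'application/activity+json';
        $isLdJsonActivityStreams = $mediaType === 'application/ld+json'
            && in_array('https://www.w3.org/ns/activitystreams', $profiles, true);

        if(!$isActivityJson && !$isLdJsonActivityStreams) {
            return;
        }

        return $res->body();
```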