
Merge pull request #3364 from pixelfed/staging

Staging
daniel 3 år sedan
förälder
incheckning
7e4038503a

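--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -122,6 +122,8 @@
 - Updated DiscoverController, improve tag feed performance. ([d8ff40eb](https://github.com/pixelfed/pixelfed/commit/d8ff40eb))
 - Updated ApiV1Controller, fix timeline pagination. ([a5cdc28b](https://github.com/pixelfed/pixelfed/commit/a5cdc28b))
 - Updated ApiV1Controller, add missing pagination header. ([5649873a](https://github.com/pixelfed/pixelfed/commit/5649873a))
+- Updated CollectionController, limit unpublished collections to owner. ([a0061eb5](https://github.com/pixelfed/pixelfed/commit/a0061eb5))
+- Updated AP Inbox, fixes #3332. ([f8931dc7](https://github.com/pixelfed/pixelfed/commit/f8931dc7))
 -  ([](https://github.com/pixelfed/pixelfed/commit/))
 
 ## [v0.11.2 (2022-01-09)](https://github.com/pixelfed/pixelfed/compare/v0.11.1...v0.11.2)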

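--- a/app/Jobs/InboxPipeline/InboxValidator.php
+++ b/app/Jobs/InboxPipeline/InboxValidator.php
@@ -167,9 +167,8 @@ class InboxValidator implements ShouldQueue
             && is_array($bodyDecoded['object'])
             && isset($bodyDecoded['object']['attributedTo'])
         ) {
-            if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $keyDomain) {
+            if(parse_url(Helpers::pluckval($bodyDecoded['object']['attributedTo']), PHP_URL_HOST) !== $keyDomain) {
                 return;
-                abort(400, 'Invalid request');
             }
         }
         if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) {
@@ -178,7 +177,7 @@ class InboxValidator implements ShouldQueue
         }
         $actor = Profile::whereKeyId($keyId)->first();
         if(!$actor) {
-            $actorUrl = is_array($bodyDecoded['actor']) ? $bodyDecoded['actor'][0] : $bodyDecoded['actor'];
+            $actorUrl = Helpers::pluckval($bodyDecoded['actor']);
             $actor = Helpers::profileFirstOrNew($actorUrl);
         }
         if(!$actor) {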
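Review bot: The host comparison on the `attributedTo` line in the first hunk now depends on whatever `Helpers::pluckval()` returns, and that helper is not visible in this diff. If it can hand back a non-string (for example when `attributedTo` is a list of embedded objects rather than URLs), `parse_url()` raises a TypeError on PHP 8 and the queued job fails instead of dropping the activity; I would assign the value first and guard with `if(!is_string($attributedTo) || parse_url($attributedTo, PHP_URL_HOST) !== $keyDomain) { return; }`. The same line is added in InboxWorker.php. A mismatch between the signing key's host and `attributedTo` also deserves a log entry before the silent `return`, since it is the signal an operator would look for when investigating spoofed deliveries. The enclosing method starts and ends outside the hunk.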

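--- a/app/Jobs/InboxPipeline/InboxWorker.php
+++ b/app/Jobs/InboxPipeline/InboxWorker.php
@@ -157,7 +157,7 @@ class InboxWorker implements ShouldQueue
             && is_array($bodyDecoded['object'])
             && isset($bodyDecoded['object']['attributedTo'])
         ) {
-            if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $keyDomain) {
+            if(parse_url(Helpers::pluckval($bodyDecoded['object']['attributedTo']), PHP_URL_HOST) !== $keyDomain) {
                 return;
             }
         }
@@ -166,7 +166,7 @@ class InboxWorker implements ShouldQueue
         }
         $actor = Profile::whereKeyId($keyId)->first();
         if(!$actor) {
-            $actorUrl = is_array($bodyDecoded['actor']) ? $bodyDecoded['actor'][0] : $bodyDecoded['actor'];
+            $actorUrl = Helpers::pluckval($bodyDecoded['actor']);
             $actor = Helpers::profileFirstOrNew($actorUrl);
         }
         if(!$actor) {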
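Review bot: In the second hunk the result of `Helpers::pluckval($bodyDecoded['actor'])` goes straight into `Helpers::profileFirstOrNew()` with no check that it is a non-empty string whose host equals `$keyDomain`. The old ternary at least fixed the shape to element 0 or the scalar; what pluckval returns for an empty or nested array is not visible here, and neither is how `$idDomain` in the guard just above (shown in InboxValidator.php as `$keyDomain !== $idDomain`) is derived. Unless that guard already binds the actor URL to the signing key's host, add `if(!is_string($actorUrl) || parse_url($actorUrl, PHP_URL_HOST) !== $keyDomain) { return; }` before the lookup, so a request-supplied URL is never resolved for a host that did not sign the request. InboxValidator.php receives the identical change, and the method body continues outside the hunk.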

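--- a/app/Util/ActivityPub/Inbox.php
+++ b/app/Util/ActivityPub/Inbox.php
@@ -623,7 +623,10 @@ class Inbox
 					break;
 
 				case 'Tombstone':
-						$profile = Helpers::profileFetch($actor);
+						$profile = Profile::whereRemoteUrl($actor)->first();
+						if(!$profile || $profile->private_key != null) {
+							return;
+						}
 						$status = Status::whereProfileId($profile->id)
 							->whereUri($id)
 							->orWhere('url', $id)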
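Review bot: The new ownership check on `$profile` is undercut by the unchanged query directly below it, where `whereProfileId($profile->id)->whereUri($id)->orWhere('url', $id)` leaves the `orWhere` ungrouped. The resulting condition reads `profile_id = ? AND uri = ? OR url = ?`, so the `url` branch is not scoped to the actor's profile and the lookup can match a status owned by someone else. Grouping the two alternatives keeps the profile constraint on both: `->where(function($q) use ($id) { $q->where('uri', $id)->orWhere('url', $id); })`. The statement continues past the end of the hunk, so the remaining clauses should be checked as well, but a further chained `where` would not by itself regroup the OR.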