|
|
@@ -191,6 +191,14 @@ XML;
|
|
|
$id = Helpers::validateUrl($bodyDecoded['id']);
|
|
|
$keyDomain = parse_url($keyId, PHP_URL_HOST);
|
|
|
$idDomain = parse_url($id, PHP_URL_HOST);
|
|
|
+ if(isset($bodyDecoded['object'])
|
|
|
+ && is_array($bodyDecoded['object'])
|
|
|
+ && isset($bodyDecoded['object']['attributedTo'])
|
|
|
+ ) {
|
|
|
+ if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $idDomain) {
|
|
|
+ abort(400, 'Invalid request');
|
|
|
+ }
|
|
|
+ }
|
|
|
if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) {
|
|
|
abort(400, 'Invalid request');
|
|
|
}
|
Daniel Supernault