updated plugin ActivityPub version 3.3.3

2024-10-09 12:44:17 +00:00
parent fb4b27bbc6
commit c54fa007bd
106 changed files with 7070 additions and 2918 deletions
--- a/wp-content/plugins/activitypub/includes/rest/class-server.php
+++ b/wp-content/plugins/activitypub/includes/rest/class-server.php
@ -1,14 +1,19 @@
 <?php
+/**
+ * Server REST-Class file.
+ *
+ * @package Activitypub
+ */
+
 namespace Activitypub\Rest;

-use stdClass;
 use WP_Error;
 use WP_REST_Response;
 use Activitypub\Signature;
 use Activitypub\Model\Application;

 /**
- * ActivityPub Server REST-Class
+ * ActivityPub Server REST-Class.
 *
 * @author Django Doucet
 *
@ -16,11 +21,12 @@ use Activitypub\Model\Application;
 */
 class Server {
 	/**
-	 * Initialize the class, registering WordPress hooks
+	 * Initialize the class, registering WordPress hooks.
 	 */
 	public static function init() {
 		self::register_routes();

+		\add_filter( 'rest_request_before_callbacks', array( self::class, 'validate_activitypub_requests' ), 9, 3 );
 		\add_filter( 'rest_request_before_callbacks', array( self::class, 'authorize_activitypub_requests' ), 10, 3 );
 	}

@ -65,10 +71,10 @@ class Server {
 	 * @see https://www.w3.org/wiki/SocialCG/ActivityPub/Primer/Authentication_Authorization#Authorized_fetch
 	 * @see https://swicg.github.io/activitypub-http-signature/#authorized-fetch
 	 *
-	 * @param WP_REST_Response|WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
-	 *                                                                   Usually a WP_REST_Response or WP_Error.
-	 * @param array                                            $handler  Route handler used for the request.
-	 * @param WP_REST_Request                                  $request  Request used to generate the response.
+	 * @param WP_REST_Response|\WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
+	 *                                                                    Usually a WP_REST_Response or WP_Error.
+	 * @param array                                             $handler  Route handler used for the request.
+	 * @param \WP_REST_Request                                  $request  Request used to generate the response.
 	 *
 	 * @return mixed|WP_Error The response, error, or modified response.
 	 */
@ -77,9 +83,13 @@ class Server {
 			return $response;
 		}

+		if ( \is_wp_error( $response ) ) {
+			return $response;
+		}
+
 		$route = $request->get_route();

-		// check if it is an activitypub request and exclude webfinger and nodeinfo endpoints
+		// Check if it is an activitypub request and exclude webfinger and nodeinfo endpoints.
 		if (
 			! \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
 			\str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
@ -90,13 +100,13 @@ class Server {
 		}

 		/**
-		 * Filter to defer signature verification
+		 * Filter to defer signature verification.
 		 *
 		 * Skip signature verification for debugging purposes or to reduce load for
 		 * certain Activity-Types, like "Delete".
 		 *
-		 * @param bool            $defer   Whether to defer signature verification.
-		 * @param WP_REST_Request $request The request used to generate the response.
+		 * @param bool             $defer   Whether to defer signature verification.
+		 * @param \WP_REST_Request $request The request used to generate the response.
 		 *
 		 * @return bool Whether to defer signature verification.
 		 */
@ -107,9 +117,9 @@ class Server {
 		}

 		if (
-			// POST-Requests are always signed
+			// POST-Requests are always signed.
 			'GET' !== $request->get_method() ||
-			// GET-Requests only require a signature in secure mode
+			// GET-Requests only require a signature in secure mode.
 			( 'GET' === $request->get_method() && ACTIVITYPUB_AUTHORIZED_FETCH )
 		) {
 			$verified_request = Signature::verify_http_signature( $request );
@ -124,4 +134,51 @@ class Server {

 		return $response;
 	}
+
+	/**
+	 * Callback function to validate incoming ActivityPub requests
+	 *
+	 * @param WP_REST_Response|\WP_HTTP_Response|WP_Error|mixed $response Result to send to the client.
+	 *                                                                    Usually a WP_REST_Response or WP_Error.
+	 * @param array                                             $handler  Route handler used for the request.
+	 * @param \WP_REST_Request                                  $request  Request used to generate the response.
+	 *
+	 * @return mixed|WP_Error The response, error, or modified response.
+	 */
+	public static function validate_activitypub_requests( $response, $handler, $request ) {
+		if ( 'HEAD' === $request->get_method() ) {
+			return $response;
+		}
+
+		$route = $request->get_route();
+
+		if (
+			\is_wp_error( $response ) ||
+			! \str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE )
+		) {
+			return $response;
+		}
+
+		$params = $request->get_json_params();
+
+		// Type is required for ActivityPub requests, so it fail later in the process.
+		if ( ! isset( $params['type'] ) ) {
+			return $response;
+		}
+
+		if (
+			ACTIVITYPUB_DISABLE_INCOMING_INTERACTIONS &&
+			in_array( $params['type'], array( 'Create', 'Like', 'Announce' ), true )
+		) {
+			return new WP_Error(
+				'activitypub_server_does_not_accept_incoming_interactions',
+				\__( 'This server does not accept incoming interactions.', 'activitypub' ),
+				// We have to use a 2XX status code here, because otherwise the response will be
+				// treated as an error and Mastodon might block this WordPress instance.
+				array( 'status' => 202 )
+			);
+		}
+
+		return $response;
+	}
 }