federation v0.14.1 released
This release includes an important #Diaspora #protocol related #security fix adding checks so that payloads cannot be sent with objects referencing another identity. Basically this means that a post payload has to have the same author in the object as it has as the sender. The exception is relayables, which are commonly sent by someone else and authored by another person. This is the patch release, since the latter had to be fixed due to a regression.
federation is a #Python library that offers the Diaspora protocol via an opinionated API, aiming to combine multiple protocols under one API in the future.
[0.14.1] - 2017-08-06
- Fix regression in handling Diaspora relayables due to security fix in 0.14.0. Payload and entity handle need to be allowed to be different when handling relayables.
[0.14.0] - 2017-08-06
Add proper checks to make sure Diaspora protocol payload handle and entity handle are the same. Even though we already verified the signature of the sender, we didn't ensure that the sender isn't trying to fake an entity authored by someone else.
The Diaspora protocol functions element_to_objects now require a new parameter, the payload sender handle. These functions should not normally need to be used directly.
Breaking change. The high level handle_create_payload signatures have been changed. This has been done to better represent the objects that are actually sent in and to add an optional
For both functions the from_user parameter has been renamed to author_user. Optionally a parent_user object can also be passed in. Both the user objects must have handle attributes. In the case that parent_user is given, that user will be used to sign the payload and for Diaspora relayables an extra parent_author_signature in the payload itself.
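The handle check from 0.14.0 and the relayable exception from 0.14.1, as an added example that is not the library's own code. Entity, RELAYABLE_KINDS, handles_match, filter_entities and the sample handles are hypothetical names constructed for illustration; it assumes the sender's signature has already been verified.

```python
from dataclasses import dataclass

# Object kinds treated as relayables in this example (assumption).
RELAYABLE_KINDS = {"comment", "like"}


@dataclass
class Entity:
    """Constructed stand-in for an object parsed out of a payload."""
    kind: str
    handle: str  # author handle declared inside the object


def handles_match(sender_handle, entity, allow_relayables):
    """True if the signature-verified sender may deliver this entity."""
    if not sender_handle or not entity.handle:
        return False  # fail closed on a missing identity
    if sender_handle == entity.handle:
        return True
    # A relayable is commonly sent by someone other than its author.
    # Its own author signature must still be verified separately (not shown).
    return allow_relayables and entity.kind in RELAYABLE_KINDS


def filter_entities(sender_handle, entities, allow_relayables=True):
    """Split parsed entities into (accepted, rejected) for one payload sender."""
    accepted, rejected = [], []
    for entity in entities:
        ok = handles_match(sender_handle, entity, allow_relayables)
        (accepted if ok else rejected).append(entity)
    return accepted, rejected


# Constructed sample: payload signed and sent by alice@pod.example.
SENDER = "alice@pod.example"
SAMPLE = [
    Entity("status_message", "alice@pod.example"),  # sender's own post
    Entity("status_message", "bob@pod.example"),    # post naming another author
    Entity("comment", "bob@pod.example"),           # bob's comment relayed by alice
]

if __name__ == "__main__":
    # allow_relayables=False mirrors the strict 0.14.0 check, True the 0.14.1 fix.
    for allow in (False, True):
        accepted, rejected = filter_entities(SENDER, SAMPLE, allow)
        print(f"allow_relayables={allow}: accepted={accepted} rejected={rejected}")
```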
Python library for abstracting social federation protocols