• Resolved plord12

    (@plord12)


    I’m seeing a lot of these messages:

    2025/05/09 15:17:59 [error] 1616#1616: *60057 FastCGI sent in stderr: "PHP message: Blocked activity from: https://mastodon.sdf.org/users/coderCyclist" while reading response header from upstream, client: 205.166.94.38, server: plord.co.uk, request: "POST /wp-json/activitypub/1.0/actors/0/inbox HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "plord.co.uk"

    Tracing with a WordPress plugin, this request was:

    {
    "@context": [
    "https://www.w3.org/ns/activitystreams",
    "https://w3id.org/security/v1"
    ],
    "id": "https://mastodon.sdf.org/users/coderCyclist#delete",
    "type": "Delete",
    "actor": "https://mastodon.sdf.org/users/coderCyclist",
    "to": [
    "https://www.w3.org/ns/activitystreams#Public"
    ],
    "object": "https://mastodon.sdf.org/users/coderCyclist",
    "signature": {
    "type": "RsaSignature2017",
    "creator": "https://mastodon.sdf.org/users/coderCyclist#main-key",
    "created": "2025-05-09T14:17:01Z",
    "signatureValue": "KdpxJNcI7ZkZGMoC2TciGxKKdkPI3B5txUecotsxutaisRRop/0112h9lsUSJaqbV/Rj8F2teX5hPK2PnczEhg+FTR1igFMjU//cTwWuwrB1egHMIB9f/igc+SIHK/pQqhgXQ23LpciX34atRmBNCPJmxkz4QPZscR0us4NsWmlHYk+HedhmY5JUO252/RJLAcj9rnr/0iQZ+/hVVlcEDmGNoZdOyPLxCQ71sy/sY5daSbzTVz99b3KPJlW7G7bTYWaW4g0vHpLWxs52/21ArmScrxzk++OLrEpzzL3HrEoy6KkU6//dBA2QA9ivEbbqjnZsgmQbixlM8dWdRd50VQ=="
    }
    }

    The plugin currently returns 202, but since this message gets repeated I wonder if it’s better to return 200 to avoid repeats?

    Anyways, it would be great if there was more info in the logs about “Blocked activity”

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Matthias Pfefferle

    (@pfefferle)

    Hey @plord12

    this message is not sent by the ActivityPub plugin, I searched the whole codebase and we do not even use the word “Blocked” anywhere! Maybe this is sent by your webserver or a different plugin?

    Thread Starter plord12

    (@plord12)

    On my site I found in plugins/activitypub/includes/rest/class-inbox-controller.php :

    public function create_item( $request ) {
        $data = $request->get_json_params();
        $activity = Activity::init_from_array( $data );
        $type = \strtolower( $request->get_param( 'type' ) );

        // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
        if ( \wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
            Debug::write_log( 'Blocked activity from: ' . $activity->get_actor() );
        } else {

    and in plugins/activitypub/includes/rest/class-actors-inbox-controller.php :

    public function create_item( $request ) {
        $user_id = $request->get_param( 'user_id' );
        $user = Actors::get_by_various( $user_id );

        if ( \is_wp_error( $user ) ) {
            return $user;
        }

        $data = $request->get_json_params();
        $activity = Activity::init_from_array( $data );
        $type = $request->get_param( 'type' );
        $type = \strtolower( $type );

        // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
        if ( \wp_check_comment_disallowed_list( $activity->to_json( false ), '', '', '', $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '' ) ) {
            Debug::write_log( 'Blocked activity from: ' . $activity->get_actor() );
        } else {

    I assumed the message came from one of these.

    Plugin Author Matthias Pfefferle

    (@pfefferle)

    Ah, I am sorry we removed that debug info in the dev version, that’s why I haven’t found it!

    That message means that something in that Activity is on your block list!

    Plugin Author Matthias Pfefferle

    (@pfefferle)

    I am not sure why the remote server is retrying so often, 202 should be perfectly fine!

    Thread Starter plord12

    (@plord12)

    Ah, I am sorry we removed that debug info in the dev version, that’s why I haven’t found it!

    🙂

    That message means that something in that Activity is on your block list!

    In the discussion settings? Yes, I did have a large set of words configured. I’ve just removed these and I’m no longer getting the Blocked message :-).

    I suppose I didn’t think comment config would apply to a delete request with no comment text.

    I am not sure why the remote server is retrying so much, 202 should be perfectly fine and is what the spec describes as default!

    Such requests are still coming in though, each user about once every 5mins, so although it’s no longer blocked, there is still a little load.

    Many thanks for your quick responses 🙂

    Plugin Author Matthias Pfefferle

    (@pfefferle)

    Such requests are still coming in though, each user about once every 5mins, so although it’s no longer blocked, there is still a little load.

    Yes, this is indeed a problem of ActivityPub and how some platforms spam these deletes (maybe to make sure that they will be processed properly). We already improved the code so that it bypasses all heavy processing like signature verification. Sadly we can’t do much more here 🙁

    Thread Starter plord12

    (@plord12)

    Finally realised what was fooling me here … I had https://en-gb.ww.wp.xz.cn/plugins/blacklist-updater/ installed! Doh.

    Still, I wonder if checking activitypub messages against the block list in the discussion settings ought to be an activitypub config option.


The topic ‘Blocked activity’ is closed to new replies.
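
The thread asks for more detail behind "Blocked activity"; the following stand-alone diagnostic is an added example (not code from the ActivityPub plugin or WordPress core) that reports which block-list entry hit which field of an activity. It assumes each line of the Discussion block list is matched as a case-insensitive substring of the whole serialized activity, as the `wp_check_comment_disallowed_list()` call quoted above implies; the function names, host, signature value and list entries are constructed for illustration.

```php
<?php
// Added diagnostic sketch, not plugin or core code.
// Assumption: a block-list line is a hit when it occurs anywhere in the text,
// case-insensitively, so URLs and base64 signature values can match too.

/** Return [entry => [JSON paths whose string value contains it]] for each hit. */
function find_blocklist_hits( string $blocklist, string $activity_json ): array {
    $hits = array();
    $data = json_decode( $activity_json, true );
    foreach ( explode( "\n", $blocklist ) as $entry ) {
        $entry = trim( $entry );
        if ( '' === $entry ) {
            continue; // blank lines in the list are ignored
        }
        $pattern = '#' . preg_quote( $entry, '#' ) . '#iu';
        // The snippets in the thread pass the whole serialized activity to the check.
        if ( ! preg_match( $pattern, $activity_json ) ) {
            continue;
        }
        $paths = array();
        collect_paths( $data, '', $pattern, $paths );
        // No string value matched: the hit is in a property name or the JSON syntax.
        $hits[ $entry ] = $paths ? $paths : array( '(property name or JSON syntax)' );
    }
    return $hits;
}

/** Walk the decoded activity and record the dotted path of every matching string. */
function collect_paths( $node, string $path, string $pattern, array &$paths ): void {
    if ( is_array( $node ) ) {
        foreach ( $node as $key => $child ) {
            collect_paths( $child, ltrim( "$path.$key", '.' ), $pattern, $paths );
        }
    } elseif ( is_string( $node ) && preg_match( $pattern, $node ) ) {
        $paths[] = $path;
    }
}

// Constructed sample modelled on the Delete in the thread (placeholder host, made-up signature).
$activity = json_encode( array(
    'id'        => 'https://social.example/users/alice#delete',
    'type'      => 'Delete',
    'actor'     => 'https://social.example/users/alice',
    'object'    => 'https://social.example/users/alice',
    'signature' => array( 'type' => 'RsaSignature2017', 'signatureValue' => 'Zm9vYmFyLoanQmF6cXV4' ),
), JSON_UNESCAPED_SLASHES );
$blocklist = "casino\nloan\nsocial.example/users/alice\n"; // constructed entries

foreach ( find_blocklist_hits( $blocklist, $activity ) as $entry => $paths ) {
    echo "'$entry' matched in: " . implode( ', ', $paths ) . "\n";
}
```

Run against a captured inbox payload and the site's own list, this shows whether a block came from an actor URL or from a short word that happens to occur inside the base64 `signatureValue`.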