Browse Source

Dont allow localhost or raw IPs in activitypub IDs (ref #1221)

disallow-localhost-urls
Felix Ableitner 4 months ago
parent
commit
b08e0a6415
1 changed files with 7 additions and 0 deletions
  1. +7
    -0
      lemmy_apub/src/lib.rs

+ 7
- 0
lemmy_apub/src/lib.rs View File

@ -27,6 +27,7 @@ use lemmy_structs::blocking;
use lemmy_utils::{location_info, settings::Settings, LemmyError};
use lemmy_websocket::LemmyContext;
use serde::Serialize;
use std::net::IpAddr;
use url::{ParseError, Url};
/// Activitystreams type for community
@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
};
}
let host = apub_id.host_str().context(location_info!())?;
let host_as_ip = host.parse::<IpAddr>();
if host == "localhost" || host_as_ip.is_ok() {
return Err(anyhow!("invalid hostname: {:?}", host).into());
}
if apub_id.scheme() != Settings::get().get_protocol_string() {
return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
}


Loading…
Cancel
Save