From: Felix Ableitner
Date: Thu, 22 Oct 2020 16:12:43 +0000 (+0200)
Subject: Dont allow localhost or raw IPs in activitypub IDs (ref #1221)
X-Git-Url: http://these/git/%7B%24%7B%60data:application/%22%7Burl%7D/%7Bthis.state.url%7D?a=commitdiff_plain;h=b08e0a641578884aeac781ffb6cb3abcf9ba6f76;p=lemmy.git
Dont allow localhost or raw IPs in activitypub IDs (ref #1221)
---
diff --git a/lemmy_apub/src/lib.rs b/lemmy_apub/src/lib.rs
index c93d6477..07a4a397 100644
--- a/lemmy_apub/src/lib.rs
+++ b/lemmy_apub/src/lib.rs
@@ -27,6 +27,7 @@ use lemmy_structs::blocking;
 use lemmy_utils::{location_info, settings::Settings, LemmyError};
 use lemmy_websocket::LemmyContext;
 use serde::Serialize;
+use std::net::IpAddr;
 use url::{ParseError, Url};
 /// Activitystreams type for community
@@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
 };
 }
+ let host = apub_id.host_str().context(location_info!())?;
+ let host_as_ip = host.parse::();
+ if host == "localhost" || host_as_ip.is_ok() {
+ return Err(anyhow!("invalid hostname: {:?}", host).into());
+ }
+
 if apub_id.scheme() != Settings::get().get_protocol_string() {
 return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
 }
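Review bot: The raw-IP test in the added block parses the string from `host_str()`, and the `url` crate returns IPv6 literals from that method in bracketed form (`[::1]`), which does not parse as an IP address, so an IPv6 host would appear to pass this check (the type argument of `parse` is missing in this rendering; the new `IpAddr` import suggests `parse::<IpAddr>()`). Asking the parsed URL directly avoids the string round-trip: `let host_is_ip = matches!(apub_id.host(), Some(url::Host::Ipv4(_)) | Some(url::Host::Ipv6(_)));` followed by `if host == "localhost" || host_is_ip {`. The `localhost` comparison is exact, and a hostname check cannot see what a name resolves to, so names that resolve to loopback or private addresses still need a check at the point where the connection is made; a short comment above the block saying so would help the next reader. The body of `check_is_apub_id_valid` starts and ends outside the hunk.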