From b08e0a641578884aeac781ffb6cb3abcf9ba6f76 Mon Sep 17 00:00:00 2001
From: Felix Ableitner <me@nutomic.com>
Date: Thu, 22 Oct 2020 18:12:43 +0200
Subject: [PATCH] Dont allow localhost or raw IPs in activitypub IDs (ref
 #1221)

---
 lemmy_apub/src/lib.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lemmy_apub/src/lib.rs b/lemmy_apub/src/lib.rs
index c93d6477..07a4a397 100644
--- a/lemmy_apub/src/lib.rs
+++ b/lemmy_apub/src/lib.rs
@@ -27,6 +27,7 @@ use lemmy_structs::blocking;
 use lemmy_utils::{location_info, settings::Settings, LemmyError};
 use lemmy_websocket::LemmyContext;
 use serde::Serialize;
+use std::net::IpAddr;
 use url::{ParseError, Url};
 
 /// Activitystreams type for community
@@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
     };
   }
 
+  let host = apub_id.host_str().context(location_info!())?;
+  let host_as_ip = host.parse::<IpAddr>();
+  if host == "localhost" || host_as_ip.is_ok() {
+    return Err(anyhow!("invalid hostname: {:?}", host).into());
+  }
+
   if apub_id.scheme() != Settings::get().get_protocol_string() {
     return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
   }
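Review bot: The new raw-IP check on `host_as_ip` most likely misses IPv6 literals, because `Url::host_str()` returns them in bracketed form (e.g. `[::1]`) and that string does not parse as `IpAddr`, so `is_ok()` is false and the ID is accepted. Matching on the parsed host enum avoids the string round trip: `if !matches!(apub_id.host(), Some(url::Host::Domain(d)) if d != "localhost") { return Err(anyhow!("invalid hostname: {:?}", apub_id.host_str()).into()); }`. With this, the `use std::net::IpAddr;` import added in the first hunk is no longer needed. A string comparison still does not cover variants such as a trailing-dot `localhost.` or domain names that resolve to loopback or private addresses, so if the intent is to keep federation fetches off internal hosts, the resolved address should also be checked where the request is made. `check_is_apub_id_valid` starts and ends outside this hunk, so how this check interacts with the earlier branches is not visible here.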
-- 
2.44.1