Dont allow localhost or raw IPs in activitypub IDs (ref #1221)
authorFelix Ableitner <me@nutomic.com>
Thu, 22 Oct 2020 16:12:43 +0000 (18:12 +0200)
committerFelix Ableitner <me@nutomic.com>
Thu, 22 Oct 2020 16:12:43 +0000 (18:12 +0200)
lemmy_apub/src/lib.rs

index c93d6477c3cecd3e38c2bedff462546795066760..07a4a397c625f1bc9efea23c79971970e7558110 100644 (file)
@@ -27,6 +27,7 @@ use lemmy_structs::blocking;
 use lemmy_utils::{location_info, settings::Settings, LemmyError};
 use lemmy_websocket::LemmyContext;
 use serde::Serialize;
+use std::net::IpAddr;
 use url::{ParseError, Url};
 
 /// Activitystreams type for community
@@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
     };
   }
 
+  let host = apub_id.host_str().context(location_info!())?;
+  let host_as_ip = host.parse::<IpAddr>();
+  if host == "localhost" || host_as_ip.is_ok() {
+    return Err(anyhow!("invalid hostname: {:?}", host).into());
+  }
+
   if apub_id.scheme() != Settings::get().get_protocol_string() {
     return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
   }
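Review bot: The new guard parses `host_str()` as an `IpAddr`, but the `url` crate serializes IPv6 hosts with brackets (`[::1]`), and that bracketed string does not parse, so IPv6 literals, loopback included, still pass the check. Matching on the typed host avoids this: `if host == "localhost" || !matches!(apub_id.host(), Some(url::Host::Domain(_))) {`. The string comparison also appears to miss `localhost.` with a trailing dot and any domain that resolves to a loopback or private address. If this check is meant to keep federation fetches away from internal services, the resolved address would need validating at connect time as well. A short comment above the block stating what is rejected and why would help; the body of `check_is_apub_id_valid` starts and continues outside this hunk.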