From b08e0a641578884aeac781ffb6cb3abcf9ba6f76 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Thu, 22 Oct 2020 18:12:43 +0200
Subject: [PATCH] Dont allow localhost or raw IPs in activitypub IDs (ref #1221)
---
 lemmy_apub/src/lib.rs | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lemmy_apub/src/lib.rs b/lemmy_apub/src/lib.rs
index c93d6477..07a4a397 100644
--- a/lemmy_apub/src/lib.rs
+++ b/lemmy_apub/src/lib.rs
@@ -27,6 +27,7 @@ use lemmy_structs::blocking;
 use lemmy_utils::{location_info, settings::Settings, LemmyError};
 use lemmy_websocket::LemmyContext;
 use serde::Serialize;
+use std::net::IpAddr;
 use url::{ParseError, Url};
 /// Activitystreams type for community
@@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
 };
 }
+ let host = apub_id.host_str().context(location_info!())?;
+ let host_as_ip = host.parse::();
+ if host == "localhost" || host_as_ip.is_ok() {
+ return Err(anyhow!("invalid hostname: {:?}", host).into());
+ }
+
 if apub_id.scheme() != Settings::get().get_protocol_string() {
 return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
 }
-- 
2.44.1
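Review bot: IPv6 literals likely slip past the new hostname check in `check_is_apub_id_valid`, because `Url::host_str()` returns them in bracketed form (`[::1]`) and that string does not parse as an `IpAddr`, so `host_as_ip.is_ok()` stays false. Matching on the already-parsed host avoids the string round-trip: `if matches!(apub_id.host(), Some(url::Host::Ipv4(_)) | Some(url::Host::Ipv6(_))) { return Err(anyhow!("invalid hostname: {:?}", host).into()); }`. The `host == "localhost"` comparison is exact, so a variant such as `localhost.` would presumably still be accepted, as would any public name that resolves to a loopback or private address. If the intent is to keep federation fetches away from internal services, the resolved address also needs checking at the point where the request is made, which this hunk does not show. The body of the function starts and ends outside the hunk.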