mirror of
https://github.com/LemmyNet/lemmy.git
synced 2024-10-01 01:36:12 -04:00
Merge pull request 'Dont allow localhost or raw IPs in activitypub IDs (ref #1221)' (#116) from disallow-localhost-urls into main
Reviewed-on: https://yerbamate.dev/LemmyNet/lemmy/pulls/116
This commit is contained in:
commit
de8d8542b4
@ -27,6 +27,7 @@ use lemmy_structs::blocking;
|
||||
use lemmy_utils::{location_info, settings::Settings, LemmyError};
|
||||
use lemmy_websocket::LemmyContext;
|
||||
use serde::Serialize;
|
||||
use std::net::IpAddr;
|
||||
use url::{ParseError, Url};
|
||||
|
||||
/// Activitystreams type for community
|
||||
@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
|
||||
};
|
||||
}
|
||||
|
||||
let host = apub_id.host_str().context(location_info!())?;
|
||||
let host_as_ip = host.parse::<IpAddr>();
|
||||
if host == "localhost" || host_as_ip.is_ok() {
|
||||
return Err(anyhow!("invalid hostname: {:?}", host).into());
|
||||
}
|
||||
|
||||
if apub_id.scheme() != Settings::get().get_protocol_string() {
|
||||
return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user