Merge pull request 'Dont allow localhost or raw IPs in activitypub IDs (ref #1221)' (#116) from disallow-localhost-urls into main

Reviewed-on: https://yerbamate.dev/LemmyNet/lemmy/pulls/116
This commit is contained in:
dessalines 2020-10-22 18:55:11 +00:00
commit de8d8542b4

View file

@ -27,6 +27,7 @@ use lemmy_structs::blocking;
use lemmy_utils::{location_info, settings::Settings, LemmyError};
use lemmy_websocket::LemmyContext;
use serde::Serialize;
use std::net::IpAddr;
use url::{ParseError, Url};
/// Activitystreams type for community
@ -72,6 +73,12 @@ fn check_is_apub_id_valid(apub_id: &Url) -> Result<(), LemmyError> {
};
}
let host = apub_id.host_str().context(location_info!())?;
let host_as_ip = host.parse::<IpAddr>();
if host == "localhost" || host_as_ip.is_ok() {
return Err(anyhow!("invalid hostname: {:?}", host).into());
}
if apub_id.scheme() != Settings::get().get_protocol_string() {
return Err(anyhow!("invalid apub id scheme: {:?}", apub_id.scheme()).into());
}