From 13d3159262e25e705e41d13b4e98ffce27a02c94 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 26 Dec 2022 11:25:51 +0000
Subject: [PATCH] Extra actor validation
---
 inbox.py | 10 +++++++---
 outbox.py | 4 ++++
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/inbox.py b/inbox.py
index a01d73764..c077ed2cf 100644
--- a/inbox.py
+++ b/inbox.py
@@ -18,6 +18,7 @@ from languages import understood_post_language
 from like import update_likes_collection
 from reaction import update_reaction_collection
 from reaction import valid_emoji_content
+from utils import contains_invalid_actor_url_chars
 from utils import is_quote_toot
 from utils import acct_handle_dir
 from utils import is_account_dir
@@ -2756,14 +2757,17 @@ def _receive_announce(recent_posts_cache: {},
 # so that their avatar can be shown
 lookup_actor = None
 if post_json_object.get('attributedTo'):
- if isinstance(post_json_object['attributedTo'], str):
- lookup_actor = post_json_object['attributedTo']
+ attrib = post_json_object['attributedTo']
+ if isinstance(attrib, str):
+ if not contains_invalid_actor_url_chars(attrib):
+ lookup_actor = attrib
 else:
 if has_object_dict(post_json_object):
 if post_json_object['object'].get('attributedTo'):
 attrib = post_json_object['object']['attributedTo']
 if isinstance(attrib, str):
- lookup_actor = attrib
+ if not contains_invalid_actor_url_chars(attrib):
+ lookup_actor = attrib
 if lookup_actor:
 if has_users_path(lookup_actor):
 if '/statuses/' in lookup_actor:
diff --git a/outbox.py b/outbox.py
index f603d450f..2a557db43 100644
--- a/outbox.py
+++ b/outbox.py
@@ -15,6 +15,7 @@ from posts import outbox_message_create_wrap
 from posts import save_post_to_box
 from posts import send_to_followers_thread
 from posts import send_to_named_addresses_thread
+from utils import contains_invalid_actor_url_chars
 from utils import get_attachment_property_value
 from utils import get_account_timezone
 from utils import has_object_string_type
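Review bot: The two new branches in `_receive_announce` repeat the same three-line `isinstance` / `contains_invalid_actor_url_chars` / assign ladder, which reads more clearly as one guarded condition in both places: `if isinstance(attrib, str) and not contains_invalid_actor_url_chars(attrib):` followed by `lookup_actor = attrib`. A short why-comment above the first check would also help the next reader, e.g. `# attributedTo comes from a remote announce; only use it as a lookup URL when it is a plain string with no disallowed URL characters`. Note that a non-string top-level `attributedTo` still leaves `lookup_actor` as `None` instead of consulting `object.attributedTo`, because the `else` belongs to the outer `get()` check — that is pre-existing, but worth confirming it is intended. What `contains_invalid_actor_url_chars` actually rejects is not visible in this patch, so whether scheme and host are also constrained before the later actor fetch cannot be confirmed from this hunk. `_receive_announce` starts and ends outside the hunk.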
@@ -321,6 +322,9 @@ def post_message_to_outbox(session, translate: {}, '.' not in message_json['actor']: return False + if contains_invalid_actor_url_chars(message_json['actor']): + return False + # sent by an actor on a local network address? if not allow_local_network_access: local_network_pattern_list = get_local_network_addresses()
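Review bot: The new check passes `message_json['actor']` straight to `contains_invalid_actor_url_chars` with no visible `isinstance(..., str)` guard, unlike the inbox.py hunk in the same patch, which validates only string values; whether an earlier condition in `post_message_to_outbox` already guarantees a string is not visible here, and if it does not, `actor = message_json['actor']` followed by `if not isinstance(actor, str) or contains_invalid_actor_url_chars(actor): return False` would make the rejection explicit. The rejection is also silent — a bare `return False` with no trace of why — so if this function reports other refusals (a debug print or log), this one should do the same so an operator can tell a malformed actor value from the local-network policy refusal that follows it. `post_message_to_outbox` starts and ends outside the hunk.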