Reject self-boosts

These are easily abused by spammers
2021-06-03 09:33:50 +01:00 · 2021-06-03 09:33:50 +01:00 · 613e6b8945
parent 042664e9f8
commit 613e6b8945
2 changed files with 8 additions and 0 deletions
--- a/announce.py
+++ b/announce.py
@ -32,6 +32,8 @@ def outboxAnnounce(recentPostsCache: {},
    """
    if not messageJson.get('actor'):
        return False
+    if not isinstance(messageJson['actor'], str):
+        return False
    if not messageJson.get('type'):
        return False
    if not messageJson.get('object'):
@ -39,6 +41,8 @@ def outboxAnnounce(recentPostsCache: {},
    if messageJson['type'] == 'Announce':
        if not isinstance(messageJson['object'], str):
            return False
+        if messageJson['actor'] in messageJson['object']:
+            return False
        nickname = getNicknameFromActor(messageJson['actor'])
        if not nickname:
            print('WARN: no nickname found in ' + messageJson['actor'])
--- a/inbox.py
+++ b/inbox.py
@ -1359,6 +1359,10 @@ def _receiveAnnounce(recentPostsCache: {},
                  '"users" or "profile" missing from actor in ' +
                  messageJson['type'])
        return False
+    if messageJson['actor'] in messageJson['object']:
+        if debug:
+            print('DEBUG: self-boost rejected')
+        return False
    if not hasUsersPath(messageJson['object']):
        if debug:
            print('DEBUG: ' +