From 84e4b1f5a5f9e6015425916dc3b4fbbe9057ead0 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Mon, 9 Sep 2019 10:54:26 +0100
Subject: [PATCH] Check that announces are from an identified account

---
 webinterface.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/webinterface.py b/webinterface.py
index 227c31e85..66a1d7ed2 100644
--- a/webinterface.py
+++ b/webinterface.py
@@ -1454,6 +1454,13 @@ def individualPostAsHtml(translate: {}, \
                     actorDomain,actorPort=getDomainFromActor(postJsonObject['actor'])
                     announcedJson = getJson(session,postJsonObject['object'],asHeader,None,projectVersion,httpPrefix,domain)
                     if announcedJson:
+                        if not announcedJson.get('id'):
+                            pprint(announcedJson)
+                            return ''
+                        if '/statuses/' not in announcedJson['id']:
+                            return ''
+                        if '/users/' not in announcedJson['id'] and '/profile/' not in announcedJson['id']:
+                            return ''
                         if not announcedJson.get('type'):
                             pprint(announcedJson)
                             return ''