Don't allow access to system actors

2020-10-13 10:47:10 +01:00 · 2020-10-13 10:47:10 +01:00 · bbd27656d2
parent 3c8b6e0a9a
commit bbd27656d2
1 changed files with 5 additions and 0 deletions
--- a/daemon.py
+++ b/daemon.py
@ -8288,6 +8288,11 @@ class PubServer(BaseHTTPRequestHandler):
        return False

    def do_GET(self):
+        # don't allow access to system actors
+        if self.path == '/users/news' or self.path == '/users/inbox':
+            self._400()
+            return
+
        callingDomain = self.server.domainFull
        if self.headers.get('Host'):
            callingDomain = self.headers['Host']