From bbd27656d2fa68fc6d096678cdaaa0dd171c111a Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 13 Oct 2020 10:47:10 +0100
Subject: [PATCH] Don't allow access to system actors
---
 daemon.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/daemon.py b/daemon.py
index c5a81572..98377fd3 100644
--- a/daemon.py
+++ b/daemon.py
@@ -8288,6 +8288,11 @@ class PubServer(BaseHTTPRequestHandler):
 return False

 def do_GET(self):
+ # don't allow access to system actors
+ if self.path == '/users/news' or self.path == '/users/inbox':
+ self._400()
+ return
+
 callingDomain = self.server.domainFull
 if self.headers.get('Host'):
 callingDomain = self.headers['Host']
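Review bot: The new guard at the top of do_GET tests `self.path` for exact equality with two strings, so it blocks only those two literal paths. A path that differs by a query string, a trailing slash or a sub-resource under the same actor is not byte-identical and passes the check. Whether such variants still resolve to the system actors later in do_GET cannot be seen here, because the method body continues beyond the hunk, but the guard should not depend on that. I would match on the normalised path and the actor segment, for example `pathOnly = self.path.split('?', 1)[0].rstrip('/')` followed by `if pathOnly in ('/users/news', '/users/inbox') or pathOnly.startswith(('/users/news/', '/users/inbox/')):`. Only GET is guarded; if the other request handlers can reach the same actors they presumably need the same test, ideally via one shared helper that holds the list of system actor names.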