From bbd27656d2fa68fc6d096678cdaaa0dd171c111a Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Tue, 13 Oct 2020 10:47:10 +0100
Subject: [PATCH] Don't allow access to system actors

---
 daemon.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/daemon.py b/daemon.py
index c5a81572..98377fd3 100644
--- a/daemon.py
+++ b/daemon.py
@@ -8288,6 +8288,11 @@ class PubServer(BaseHTTPRequestHandler):
         return False
 
     def do_GET(self):
+        # don't allow access to system actors
+        if self.path == '/users/news' or self.path == '/users/inbox':
+            self._400()
+            return
+
         callingDomain = self.server.domainFull
         if self.headers.get('Host'):
             callingDomain = self.headers['Host']