From be84d5075989a53034fd11c255ce8ca833124511 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 27 Aug 2019 13:49:53 +0100
Subject: [PATCH] Check that authorized path corresponds with the post being deleted
---
 daemon.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/daemon.py b/daemon.py
index 0e8d73fe..d9d9b2fd 100644
--- a/daemon.py
+++ b/daemon.py
@@ -2592,17 +2592,18 @@ class PubServer(BaseHTTPRequestHandler):
 removeMessageId=removeMessageId.split('&')[0]
 if '/statuses/' in removeMessageId:
 removePostActor=removeMessageId.split('/statuses/')[0]
- deleteJson= {
- "@context": "https://www.w3.org/ns/activitystreams",
- 'actor': removePostActor,
- 'object': removeMessageId,
- 'to': ['https://www.w3.org/ns/activitystreams#Public',removePostActor],
- 'cc': [removePostActor+'/followers'],
- 'type': 'Delete'
- }
- if self.server.debug:
- pprint(deleteJson)
- self._postToOutbox(deleteJson)
+ if originPathStr in removePostActor:
+ deleteJson= {
+ "@context": "https://www.w3.org/ns/activitystreams",
+ 'actor': removePostActor,
+ 'object': removeMessageId,
+ 'to': ['https://www.w3.org/ns/activitystreams#Public',removePostActor],
+ 'cc': [removePostActor+'/followers'],
+ 'type': 'Delete'
+ }
+ if self.server.debug:
+ pprint(deleteJson)
+ self._postToOutbox(deleteJson)
 self._redirect_headers(originPathStr+'/outbox',cookie)
 self.server.POSTbusy=False
 return
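Review bot: The new guard `if originPathStr in removePostActor:` is a substring test, so it authorizes more than the intended account: `removePostActor` is derived from the request-supplied `removeMessageId`, and a path like `/users/al` is contained in an actor URL for `/users/alice`, as is the same path on a different host. The check should compare the full actor URL for equality instead, e.g. `if removePostActor == <ACTOR_URL_PREFIX_OF_THIS_SERVER> + originPathStr:` where the prefix is the server's scheme and domain (constructed placeholder; use whatever the handler already has for that), or at minimum anchor the comparison rather than use `in`. When the guard fails the handler still redirects silently; a `if self.server.debug: print('Delete rejected: actor does not match ' + originPathStr)` branch would make the rejection visible in logs. The enclosing method starts before this hunk, so whether `_postToOutbox` re-checks the actor is not visible here.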