author | Jenkins <jenkins@jenkins.ninjawedding.org> | 2018-01-08 04:17:11 +0000 |
committer | Jenkins <jenkins@jenkins.ninjawedding.org> | 2018-01-08 04:17:11 +0000 |
commit | 722b3f567f18ae31b05f320441c73279b4f5ad11 (patch) | |
tree | 8e009982fa512566ce7172c8b4fe610be38d5c39 /app/lib | |
parent | f7c4d4464ba3b3729d707c54c4d2aa7515a9fe57 (diff) | |
parent | e4a241abefaa68492938c3fbb7e5e5401d12138e (diff) |
Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master
Diffstat (limited to 'app/lib')
-rw-r--r-- | app/lib/activitypub/activity/create.rb | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb
index 3a985c19b..64c429420 100644
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 class ActivityPub::Activity::Create < ActivityPub::Activity
-  SUPPORTED_TYPES = %w(Article Note).freeze
-  CONVERTED_TYPES = %w(Image Video).freeze
+  SUPPORTED_TYPES = %w(Note).freeze
+  CONVERTED_TYPES = %w(Image Video Article).freeze
 
   def perform
-    return if delete_arrived_first?(object_uri) || unsupported_object_type?
+    return if delete_arrived_first?(object_uri) || unsupported_object_type? || invalid_origin?(@object['id'])
 
     RedisLock.acquire(lock_options) do |lock|
       if lock.acquired?
@@ -213,7 +213,14 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
 
   def object_url
     return if @object['url'].blank?
-    url_to_href(@object['url'], 'text/html')
+
+    url_candidate = url_to_href(@object['url'], 'text/html')
+
+    if invalid_origin?(url_candidate)
+      nil
+    else
+      url_candidate
+    end
   end
 
   def content_language_map?
@@ -245,6 +252,15 @@ class ActivityPub::Activity::Create < ActivityPub::Activity
     @skip_download ||= DomainBlock.find_by(domain: @account.domain)&.reject_media?
   end
 
+  def invalid_origin?(url)
+    return true if unsupported_uri_scheme?(url)
+
+    needle = Addressable::URI.parse(url).host
+    haystack = Addressable::URI.parse(@account.uri).host
+
+    !haystack.casecmp(needle).zero?
+  end
+
   def reply_to_local?
     !replied_to_status.nil? && replied_to_status.account.local?
   end
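Review bot: The `if`/`else` that yields `nil` in object_url is the long form of `url_candidate unless invalid_origin?(url_candidate)`, which would also match the modifier-style guard two lines above it. Separately, url_to_href is defined outside this hunk; if it can return nil when no text/html link is present, that nil now flows into invalid_origin?, where both unsupported_uri_scheme? and `Addressable::URI.parse` would have to tolerate it. Worth confirming, or short-circuiting with `return if url_candidate.nil?` before the origin check so a missing link stays a plain nil url rather than an error.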
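Review bot: `!haystack.casecmp(needle).zero?` in invalid_origin? can raise instead of rejecting: `Addressable::URI.parse(url).host` is nil for a URL without an authority component, and `String#casecmp` returns nil rather than an Integer when given nil or a string in an incompatible encoding (older Rubies raise TypeError), so `.zero?` becomes a NoMethodError inside perform. Because this predicate is what stops a remote actor from creating a status under an id or url belonging to another domain, a comparison that cannot be made should count as invalid; `return true if needle.nil? || haystack.nil?` ahead of the comparison and `haystack.casecmp(needle) != 0` as the final line achieve that without changing the matching case. `Addressable::URI.parse` also raises `Addressable::URI::InvalidURIError` on malformed input, which this method lets propagate; whether a caller rescues it is not visible here, and unsupported_uri_scheme? is defined outside the hunk. A one-line doc comment would help the next reader: `# True unless +url+ is an http(s) URL whose host matches the actor's URI host (case-insensitive).`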