Merge branch 'glitch'

author: pluralcafe-docker <docker@plural.cafe> 2018-08-23 06:16:14 +0000
committer: pluralcafe-docker <docker@plural.cafe> 2018-08-23 06:16:14 +0000
commit: 0fa521de89168ef33423fc7306a33d4a1c3badf3 (patch)
tree: ce3663d75ca93ea2d32e10de532eb18a230cf6e0 /app/lib
parent: a4935a8e24dcfa865fb330693d8ec90beca1aa98 (diff)
parent: 8aa58e34bb2b62192a997ac7ea8919b22fc45f80 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/app/lib/ostatus/activity/creation.rb b/app/lib/ostatus/activity/creation.rb
index d3a303a0c..8f8c70052 100644
--- a/app/lib/ostatus/activity/creation.rb
+++ b/app/lib/ostatus/activity/creation.rb
@@ -7,7 +7,7 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
       return [nil, false]
     end
 
-    return [nil, false] if @account.suspended?
+    return [nil, false] if @account.suspended? || invalid_origin?
 
     RedisLock.acquire(lock_options) do |lock|
       if lock.acquired?
@@ -204,6 +204,15 @@ class OStatus::Activity::Creation < OStatus::Activity::Base
     end
   end
 
+  def invalid_origin?
+    return false unless id.start_with?('http') # Legacy IDs cannot be checked
+
+    needle = Addressable::URI.parse(id).normalized_host
+
+    !(needle.casecmp(@account.domain).zero? ||
+      needle.casecmp(Addressable::URI.parse(@account.remote_url.presence || @account.uri).normalized_host).zero?)
+  end
+
   def lock_options
     { redis: Redis.current, key: "create:#{id}" }
   end
author	pluralcafe-docker <docker@plural.cafe>	2018-08-23 06:16:14 +0000
committer	pluralcafe-docker <docker@plural.cafe>	2018-08-23 06:16:14 +0000
commit	0fa521de89168ef33423fc7306a33d4a1c3badf3 (patch)
tree	ce3663d75ca93ea2d32e10de532eb18a230cf6e0 /app/lib
parent	a4935a8e24dcfa865fb330693d8ec90beca1aa98 (diff)
parent	8aa58e34bb2b62192a997ac7ea8919b22fc45f80 (diff)