Ignore badly formed ActivityPub object data (#406)

Michael Manfre 2023-01-13 15:44:43 -05:00 committed by GitHub
parent cb66b9559d
commit 81fa9a6d34
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -737,9 +737,13 @@ class Post(StatorModel):
Raises DoesNotExist if it's not found and create is False,
or it's from a blocked domain.
"""
try:
# Ensure the domain of the object's actor and ID match to prevent injection
if urlparse(data["id"]).hostname != urlparse(data["attributedTo"]).hostname:
raise ValueError("Object's ID domain is different to its author")
except (TypeError, KeyError):
raise ValueError("Object data is not a recognizable ActivityPub object")
# Do we have one with the right ID?
created = False
try:
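Review bot: The domain comparison inside the new `try` still passes when neither value carries a hostname, because `urlparse(...).hostname` is `None` for a schemeless or relative string and `None != None` is false, so an object whose `id` and `attributedTo` are both host-less strings is accepted as same-origin. Since this check is the guard against injection, it should require a real host first: `id_host = urlparse(data["id"]).hostname` followed by `if not id_host or id_host != urlparse(data["attributedTo"]).hostname:`. Separately, a non-empty dict or list in `attributedTo` appears to make `urlparse` raise `AttributeError`, which `except (TypeError, KeyError)` would not convert to `ValueError`; this is worth confirming and, if so, adding to the tuple. The enclosing method starts and ends outside the hunk, so how later code uses `data["id"]` is not visible here.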