Merge remote-tracking branch 'tootsuite/master' into glitchsoc/master

2018-01-08 04:17:11 +00:00
parent f7c4d4464b e4a241abef
commit 722b3f567f
6 changed files with 65 additions and 27 deletions
--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
@@ -6,7 +6,7 @@ class ActivityPub::ProcessAccountService < BaseService
  # Should be called with confirmed valid JSON
  # and WebFinger-resolved username and domain
  def call(username, domain, json)
-    return if json['inbox'].blank?
+    return if json['inbox'].blank? || unsupported_uri_scheme?(json['id'])

    @json        = json
    @uri         = @json['id']
@@ -107,7 +107,21 @@ class ActivityPub::ProcessAccountService < BaseService

  def url
    return if @json['url'].blank?
-    url_to_href(@json['url'], 'text/html')
+
+    url_candidate = url_to_href(@json['url'], 'text/html')
+
+    if unsupported_uri_scheme?(url_candidate) || mismatching_origin?(url_candidate)
+      nil
+    else
+      url_candidate
+    end
+  end
+
+  def mismatching_origin?(url)
+    needle   = Addressable::URI.parse(url).host
+    haystack = Addressable::URI.parse(@uri).host
+
+    !haystack.casecmp(needle).zero?
  end

  def outbox_total_items