From 1065c5ff36004005aac8bc661ea3a33831ccbb6d Mon Sep 17 00:00:00 2001
From: Izalia Mae
Date: Wed, 8 May 2019 02:54:57 -0400
Subject: [PATCH] reject activities from instance not on relay-list
---
 relay/actor.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/relay/actor.py b/relay/actor.py
index ad09ecb..bbc8ac8 100644
--- a/relay/actor.py
+++ b/relay/actor.py
@@ -272,10 +272,14 @@ processors = {
 async def inbox(request):
 data = await request.json()
+ instance = urlsplit(data['actor']).hostname
 if 'actor' not in data or not request['validated']:
 raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
+ if data['type'] != 'Follow' and 'https://{}/inbox'.format(instance) not in DATABASE['relay-list']:
+ raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
+
 actor = await fetch_actor(data["actor"])
 actor_uri = 'https://{}/actor'.format(request.host)
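Review bot: The added `instance = urlsplit(data['actor']).hostname` line runs before the existing `'actor' not in data` guard, so a body without `actor` raises KeyError (most likely surfacing as a 500) instead of the intended 401, and it does so for unvalidated requests too. Move that assignment below the guard, and read the type with `data.get('type')` so a missing `type` is rejected rather than crashing the handler. The allowlist decision is keyed on the hostname of the body's `actor`, so it is only as strong as whatever sets `request['validated']`; that code is outside this hunk, so confirm the verified signature key belongs to the same actor. The check also rebuilds the inbox URL as `https://<host>/inbox`, which would not match a relay-list entry stored with a different path or an explicit port. inbox() continues past the end of the hunk.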