Merge branch 'block_unauth' into 'master'

reject activities from instance not on relay-list

See merge request pleroma/relay!11
This commit is contained in:
kaniini 2019-05-13 18:39:05 +00:00
commit d890bdd6ed
1 changed files with 4 additions and 0 deletions

View File

@ -272,10 +272,14 @@ processors = {
async def inbox(request): async def inbox(request):
data = await request.json() data = await request.json()
instance = urlsplit(data['actor']).hostname
if 'actor' not in data or not request['validated']: if 'actor' not in data or not request['validated']:
raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain') raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
if data['type'] != 'Follow' and 'https://{}/inbox'.format(instance) not in DATABASE['relay-list']:
raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
actor = await fetch_actor(data["actor"]) actor = await fetch_actor(data["actor"])
actor_uri = 'https://{}/actor'.format(request.host) actor_uri = 'https://{}/actor'.format(request.host)