Prevent call/input-url from accessing file: uris

parent 31b72498
......@@ -363,9 +363,15 @@
'("Accept: application/activity+json"))))
(define inbox-url
(string->url (hash-ref actor-profile 'inbox)))
;; TODO: Racket is NOT SAFE here, allows file: uris :\
(post-pure-port inbox-url message
'("Content-Type: application/activity+json")))))
;; TODO: We really ought to write a safer library for
;; http clients, but this prevents file: stuff for now
(parameterize ([current-security-guard
(make-security-guard
(current-security-guard)
(lambda _ (error "No filesystem access for you"))
(const 'no-op))])
(post-pure-port inbox-url message
'("Content-Type: application/activity+json"))))))
(void))
;; Process an incoming message.
......
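Review bot: The guard added around `post-pure-port` denies file access but leaves the network guard as `(const 'no-op)`, so `inbox-url`, which is taken from the remote actor profile via `(hash-ref actor-profile 'inbox)`, is still posted to whatever scheme and host that profile names. An explicit allowlist check before the call would reject bad values early and with a clearer error than "No filesystem access for you", for example `(unless (member (url-scheme inbox-url) '("http" "https")) (error "inbox url must be http or https"))`. A check on the destination host would be a sensible follow-up. The guard also refuses every file operation for the duration of the call, which may interfere with anything the HTTP client itself reads from disk for https, so that path is worth testing. The commit title names call/input-url, but the only call wrapped in the visible lines is `post-pure-port`; the enclosing function and the profile fetch that ends at the top of the hunk start outside it, so whether that fetch is guarded cannot be confirmed from here.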