From e2b782466de85616fbb192a2720954b214e55958 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Tue, 25 Dec 2018 22:05:47 -0700
Subject: [PATCH] Update helpers
---
 app/Util/ActivityPub/Helpers.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/app/Util/ActivityPub/Helpers.php b/app/Util/ActivityPub/Helpers.php
index b1cd2909e..8154a6ca6 100644
--- a/app/Util/ActivityPub/Helpers.php
+++ b/app/Util/ActivityPub/Helpers.php
@@ -210,6 +210,18 @@ class Helpers {
 $activity = ['object' => $res];
 }
 
+ $idDomain = parse_url($activity['id'], PHP_URL_HOST);
+ $urlDomain = parse_url($url, PHP_URL_HOST);
+ $actorDomain = parse_url($activity['object']['attributedTo'], PHP_URL_HOST);
+
+ if(
+ $idDomain !== $urlDomain ||
+ $actorDomain !== $urlDomain ||
+ $idDomain !== $actorDomain
+ ) {
+ abort(400, 'Invalid object');
+ }
+
 $profile = self::profileFirstOrNew($activity['object']['attributedTo']);
 if(isset($activity['object']['inReplyTo']) && !empty($activity['object']['inReplyTo']) && $replyTo == true) {
 $reply_to = self::statusFirstOrFetch($activity['object']['inReplyTo'], false);
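Review bot: The new check reads `$activity['id']`, but the context line directly above it sets `$activity = ['object' => $res]`, which has no `id` key, so on that path the lookup is an undefined index and the origin check errors out or rejects the object instead of comparing hosts. `attributedTo` is likewise handed to `parse_url()` without confirming that it is present and a string, although it comes from the fetched remote document. I would read both values with `??`, reject non-strings with the same 400, and require a non-empty `$urlDomain` so that URLs which all fail to parse cannot compare equal as `null`; the third comparison is implied by the first two and can be dropped. The enclosing method starts and ends outside the hunk, so which id is persisted later is not visible, and the fallback to `$activity['object']['id']` below is an assumption to confirm.

```php
// Both values come from the remote document: confirm presence and type before parsing.
$objectId = $activity['id'] ?? $activity['object']['id'] ?? null;
$actorUrl = $activity['object']['attributedTo'] ?? null;
if(!is_string($objectId) || !is_string($actorUrl)) {
    abort(400, 'Invalid object');
}

$idDomain = parse_url($objectId, PHP_URL_HOST);
$urlDomain = parse_url($url, PHP_URL_HOST);
$actorDomain = parse_url($actorUrl, PHP_URL_HOST);

// An empty host must fail the check rather than match another empty host.
if(
    !$urlDomain ||
    $idDomain !== $urlDomain ||
    $actorDomain !== $urlDomain
) {
    abort(400, 'Invalid object');
}
// … unchanged: profileFirstOrNew() call and reply handling …
```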