From d52610a9fe26fa7e4ee2aa1f0603bab8b7593698 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 5 Feb 2026 17:08:21 +1030
Subject: [PATCH 1/2] fix

---
 app/Federation/Validators/CreateValidator.php | 2 +-
 app/Services/SanitizeService.php | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/Federation/Validators/CreateValidator.php b/app/Federation/Validators/CreateValidator.php
index c9befd2ca..35d5bcc63 100644
--- a/app/Federation/Validators/CreateValidator.php
+++ b/app/Federation/Validators/CreateValidator.php
@@ -40,7 +40,7 @@ public function validate(array $activity): void
 $object = $activity['object'];
- if (app(SanitizeService::class)->isLocalObject($object['id'])) {
+ if ($this->isLocalObject($object['id'])) {
 throw new \Exception('Invalid create activity origin.');
 }
diff --git a/app/Services/SanitizeService.php b/app/Services/SanitizeService.php
index dec616ad2..137650c08 100644
--- a/app/Services/SanitizeService.php
+++ b/app/Services/SanitizeService.php
@@ -219,11 +219,16 @@ public function isLocalObject($url): bool
 return false;
 }
+ $parsed = parse_url($url);
+ if (! $parsed || ! isset($parsed['scheme']) || $parsed['scheme'] !== 'https') {
+ return false;
+ }
+
 $app = parse_url(config('app.url'));
 $appHost = strtolower(data_get($app, 'host'));
- $urlHost = parse_url($url, PHP_URL_HOST);
+ $urlHost = strtolower(data_get($parsed, 'host'));
- return $appHost === strtolower($urlHost);
+ return $appHost === $urlHost;
 }
 /**

From 68136f4915afb7905639012726ad9e270e584b4d Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 5 Feb 2026 17:20:22 +1030
Subject: [PATCH 2/2] fix

---
 app/Federation/Validators/CreateValidator.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Federation/Validators/CreateValidator.php b/app/Federation/Validators/CreateValidator.php
index 35d5bcc63..c9befd2ca 100644
--- a/app/Federation/Validators/CreateValidator.php
+++ b/app/Federation/Validators/CreateValidator.php
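Review bot: `$this->isLocalObject($object['id'])` on the added line of the CreateValidator hunk resolves to a method of the validator itself, and nothing in this series shows CreateValidator defining or inheriting one; the removed line reached it through the SanitizeService container binding, and PATCH 2/2 reverts exactly this line, which suggests the call did not resolve. Squash the two commits so the branch never carries the broken intermediate state, and let the commit subject name the actual change (the scheme/host handling in SanitizeService::isLocalObject) rather than `fix`. validate()'s body starts before this hunk and continues after it.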
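Review bot: The added scheme gate in isLocalObject makes the local-origin check fail open: `$parsed['scheme'] !== 'https'` is case-sensitive and parse_url() does not normalise the scheme, so an object id whose scheme is spelled `HTTPS` (or a plain `http://` id on the app host) now returns false, and the CreateValidator hunk in this same patch treats false as "not local" and accepts the activity, whereas before this change only the host was compared. If the intent is to accept only https ids, normalise before comparing, e.g. `if (! $parsed || strtolower((string) ($parsed['scheme'] ?? '')) !== 'https') {`; if the intent was only to guard against parse_url() returning false, drop the scheme condition and keep the host comparison as the deciding test. Separately, `data_get($parsed, 'host')` is null for a scheme-only string and `strtolower(null)` is deprecated on PHP 8.1+, so cast with `(string)` on both host lines. isLocalObject's body starts before this hunk.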
@@ -40,7 +40,7 @@ public function validate(array $activity): void
 $object = $activity['object'];
- if ($this->isLocalObject($object['id'])) {
+ if (app(SanitizeService::class)->isLocalObject($object['id'])) {
 throw new \Exception('Invalid create activity origin.');
 }