From e2b782466de85616fbb192a2720954b214e55958 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Tue, 25 Dec 2018 22:05:47 -0700
Subject: [PATCH 1/2] Update helpers

---
 app/Util/ActivityPub/Helpers.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/app/Util/ActivityPub/Helpers.php b/app/Util/ActivityPub/Helpers.php
index b1cd2909e..8154a6ca6 100644
--- a/app/Util/ActivityPub/Helpers.php
+++ b/app/Util/ActivityPub/Helpers.php
@@ -210,6 +210,18 @@ class Helpers {
 $activity = ['object' => $res];
 }
 
+ $idDomain = parse_url($activity['id'], PHP_URL_HOST);
+ $urlDomain = parse_url($url, PHP_URL_HOST);
+ $actorDomain = parse_url($activity['object']['attributedTo'], PHP_URL_HOST);
+
+ if(
+ $idDomain !== $urlDomain ||
+ $actorDomain !== $urlDomain ||
+ $idDomain !== $actorDomain
+ ) {
+ abort(400, 'Invalid object');
+ }
+
 $profile = self::profileFirstOrNew($activity['object']['attributedTo']);
 if(isset($activity['object']['inReplyTo']) && !empty($activity['object']['inReplyTo']) && $replyTo == true) {
 $reply_to = self::statusFirstOrFetch($activity['object']['inReplyTo'], false);
From ee167f0f8c591826b673fc0cc16e38163b2eb5db Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Tue, 25 Dec 2018 22:06:06 -0700
Subject: [PATCH 2/2] Bump version to 0.7.4

---
 config/pixelfed.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/pixelfed.php b/config/pixelfed.php
index bb7d3daee..e954c6b64 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -23,7 +23,7 @@ return [
 | This value is the version of your PixelFed instance.
 |
 */
- 'version' => '0.7.3',
+ 'version' => '0.7.4',
 
 /*
 |--------------------------------------------------------------------------
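Review bot: `$activity['id']` is read directly after the context line `$activity = ['object' => $res];`, and on that path the array carries only an `object` key, so the lookup hits an undefined index rather than comparing the fetched object's id; depending on error handling that is either a notice with `$idDomain` left null (every wrapped object rejected) or an exception instead of the intended 400. Reading the id from the object, `$idDomain = parse_url($activity['object']['id'] ?? '', PHP_URL_HOST);`, would cover both shapes, assuming the other branch (outside this hunk) also keeps the object under `object`. `attributedTo` is passed to `parse_url()` unchecked as well, and a remote document can supply a non-string there, so an `is_string()` guard that aborts with 400 belongs before the three calls. The third comparison `$idDomain !== $actorDomain` is implied by the first two and can be dropped. The enclosing method starts and ends outside the hunk.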