From 2ee4b416a5972c71354424ec722d54699bcc0a4a Mon Sep 17 00:00:00 2001 From: Marnanel Thurman Date: Wed, 29 May 2019 10:22:00 +0100 Subject: [PATCH] Require incoming messages to be application/activity+json or application/json --- django_kepi/views.py | 10 +++++++++- tests/test_inbox.py | 23 ++++++++++++++++++----- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/django_kepi/views.py b/django_kepi/views.py index 0c380df..5de9601 100644 --- a/django_kepi/views.py +++ b/django_kepi/views.py @@ -284,7 +284,15 @@ class InboxView(django.views.View): def post(self, request, name=None, *args, **kwargs): - # username is None for the shared inbox. + # name is None for the shared inbox. + + if request.META['CONTENT_TYPE'] not in [ + 'application/activity+json', + 'application/json', + ]: + return HttpResponse( + status = 415, # unsupported media type + ) capture = django_kepi.validation.IncomingMessage( date = request.META['HTTP_DATE'], diff --git a/tests/test_inbox.py b/tests/test_inbox.py index 0ffd312..f873975 100644 --- a/tests/test_inbox.py +++ b/tests/test_inbox.py @@ -51,18 +51,31 @@ class TestInbox(TestCase): @httpretty.activate def test_shared_post(self): - self._post_to_inbox('/sharedInbox') + self._post_to_inbox(INBOX_PATH) - @skip("broken; find out why") def test_non_json(self): - IncomingMessage.objects.all().delete() + keys = json.load(open('tests/keys/keys-0001.json', 'r')) + + body, headers = test_message_body_and_headers( + f_actor = REMOTE_FRED, + secret = keys['private'], + ) + # we don't use the body it gives us c = Client() - - c.post('/sharedInbox', + result = c.post( + path = INBOX_PATH, content_type = 'text/plain', data = 'Hello', + HTTP_DATE = headers['date'], + HOST = headers['host'], + HTTP_SIGNATURE = headers['signature'], + ) + + self.assertEqual( + result.status_code, + 415, # unsupported media type ) self.assertFalse(
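Review bot: The new media-type guard in `post` compares the raw `CONTENT_TYPE` header against two exact strings, so a delivery sent with the media type the ActivityPub spec tells clients to use, `application/ld+json; profile="https://www.w3.org/ns/activitystreams"`, or any accepted type carrying a `; charset=utf-8` parameter or different letter case, is rejected with 415, while a request with no Content-Type header at all can raise KeyError (WSGI may omit the key) and surface as a 500 instead of 415. Compare the parsed media type and allow the LD-JSON form: `media_type = request.META.get('CONTENT_TYPE', '').split(';', 1)[0].strip().lower()` followed by `if media_type not in ('application/activity+json', 'application/ld+json', 'application/json'):` (Django's `request.content_type`, where available, gives the same parsed value). Rejecting before the Date and Signature headers are read is the right order for a cheap early check, but it only filters the declared type; the body still has to be parsed as JSON under whatever size limit the later code enforces, which lies outside this hunk, as does the rest of `post`.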