From ebd2ec45b13293849dc8412626296e40c412e910 Mon Sep 17 00:00:00 2001
From: girlbossceo
Date: Wed, 13 Sep 2023 21:16:31 -0400
Subject: [PATCH] fix: Do not allow fetching cached remote users' profiles over federation (nyaaori)

Signed-off-by: girlbossceo
---
 src/api/server_server.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index 5455d0dc..95231c9a 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1909,6 +1909,13 @@ pub async fn get_profile_information_route(
 return Err(Error::bad_config("Federation is disabled."));
 }
 
+ if body.user_id.server_name() != services().globals.server_name() {
+ return Err(Error::BadRequest(
+ ErrorKind::NotFound,
+ "User does not belong to this server",
+ ));
+ }
+
 let mut displayname = None;
 let mut avatar_url = None;
 let mut blurhash = None;
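Review bot: The new guard on `body.user_id.server_name()` carries no comment saying why remote user IDs are rejected, so a later refactor could drop it and again let a federated server read profile data this homeserver has only cached for users of other servers. I would add above the `if`: `// Only answer for local users: profiles cached for remote users must not be served to other servers over federation.` The body of `get_profile_information_route` continues outside this hunk, so whether an unknown or deactivated local user is handled after the guard cannot be judged from here. Other federation handlers in `src/api/server_server.rs` that accept a user ID are also not visible; it is worth confirming they apply the same local-user check, and adding a regression test that a query for a remote user ID returns `ErrorKind::NotFound`.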