From f458916919375674124d120f2618c928479fe4cd Mon Sep 17 00:00:00 2001
From: Nyaaori <+@nyaaori.cat>
Date: Wed, 21 Dec 2022 17:46:01 +0100
Subject: [PATCH] fix: Do not allow fetching cached remote users' profiles over
 federation

---
 src/api/server_server.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/api/server_server.rs b/src/api/server_server.rs
index 72f6cae7..7f14c4a7 100644
--- a/src/api/server_server.rs
+++ b/src/api/server_server.rs
@@ -1716,6 +1716,13 @@ pub async fn get_profile_information_route(
         return Err(Error::bad_config("Federation is disabled."));
     }
 
+    if body.user_id.server_name() != services().globals.server_name() {
+        return Err(Error::BadRequest(
+            ErrorKind::NotFound,
+            "User does not belong to this server",
+        ));
+    }
+
     let mut displayname = None;
     let mut avatar_url = None;
     let mut blurhash = None;