From 1934b36ec1916fe9a7cca17eacc2f455e18b5802 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Sat, 17 Feb 2024 21:21:37 +0000
Subject: [PATCH] Use `urljoin` to safely join activitypub URL

---
 website/well_known/views.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/website/well_known/views.py b/website/well_known/views.py
index 040b720..923c7d3 100644
--- a/website/well_known/views.py
+++ b/website/well_known/views.py
@@ -1,4 +1,5 @@
 from datetime import timedelta
+from urllib.parse import urljoin
 
 from django.conf import settings
 from django.http.request import HttpRequest
@@ -56,10 +57,13 @@ def activitypub_proxy(request: HttpRequest) -> HttpResponse:
     if not settings.ACTIVITYPUB_HOST:
         raise Http404
 
+    activitypub_url = urljoin(
+        "https://" + settings.ACTIVITYPUB_HOST,
+        request.path,
+        allow_fragments=True,
+    )
+
     try:
-        return proxy_view(
-            request,
-            f"https://{settings.ACTIVITYPUB_HOST}{request.path}",
-        )
+        return proxy_view(request, activitypub_url)
     except RequestException:
         return HttpResponse(status_code=502)