
Cap remote recipient fetches per incoming activity#3094

Open
pfefferle wants to merge 4 commits into trunk from fix/cap-remote-recipient-fetches

Conversation

@pfefferle
Member

Summary

  • Limits the number of outbound HTTP requests triggered by remote recipient URLs in to/cc/bcc fields of incoming activities.
  • Defaults to 5 remote fetches per activity, filterable via activitypub_max_remote_recipient_fetches.
  • Prevents abuse where a crafted activity with many remote recipients could trigger unlimited outbound requests from the server.

Test plan

  • Send an activity with fewer than 5 remote recipients in to/cc/bcc — all should be resolved as before.
  • Send an activity with more than 5 remote recipients — only the first 5 should trigger outbound fetches; the rest should be skipped.
  • Verify local (same-domain) recipients are unaffected by the cap.

Limit the number of outbound HTTP requests triggered by remote
recipient URLs in to/cc/bcc fields to prevent abuse. Defaults to 5,
filterable via `activitypub_max_remote_recipient_fetches`.
Copilot AI review requested due to automatic review settings March 25, 2026 10:38

Copilot AI left a comment


Pull request overview

This PR mitigates abuse of the shared inbox endpoint by limiting how many outbound HTTP fetches can be triggered from remote recipient URLs embedded in incoming ActivityPub activities.

Changes:

  • Add a per-activity cap (default: 5) on remote recipient lookups, filterable via activitypub_max_remote_recipient_fetches.
  • Skip additional remote recipient fetches once the cap is reached while continuing to process same-domain recipients.
  • Add a patch-level changelog entry documenting the fix.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

  • includes/rest/class-inbox-controller.php: Adds the remote-recipient fetch cap (and introduces a new filter) inside get_local_recipients().
  • .github/changelog/fix-cap-remote-recipient-fetches: Documents the change as a patch “fixed” item.
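The following is an added illustration of the capping behaviour described in the PR summary and in the review above; it is not code from the ActivityPub plugin or from this pull request. Only the filter name `activitypub_max_remote_recipient_fetches` and the default of 5 come from the page. The function `resolve_recipients()`, its `$local_host` parameter, the `fetch_remote_actor()` stub (which records a would-be request instead of sending one, so the script runs offline) and the sample activity are all constructed for this example.

```php
<?php
/**
 * Added example (not the plugin's own code): resolve the recipients of an
 * incoming activity while capping how many remote URLs trigger an outbound fetch.
 * Local (same-host) recipients never count against the cap.
 */

/**
 * Hypothetical outbound fetch. It only records the URL that would be requested
 * so the example runs offline; a real helper would perform an HTTP GET here.
 */
function fetch_remote_actor( string $url, array &$requests ): ?array {
    $requests[] = $url;
    return array( 'id' => $url );
}

/**
 * Collect recipients from to/cc/bcc, fetching remote ones only until the cap is hit.
 *
 * @param array  $activity   Decoded ActivityPub activity (constructed sample below).
 * @param string $local_host Hostname of this server; a hypothetical parameter.
 * @return array{resolved: string[], skipped: string[], requests: string[]}
 */
function resolve_recipients( array $activity, string $local_host ): array {
    // Filter name and default taken from the PR; outside WordPress there is no
    // filter system, so fall back to the default value.
    $max = function_exists( 'apply_filters' )
        ? (int) apply_filters( 'activitypub_max_remote_recipient_fetches', 5 )
        : 5;

    $resolved = array();
    $skipped  = array();
    $requests = array();
    $seen     = array();

    foreach ( array( 'to', 'cc', 'bcc' ) as $field ) {
        foreach ( (array) ( $activity[ $field ] ?? array() ) as $recipient ) {
            // Ignore non-string entries and duplicates across the three fields.
            if ( ! is_string( $recipient ) || isset( $seen[ $recipient ] ) ) {
                continue;
            }
            $seen[ $recipient ] = true;

            // The Public collection is an addressing marker, not an actor to fetch.
            if ( 'https://www.w3.org/ns/activitystreams#Public' === $recipient ) {
                continue;
            }

            $host = parse_url( $recipient, PHP_URL_HOST );
            if ( ! $host ) {
                continue; // Not a fetchable URL.
            }

            if ( strcasecmp( $host, $local_host ) === 0 ) {
                $resolved[] = $recipient; // Local: no outbound request, never capped.
                continue;
            }

            if ( count( $requests ) >= $max ) {
                $skipped[] = $recipient; // Cap reached: skip without fetching.
                continue;
            }

            if ( fetch_remote_actor( $recipient, $requests ) ) {
                $resolved[] = $recipient;
            }
        }
    }

    return compact( 'resolved', 'skipped', 'requests' );
}

// Constructed sample: 2 local recipients, 7 distinct remote ones (one repeated
// in bcc) and the Public alias, spread across to/cc/bcc.
$activity = array(
    'to'  => array( 'https://www.w3.org/ns/activitystreams#Public', 'https://example.local/@alice' ),
    'cc'  => array(
        'https://remote-1.example/@u', 'https://remote-2.example/@u', 'https://remote-3.example/@u',
        'https://remote-4.example/@u', 'https://remote-5.example/@u', 'https://remote-6.example/@u',
    ),
    'bcc' => array( 'https://remote-7.example/@u', 'https://remote-1.example/@u', 'https://example.local/@bob' ),
);

$result = resolve_recipients( $activity, 'example.local' );
printf(
    "outbound requests: %d, resolved: %d, skipped: %d\n",
    count( $result['requests'] ),
    count( $result['resolved'] ),
    count( $result['skipped'] )
);
```

The cap is checked against the number of requests actually issued rather than against the position in the list, so deduplication and local recipients do not consume fetch budget, and an activity that repeats the same remote URL many times cannot exhaust it. Skipped recipients are returned separately so a caller can log them, which is the signal a defender would want for spotting activities crafted to trigger fan-out.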


2 participants