pleroma

Commit Graph

Author	SHA1	Message	Date
Haelwenn (lanodan) Monnier	69caedc591	instance gen: Reduce permissions of pleroma directories and config files	2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier	8cc8100120	Config: Restrict permissions of OTP config file	2023-08-04 09:50:28 +02:00
Mark Felder	2c79509453	Resolve information disclosure vulnerability through emoji pack archive download endpoint The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org	2023-08-04 08:40:27 +02:00
Haelwenn	819fccb7d1	Merge branch 'tusooa/3154-attachment-type-check' into 'develop' Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923	2023-08-03 10:01:32 +00:00
Faried Nawaz	e5e76ec445	cleaner ecto query to handle restrict_unauthenticated for activities This fix is for this case: config :pleroma, :restrict_unauthenticated, activities: %{local: true, remote: true}	2023-07-28 18:45:59 +05:00
faried nawaz	dc4de79d43	status context: perform visibility check on activities around a status issue #2927	2023-07-28 18:45:59 +05:00
tusooa	ea4225a646	Restrict attachments to only uploaded files only	2023-07-18 18:39:59 -04:00
Haelwenn	93ad16cca0	Merge branch '2023-06-deps-update' into 'develop' 2023-06 deps update + de-override plug See merge request pleroma/pleroma!3911	2023-07-17 20:37:47 +00:00
tusooa	1459d64508	Make regex-to-string descriptor reusable	2023-07-07 07:09:35 -04:00
tusooa	ba3aa4f86d	Fix edge cases	2023-07-07 06:58:32 -04:00
tusooa	ef8a6c539a	Make EmojiPolicy aware of custom emoji reactions	2023-07-07 06:58:31 -04:00
tusooa	20d193c91d	Improve config examples for EmojiPolicy	2023-07-07 06:58:31 -04:00
tusooa	f50422c380	Move emoji_policy.ex to the right place	2023-07-07 06:58:31 -04:00
tusooa	7eb8abf7bb	EmojiPolicy: Implement delist	2023-07-07 06:58:31 -04:00
tusooa	80ce6482f6	EmojiPolicy: implement remove by shortcode	2023-07-07 06:58:31 -04:00
tusooa	28ff828caa	Add emoji policy to remove emojis matching certain urls https://git.pleroma.social/pleroma/pleroma/-/issues/2775	2023-07-07 06:58:22 -04:00
Haelwenn (lanodan) Monnier	3d79ceb23a	Deprecate audio scrobbling	2023-07-04 03:40:11 +02:00
Haelwenn	a31a4c522f	Merge branch 'tusooa/3131-handle-report-from-deactivated-user' into 'develop' Fix handling report from a deactivated user Closes #3131 See merge request pleroma/pleroma!3915	2023-07-02 21:27:15 +00:00
tusooa	6e4de2383f	Fix handling report from a deactivated user	2023-07-02 11:15:34 -04:00
tusooa	a1621839cc	Fix user fetch completely broken if featured collection is not in a supported form	2023-07-02 11:03:09 -04:00
tusooa	48e490cd58	Merge branch 'bugfix/full-revert-media-host-validation' into 'develop' Merge Revert "Merge branch 'validate-host' into 'develop'" Closes #3136 See merge request pleroma/pleroma!3909	2023-07-01 21:54:18 +00:00
Haelwenn	043a00991d	Merge branch 'instance-nodeinfo-metadata' into 'develop' instances: Store some metadata based on NodeInfo See merge request pleroma/pleroma!3853	2023-06-27 18:58:04 +00:00
Haelwenn	ae0ca49451	Merge branch 'tusooa/3119-bio-update' into 'develop' Show more informative errors when profile exceeds char limits Closes #3119 See merge request pleroma/pleroma!3886	2023-06-27 18:49:43 +00:00
Haelwenn	41f2ee69a8	Merge branch 'from/upstream-develop/tusooa/backup-status' into 'develop' Detail backup states Closes #3024 See merge request pleroma/pleroma!3809	2023-06-27 12:08:11 +00:00
Haelwenn (lanodan) Monnier	d7e049d5e8	router: Fix usage of globs warning: doing a prefix match with globs is deprecated, invalid segment "pleromapath". You can either replace by a single segment match: /foo/bar-:var Or by mixing single segment match with globs: /foo/bar-:var/rest	2023-06-27 10:42:10 +02:00
Haelwenn (lanodan) Monnier	3a67b8f287	endpoint: Use custom Multipart module for dynamic configuration	2023-06-27 10:41:25 +02:00
Haelwenn (lanodan) Monnier	dd9f8150fc	Merge Revert "Merge branch 'validate-host' into 'develop'" This reverts commit `d998a114e2`, reversing changes made to `da6b4003ac`.	2023-06-22 21:28:25 +02:00
Sean King	a5a354a36e	Prevent bypassing authorized fetch mode with a json file	2023-06-22 00:10:56 -05:00
lain	4e6ea7cc91	Merge branch 'tusooa/3054-banned-delete' into 'develop' Fix deleting banned users' statuses See merge request pleroma/pleroma!3889	2023-06-11 13:17:12 +00:00
Lain Soykaf	6611c6ce4e	B ForceMentionsInContent: Fix test, refactor.	2023-06-11 16:45:31 +04:00
Lain Soykaf	55dd8ef1c7	Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into pleroma-double_mentions	2023-06-11 16:31:20 +04:00
lain	16313af7eb	Merge branch 'fix/metadata-tags' into 'develop' static frontend: fix meta tags See merge request pleroma/pleroma!3885	2023-06-11 11:57:16 +00:00
lain	1f4618d64b	Merge branch 'cleanup/ostatus-user-upgrade' into 'develop' Cleanup OStatus-era user upgrades and ap_enabled indicator See merge request pleroma/pleroma!3880	2023-06-11 11:13:57 +00:00
feld	75900f21f0	Merge branch 'revert-mediaproxy-host-validation' into 'develop' Revert MediaProxy Host header validation See merge request pleroma/pleroma!3902	2023-06-11 11:10:51 +00:00
lain	1db29f734f	Merge branch 'fep-fffd-url' into 'develop' CommonFields: Use BareUri for :url Closes #3121 See merge request pleroma/pleroma!3884	2023-06-11 11:02:39 +00:00
Mark Felder	fadcd7f1a9	Revert MediaProxy Host header validation Something is going wrong here even though the tests are correct.	2023-06-07 09:19:22 -04:00
Lain Soykaf	cbc5b8cebd	B Preload: Make sure that the preloaded json is html safe	2023-06-02 17:03:21 +04:00
Haelwenn	d998a114e2	Merge branch 'validate-host' into 'develop' Validate Host header for MediaProxy and Uploads See merge request pleroma/pleroma!3896	2023-05-31 00:50:01 +00:00
Mark Felder	b3c3bd99c3	Switch from serving a 400 to a 302	2023-05-30 16:56:09 -04:00
Mark Felder	9caa0b0be1	Add OnlyMedia Upload Filter to simplify restricting uploads to audio, image, and video types	2023-05-29 15:49:04 -04:00
Mark Felder	da7394f33b	Fix unused assignment	2023-05-29 15:09:31 -04:00
Mark Felder	a60dd0d92d	Validate Host header matches expected value before allowing access to Uploads	2023-05-29 14:16:03 -04:00
Mark Felder	843fcca5b4	Validate Host header matches expected value before allowing access to MediaProxy	2023-05-29 13:59:51 -04:00
faried nawaz	8b390d27dc	twitter card: handle case where image has no alt text	2023-05-29 02:52:49 +05:00
faried nawaz	52368e6702	fix meta tag for twitter cards and image attachments The name of the tag should be twitter:image, not twitter:player. Also, add twitter:image:alt meta tags.	2023-05-29 02:52:49 +05:00
faried nawaz	b6b7de2010	add url to Metadata.build_tags call If static_fe is enabled, going to https://pleroma/notice/some-id results in <meta content="https://pleroma/users/someuser" property="og:url"> With this fix, it is <meta content="https://pleroma/notice/some-id" property="og:url"> Additionally, Pleroma.Web.Metadata.Providers.OpenGraph now generates meta tags for attachments in the post.	2023-05-29 02:52:41 +05:00
Haelwenn (lanodan) Monnier	869f0d24a6	Merge branch 'release/2.5.2' into mergeback/2.5.2	2023-05-26 23:47:50 +02:00
Mark Felder	4505bc1e58	Filter OEmbed HTML tags	2023-05-26 19:56:36 +02:00
Mark Felder	0d68804aa7	Filter OEmbed HTML tags	2023-05-26 19:54:24 +02:00
tusooa	d0c2e0830b	Enforce unauth restrictions for public streaming endpoints	2023-05-26 19:24:08 +02:00

1 2 3 4 5 ...

9037 Commits