Commit Graph

14821 Commits

Author SHA1 Message Date
Haelwenn (lanodan) Monnier bd7381f2f4 instance gen: Reduce permissions of pleroma directories and config files 2023-08-04 09:49:53 +02:00
Haelwenn (lanodan) Monnier 4befb3b1d0 Config: Restrict permissions of OTP config file 2023-08-04 09:49:53 +02:00
Mark Felder 18a0c923d0 Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
2023-08-04 08:39:55 +02:00
Haelwenn 2d193861db Merge branch 'release/2.5.2' into 'stable'
Security release 2.5.2

See merge request pleroma/pleroma!3863
2023-05-26 19:35:31 +00:00
Haelwenn (lanodan) Monnier 7618e562b3 Version 2.5.2 2023-05-26 19:57:00 +02:00
Mark Felder 4505bc1e58 Filter OEmbed HTML tags 2023-05-26 19:56:36 +02:00
tusooa d0c2e0830b Enforce unauth restrictions for public streaming endpoints 2023-05-26 19:24:08 +02:00
Haelwenn b36263e5ff Merge branch 'issue/3126' into 'develop'
MediaProxyController: Apply CSP sandbox

See merge request pleroma/pleroma!3890
2023-05-26 19:24:08 +02:00
Haelwenn 4339230f64 Merge branch 'tusooa/fix-object-test' into 'develop'
Fix ObjectTest

See merge request pleroma/pleroma!3887
2023-05-26 19:24:08 +02:00
Haelwenn 72833c84b5 Merge branch 'tusooa/rework-refetch' into 'develop'
Make sure object refetching follows update rules

See merge request pleroma/pleroma!3883
2023-05-26 19:24:08 +02:00
Haelwenn e4288df502 Merge branch 'background-timeout' into 'develop'
Set background worker timeout to 15 minutes

See merge request pleroma/pleroma!3857
2023-03-30 12:48:35 +02:00
tusooa ad38cc3b0c Merge branch 'docs-otp-support' into 'develop'
docs: Be more explicit about the level of compatibility of OTP releases

See merge request pleroma/pleroma!3849
2023-03-30 12:48:12 +02:00
tusooa 40f14fd31c Merge branch 'remove-crypt' into 'develop'
Remove crypt(3) support

Closes #3030 and #3062

See merge request pleroma/pleroma!3847
2023-03-30 12:47:36 +02:00
Haelwenn 937df7e465 Merge branch 'fix/tag-feed-crashes' into 'develop'
fix: atom/rss feed issues

Closes #3045

See merge request pleroma/pleroma!3851
2023-03-30 12:46:35 +02:00
Haelwenn d640df3927 Merge branch 'fix/static-fe-feed-500' into 'develop'
fix: remove static_fe pipeline for /users/:nickname/feed

See merge request pleroma/pleroma!3852
2023-03-30 12:45:39 +02:00
Haelwenn 22b72cd6b8 Merge branch 'tusooa/oban-common-pipeline' into 'develop'
Stop oban from retrying if validating errors occur when processing incoming data

See merge request pleroma/pleroma!3844
2023-03-30 12:43:58 +02:00
tusooa fd46f83d2d Merge branch 'release/2.5.1' into 'stable'
release: 2.5.1

See merge request pleroma/pleroma!3841
2023-03-02 00:50:02 +00:00
tusooa 938e238ea1 Add the security fix to the changelog 2023-03-01 18:44:29 -05:00
tusooa e4925f813a Sanitize filenames when uploading 2023-03-01 18:40:02 -05:00
tusooa 5d34fe1868 Bundle frontend 2023-02-20 12:37:44 -05:00
tusooa 75b76a0666 Bump version in mix project to 2.5.1 2023-02-20 12:32:45 -05:00
tusooa db06e445f1 Compose changelog for 2.5.1 2023-02-20 12:32:18 -05:00
tusooa 410d50afe5 Ignores in exiftool read descriptions 2023-02-20 12:30:36 -05:00
Sean King c69ae5f7c7 Bump crypt to v1.0.1 2023-02-20 12:29:38 -05:00
lain bb9ed51da7 Update mix.exs 2023-02-20 12:28:52 -05:00
tusooa 002159fc1c Bump linkify 2023-02-20 12:28:52 -05:00
tusooa f2ed05191c Test double dot link 2023-02-20 12:28:42 -05:00
tusooa 0e89a9ad15 Test that zwnj is treated as word char in hashtags 2023-02-20 12:28:41 -05:00
Alexander Tumin c3a0703564 Require related object for notifications to filter on content 2023-02-20 12:27:50 -05:00
tusooa 8e8a0f005c Fix improper content being cached in report content 2023-02-20 12:26:16 -05:00
tusooa 772d99c582 Use versioned image from hexpm 2023-02-20 12:25:31 -05:00
tusooa 1c225bfd6e Allow customizing instance languages 2023-02-20 12:25:00 -05:00
Mark Felder 1b82fd95d4 Remove unwanted code specific to MIX_ENV=test 2023-02-20 12:24:38 -05:00
Mark Felder 88ce0e8b24 Fix rel="me"
Cachex for this was not started
2023-02-20 12:24:32 -05:00
tusooa 3ab3404817 Fix block_from_stranger setting 2023-02-20 12:21:27 -05:00
Lain Soykaf d5125e6ce7 B StripLocation: Add test, work for all svgs. 2023-02-20 12:21:04 -05:00
Dmytro Poltavchenko e8fca8882a Added SVG to formats not compatible with exiftool 2023-02-20 12:21:04 -05:00
tusooa 259905a893 Bump earmark to 1.4.22 2023-02-20 12:20:29 -05:00
Haelwenn f76c1d4f70 Merge branch 'release/2.5.0' into 'stable'
Release 2.5.0

See merge request pleroma/pleroma!3816
2022-12-23 17:43:21 +00:00
Haelwenn (lanodan) Monnier 91c22637de mix: Release 2.5.0 2022-12-23 17:10:02 +01:00
Haelwenn (lanodan) Monnier ee7694fa91 CHANGELOG: Set 2.5.0 2022-12-23 17:09:57 +01:00
Haelwenn (lanodan) Monnier 5ce7db455c Git merge is not my favorite tool 2022-12-23 17:07:26 +01:00
Haelwenn (lanodan) Monnier 3fbd42061c Revert "Delete report notifs when demoting from superuser"
This reverts commit 4504c81080.
2022-12-23 17:06:09 +01:00
Haelwenn (lanodan) Monnier 7d68d64d63 Merge back 2.4.5 2022-12-23 17:05:05 +01:00
Haelwenn 6bce88b9e7 Merge branch 'pleromafe-2.5.0' into 'develop'
Update PleromaFE bundle to 2.5.0

See merge request pleroma/pleroma!3815
2022-12-23 14:32:10 +00:00
Haelwenn (lanodan) Monnier 2c5bc9cffd Update PleromaFE bundle to 2.5.0 2022-12-23 15:01:49 +01:00
Haelwenn 99ff91584d Merge branch 'adminfe-2.5.0' into 'develop'
Update AdminFE bundle to version 2.5.0

See merge request pleroma/pleroma!3814
2022-12-23 13:48:35 +00:00
Haelwenn 718ff64c3b Merge branch 'fine_grained_moderation_privileges' into 'develop'
fine grained moderation privileges (continued)

See merge request pleroma/pleroma!3812
2022-12-23 13:48:07 +00:00
Sean King 90681c720d Make lint happy 2022-12-21 23:40:39 -07:00
Sean King 351b5a9df4 Use crazy hack to finally get pleroma:report notifications not visible after revoking privileges 2022-12-21 23:35:39 -07:00