Never automatically assign privileged content types
By mapping all extensions related to our custom privileged types back to innocuous text/plain, our custom types will never automatically be inserted, which was one of the factors making impersonation possible. Note: this does not invalidate the upload and emoji Content-Type restrictions from previous commits. Apart from counterfeit AP objects there are other payloads with standard types this protects against, e.g. *.js JavaScript payloads as used in prior frontend injections.
parent e88d0a2853
commit bcc528b2e2
1 changed file with 18 additions and 1 deletion
@ -149,6 +149,19 @@ config :logger, :ex_syslogger,
format: "$metadata[$level] $message",
format: "$metadata[$level] $message",
metadata: [:request_id]
metadata: [:request_id]
# ———————————————————————————————————————————————————————————————
# W A R N I N G
# ———————————————————————————————————————————————————————————————
#
# Whenever adding a privileged new custom type for e.g.
# ActivityPub objects, ALWAYS map their extension back
# to "application/octet-stream".
# Else files served by us can automatically end up with
# those privileged types causing severe security hazards.
# (We need those mappings so Phoenix can assoiate its format
# (the "extension") to incoming requests of those MIME types)
#
# ———————————————————————————————————————————————————————————————
config :mime, :types, %{
config :mime, :types, %{
"application/xml" => ["xml"],
"application/xml" => ["xml"],
"application/xrd+xml" => ["xrd+xml"],
"application/xrd+xml" => ["xrd+xml"],
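Review bot: the new warning block contradicts the code it is meant to guard. The lines `# ActivityPub objects, ALWAYS map their extension back` / `# to "application/octet-stream".` tell the next contributor to use application/octet-stream, while the `config :mime, :extensions` entries this same commit adds (and the commit message) map to text/plain. Pick one and make the comment match the map, otherwise the instruction will be followed literally and the two tables will drift apart. Also `assoiate` should be `associate`, and the nested parentheses in `# (We need those mappings so Phoenix can assoiate its format` / `# (the "extension") to incoming requests of those MIME types)` are unbalanced across the two lines; one pair around the whole sentence reads better.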
@ -158,9 +171,13 @@ config :mime, :types, %{
}
}
config :mime, :extensions, %{
config :mime, :extensions, %{
"activity+json" => "application/activity+json"
"xrd+xml" => "text/plain",
"jrd+json" => "text/plain",
"activity+json" => "text/plain"
}
}
# ———————————————————————————————————————————————————————————————
config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}
config :tesla, :adapter, {Tesla.Adapter.Finch, name: MyFinch}
# Configures http settings, upstream proxy etc.
# Configures http settings, upstream proxy etc.
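Review bot: nothing in the diff verifies the property this hunk establishes, so a later `config :mime, :types` addition without a matching `:extensions` entry would silently bring the privileged type back, which is exactly the failure the warning block above describes. Add a test that pins both directions for each of `"xrd+xml"`, `"jrd+json"` and `"activity+json"`: `MIME.from_path("upload.activity+json") == "text/plain"` for the serving direction, and `MIME.extensions("application/activity+json") == ["activity+json"]` for the Phoenix format lookup the comment says must keep working. Iterating over the extensions map in that test keeps it from going stale when a fourth type is added.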
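The mechanism the commit message describes, as an added illustration that is not Akkoma or Phoenix code and does not use the Elixir `mime` library: Python's stdlib `mimetypes` registers a type in both directions with one `add_type()` call, just as a `:types` entry does, so the extension-to-type direction has to be overridden separately while the type-to-format direction is left alone. The type list, the constructed sample filenames, the `nosniff` header and all function names are assumptions for this example; the `text/plain` target follows the commit.

```python
"""Why a privileged MIME type must not be reachable from a file extension.

Standalone illustration; not project code. Models the two lookup
directions that the commit's :types / :extensions config touches.
"""
import mimetypes
from typing import Dict, Optional

# Types the application interprets as protocol objects rather than as
# opaque downloads (the commit's "privileged" types). The extension is the
# app's format name for each type. Assumption: same names as the keys the
# commit puts in its :extensions map.
PRIVILEGED_TYPES: Dict[str, str] = {
    "application/activity+json": ".activity+json",
    "application/jrd+json": ".jrd+json",
    "application/xrd+xml": ".xrd+xml",
}

# The innocuous type the commit maps those extensions back to.
SAFE_TYPE = "text/plain"


def build_table() -> mimetypes.MimeTypes:
    """Fresh table with the privileged types registered.

    An app must register them to recognise the types on incoming requests,
    but add_type() also records ext -> type, so a user-chosen filename now
    resolves to a privileged type. That is the hazard the commit closes.
    """
    table = mimetypes.MimeTypes()
    for mime, ext in PRIVILEGED_TYPES.items():
        table.add_type(mime, ext)
    return table


def format_for_request(table: mimetypes.MimeTypes, content_type: str) -> Optional[str]:
    """type -> format name; the direction that must keep working.

    Strips parameters such as "; charset=utf-8" before the lookup.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = table.guess_extension(media_type)
    return ext.lstrip(".") if ext else None


def naive_serving_type(table: mimetypes.MimeTypes, filename: str) -> str:
    """ext -> type taken at face value: an uploader who names a file
    'counterfeit.activity+json' gets it served as an ActivityPub object."""
    guessed, _encoding = table.guess_type(filename)
    return guessed or "application/octet-stream"


def hardened_serving_type(table: mimetypes.MimeTypes, filename: str) -> str:
    """ext -> type with the commit's rule applied: an extension that would
    resolve to a privileged type is served as SAFE_TYPE instead. The
    type -> ext direction is untouched, so request parsing still works."""
    guessed = naive_serving_type(table, filename)
    return SAFE_TYPE if guessed in PRIVILEGED_TYPES else guessed


def response_headers(table: mimetypes.MimeTypes, filename: str) -> Dict[str, str]:
    """Headers for serving a user-supplied file. nosniff (assumed here, not
    part of the commit) stops a browser second-guessing the chosen type."""
    return {
        "Content-Type": hardened_serving_type(table, filename),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    t = build_table()
    # Constructed sample uploads; the second is an attacker-chosen name.
    for name in ("avatar.png", "counterfeit.activity+json"):
        print(f"{name:28} naive={naive_serving_type(t, name):28} "
              f"hardened={hardened_serving_type(t, name)}")
    print("request format for application/activity+json ->",
          format_for_request(t, "application/activity+json; charset=utf-8"))
```

Run it and the naive column shows the attacker's file coming back as `application/activity+json`, the hardened column shows `text/plain`, and the request-side lookup still yields `activity+json`, which is the split the commit's comment block asks for.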