Commit graph

89 commits

Author SHA1 Message Date
Oneric
0ec62acb9d Always insert Dedupe upload filter
This actually was already intended before to eradicate all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.

Even without Dedupe, the upload path is prefixed by a UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigans occur, uploads
reliably work and save some disk space.

While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successful preimage attack against
SHA-256, which is deemed infeasible for the foreseeable future.

Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridden by whatever the
config generated by the "pleroma.instance gen" task chose.

Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
Oneric
fef773ca35 Drop media base_url default and recommend different domain
Same-domain setups have now enabled at least two exploits,
so they ought to be discouraged and definitely not be the default.
2024-03-18 22:33:10 -01:00
FloatingGhost
0b2ec0ccee Enable AnonymizeFilenames on all uploads 2023-08-04 15:37:15 +01:00
ilja
6c396fcab4 Remove "default" image description
When no image description is filled in, Pleroma allowed fallbacks.
Those were (based on a setting) either the filename, or a fixed description.
Neither are good options for image descriptions imo, so here we remove this.

Note that there are two tests removed that supposedly tested something else.
But examining closer, they didn't seem to test what they claimed to test,
so I removed them rather than try to "fix" them.
2023-03-12 08:42:33 +01:00
floatingghost
07a48b9293 giant massive dep upgrade and dialyxir-found error emporium (#371)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/371
2022-12-14 12:38:48 +00:00
floatingghost
2641dcdd15 Post editing (#202)
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/202
2022-09-06 19:24:02 +00:00
Alex Gleason
f2134e605b Merge remote-tracking branch 'pleroma/develop' into cycles-base-url 2021-05-31 16:49:46 -05:00
Alex Gleason
51a9f97e87 Deprecate Pleroma.Web.base_url/0
Use Pleroma.Web.Endpoint.url/0 directly instead. Reduces compiler cycles.
2021-05-31 16:48:03 -05:00
Alex Gleason
543e9402d6 Support blurhash 2021-05-14 09:07:16 -05:00
Alex Gleason
ab9eabdf20 Add SetMeta filter to store uploaded image sizes 2021-05-12 15:07:31 -05:00
feld
2926713fe5 Merge branch 'deprecate-public_endpoint' into 'develop'
Deprecate Uploaders.S3, :public_endpoint

See merge request pleroma/pleroma!3251
2021-01-20 22:48:48 +00:00
Mark Felder
f0ab60189e truncated_namespace should default to nil 2021-01-13 11:54:00 -06:00
Haelwenn (lanodan) Monnier
c4439c630f Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Mark Felder
c35e6fb516 Provide a non-nil fallback for Upload.base_url/0 for tests using TestUploaderSuccess as the uploader 2021-01-12 16:34:24 -06:00
Mark Felder
12528edc34 Fix another ad-hoc construction of the upload base_url 2021-01-12 16:32:52 -06:00
feld
fa63f1b55b Apply 4 suggestion(s) to 2 file(s) 2021-01-10 01:34:54 +00:00
Mark Felder
e8bf060e6e Move construction of S3 base URL with optional namespace and bucket to Upload.base_url/0
Now we should have a correct base URL for S3 hosted objects throughout the codebase.
2021-01-08 17:32:42 -06:00
Mark Felder
530fb5b29e Avoid duplicate Config calls 2021-01-08 17:32:42 -06:00
Mark Felder
ad79983614 Fix URL generated for backup files, try to create a source of truth we can reuse throughout the codebase 2021-01-08 17:32:42 -06:00
Mark Felder
55562ca936 Merge branch 'develop' into feature/gen-magic 2020-09-10 16:05:22 -05:00
lain
aabc26a573 Pleroma.Upload: Set default upload name / description based on config. 2020-08-18 13:21:30 +02:00
lain
af7720237b Upload: Restrict description length 2020-07-06 11:08:13 +02:00
href
f124f68205 Switch from gen_magic to majic, use Majic.Plug, remove Pleroma.MIME 2020-06-16 15:27:27 +02:00
lain
cc0d462e91 Attachments: Have the mediaType on the root, too. 2020-05-21 15:08:56 +02:00
Egor Kislitsyn
6802dc28ba Add OpenAPI spec for PleromaAPI.AccountController 2020-05-13 19:06:46 +04:00
Mark Felder
05da5f5cca Update Copyrights 2020-03-03 16:44:49 -06:00
Alexander Strizhakov
32d1e04817 ActivityPub actions & side-effects in transaction 2020-03-01 12:01:39 +03:00
Haelwenn (lanodan) Monnier
3c6fd0bb99 upload.ex: Remove deprecated configuration 2019-10-18 12:34:09 +02:00
feld
84fca14c3c Do not prepend /media/ when using base_url
This ensures admin has full control over the path where media resides.
2019-07-24 15:35:25 +00:00
Haelwenn (lanodan) Monnier
69a5074893 Remove H1 in @moduledoc 2019-05-06 04:53:12 +02:00
rinpatch
e2fe796c63 Add some tests 2019-03-14 22:02:48 +03:00
rinpatch
5a73cae2be WIP: Stop mangling filenames 2019-03-12 09:10:19 +03:00
rinpatch
4263edc9c9 Properly escape reserved URI characters in upload urls 2019-03-05 18:09:23 +03:00
Haelwenn (lanodan) Monnier
106f4e7a0f Credo fixes: parameter consistency 2019-02-09 14:59:20 +01:00
Mark Felder
0c08bd4181 Update Mogrify docs and warning for deprecated syntax to encourage
users to enable both strip and auto-orient
2019-02-03 16:39:42 +00:00
lambda
646bb87816 Merge branch 'fix/elixir-1-8-type-annotation' into 'develop'
Fix Elixir 1.8 type annotation issue

Closes #523

See merge request pleroma/pleroma!668
2019-01-15 08:51:59 +00:00
Haelwenn (lanodan) Monnier
9fcdca1bdc Upload: Fix uploading with a : in the filename 2019-01-15 07:57:48 +01:00
Haelwenn (lanodan) Monnier
e3eb75bd23 Upload: Fix uploading with a ? in the filename 2019-01-15 07:40:39 +01:00
Maxim Filippov
e8eff9fe03 Fix Elixir 1.8 type annotation issue 2019-01-15 02:58:48 +02:00
Shadowfacts
42b7584068 URI escape file upload URLs 2019-01-14 11:31:44 -05:00
William Pitcock
980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock
2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
Maksim Pechnikov
e94c3442f4 updates 2018-12-10 13:27:37 +03:00
Maksim Pechnikov
074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
href
65e7307d68 Upload: bring back base_url 2018-11-30 18:02:50 +01:00
href
5d92431350 Fix deprecation warnings 2018-11-30 18:02:50 +01:00
href
02d3dc6869 Uploads fun, part. 2 2018-11-30 18:02:37 +01:00
href
b19597f602 reverse proxy / uploads 2018-11-30 18:00:47 +01:00
rinpatch
0d229613df Fix lint error 2018-11-27 19:07:58 +03:00
rinpatch
7f20a3cf1f Add Theora detection to upload.ex 2018-11-27 17:51:02 +03:00