Commit graph

45 commits

Author SHA1 Message Date
Mark Felder
18a0c923d0 Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
2023-08-04 08:39:55 +02:00
Hélène
7167de592e
Emoji: apply recommended tail call changes
Behavior matches previous code.

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
2022-07-27 02:08:46 +02:00
Hélène
b99f5d6183
Emoji: split qualification variation into a module 2022-07-26 02:04:12 +02:00
Sean King
17aa3644be
Copyright bump for 2022 2022-02-25 23:11:42 -07:00
a1batross
31b9034a27 emoji/loader.ex: be more verbose about which emoji pack config is loading now
To avoid issue when one of the hundred JSON files is malformed and
administrator don't know which one
2021-12-17 14:15:44 +00:00
Haelwenn (lanodan) Monnier
a17910a6c6
CI: Bump lint stage to elixir-1.12
Elixir 1.12 changed formatting rules, this allows to avoid having to rollback to run `mix format`
2021-10-06 08:11:05 +02:00
Alex Gleason
51a9f97e87
Deprecate Pleroma.Web.base_url/0
Use Pleroma.Web.Endpoint.url/0 directly instead. Reduces compiler cycles.
2021-05-31 16:48:03 -05:00
Mark Felder
bf9cd4a0e2 Standardize the way we capture and use Mix.env() 2021-02-04 10:13:03 -06:00
Mark Felder
887db076b5 Load an emoji.txt specific to the test env 2021-02-03 16:40:59 -06:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Roger Braun
48cd336a72 allow external emoji 2021-01-06 10:13:01 -06:00
lain
95a9bdfc37 Tests: Use NullCache for async tests.
Caching can't work in async tests, so for them it is mocked to a
null cache that is always empty. Synchronous tests are stubbed
with the real Cachex, which is emptied after every test.
2020-12-18 19:53:19 +01:00
lain
713612c377 Cachex: Make caching provider switchable at runtime.
Defaults to Cachex.
2020-12-18 17:44:46 +01:00
Maksim Pechnikov
e1d25bad0c fix tests 2020-11-16 21:45:37 +03:00
Maksim Pechnikov
1830b6aae5 added error messages for posix error code 2020-11-13 15:21:59 +03:00
Ekaterina Vaartis
8f00d90f91 Use Pleroma.HTTP instead of Tesla
Closes #2275

As discovered in the issue, captcha used Tesla.get instead of
Pleroma.HTTP. I've also grep'ed the repo and changed the other place
where this was used.
2020-11-01 12:05:39 +03:00
Mark Felder
8539e386c3 Add missing Copyright headers 2020-10-12 12:00:50 -05:00
Alexander Strizhakov
8c6ec4c111
pack routes change 2020-09-24 09:16:14 +03:00
Alexander Strizhakov
dbbc801667
pagination for remote emoji packs 2020-09-24 09:12:39 +03:00
Alexander Strizhakov
9b6d89ff8c
support for special chars in pack name 2020-09-24 09:12:37 +03:00
Maksim
489a107cf4 Apply 1 suggestion(s) to 1 file(s) 2020-09-13 11:54:15 +00:00
Maksim
b267b751d4 Apply 1 suggestion(s) to 1 file(s) 2020-08-25 05:38:25 +00:00
Maksim Pechnikov
14ec12ac95 added tests 2020-08-24 15:01:45 +03:00
Maksim Pechnikov
f5845ff033 upload emoji zip file 2020-08-22 10:42:02 +03:00
Mark Felder
d23804f191 Use the Pleroma.Config alias 2020-07-09 10:53:51 -05:00
Alexander Strizhakov
aae1af8cf1
fix for emoji pagination in pack show 2020-06-24 18:06:30 +03:00
Alexander Strizhakov
1a704e1f1e
fix for packs pagination 2020-06-20 10:56:28 +03:00
Alexander Strizhakov
3e3f9253e6
adding overall count for packs and files 2020-06-19 10:17:24 +03:00
Alexander Strizhakov
4975ed86bc
emoji pagination for pack show action 2020-06-18 18:50:03 +03:00
Alexander Strizhakov
3becdafd33
emoji packs pagination 2020-06-18 14:32:21 +03:00
Mark Felder
95f6240889 Fix minor spelling error 2020-05-27 14:34:37 -05:00
Egor Kislitsyn
8bde8dfec2
Cleanup Pleroma.Emoji.Pack 2020-05-18 19:43:23 +04:00
Egor Kislitsyn
6e4de715b3
Add OpenAPI spec for PleromaAPI.EmojiAPIController 2020-05-18 19:28:46 +04:00
Alexander Strizhakov
36abeedf9f
error rename 2020-04-30 16:09:22 +03:00
Alexander Strizhakov
ddb757f743
emoji api packs changes in routes with docs update 2020-04-30 16:09:18 +03:00
Alexander Strizhakov
342f55fb92
refactor emoji api with fixes 2020-04-30 15:45:52 +03:00
Haelwenn (lanodan) Monnier
9172d719cc
profile emojis in User.emoji instead of source_data 2020-04-10 06:20:02 +02:00
Mark Felder
05da5f5cca Update Copyrights 2020-03-03 16:44:49 -06:00
Ekaterina Vaartis
1fd9c60f87 Fix emoji tags for shareable packs to be "pack:{name}" 2019-09-25 12:34:03 +02:00
Maksim Pechnikov
1a858134ed Merge branch 'develop' into issue/1218 2019-09-25 12:24:12 +03:00
Maksim Pechnikov
6ef0103ca0 added Emoji struct 2019-08-31 10:14:53 +03:00
Maksim Pechnikov
d8098d142a added Emoji.Formatter 2019-08-30 22:04:17 +03:00
Maksim
5c90b70733 Apply suggestion to lib/pleroma/emoji/loader.ex 2019-08-30 07:30:54 +03:00
Maksim Pechnikov
d7808b5db4 added code\path fields without html tags in ets 2019-08-30 07:30:54 +03:00
Maksim Pechnikov
cef2e980b1 division emoji.ex on loader.ex and emoji.ex 2019-08-30 07:30:54 +03:00