Commit graph

8902 commits

Author SHA1 Message Date
Mint
535a5ecad0 CommonAPI: Prevent users from accessing media of other users
commit 1afde067b1 upstream.
2023-09-03 11:19:13 +02:00
Mae
fc10e07ffb Prevent XML parser from loading external entities 2023-08-05 08:23:04 +02:00
Haelwenn (lanodan) Monnier
bd7381f2f4 instance gen: Reduce permissions of pleroma directories and config files 2023-08-04 09:49:53 +02:00
Haelwenn (lanodan) Monnier
4befb3b1d0 Config: Restrict permissions of OTP config file 2023-08-04 09:49:53 +02:00
Mark Felder
18a0c923d0 Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
2023-08-04 08:39:55 +02:00
Mark Felder
4505bc1e58 Filter OEmbed HTML tags 2023-05-26 19:56:36 +02:00
tusooa
d0c2e0830b Enforce unauth restrictions for public streaming endpoints 2023-05-26 19:24:08 +02:00
Haelwenn
b36263e5ff Merge branch 'issue/3126' into 'develop'
MediaProxyController: Apply CSP sandbox

See merge request pleroma/pleroma!3890
2023-05-26 19:24:08 +02:00
Haelwenn
4339230f64 Merge branch 'tusooa/fix-object-test' into 'develop'
Fix ObjectTest

See merge request pleroma/pleroma!3887
2023-05-26 19:24:08 +02:00
Haelwenn
72833c84b5 Merge branch 'tusooa/rework-refetch' into 'develop'
Make sure object refetching follows update rules

See merge request pleroma/pleroma!3883
2023-05-26 19:24:08 +02:00
Haelwenn
e4288df502 Merge branch 'background-timeout' into 'develop'
Set background worker timeout to 15 minutes

See merge request pleroma/pleroma!3857
2023-03-30 12:48:35 +02:00
tusooa
40f14fd31c Merge branch 'remove-crypt' into 'develop'
Remove crypt(3) support

Closes #3030 and #3062

See merge request pleroma/pleroma!3847
2023-03-30 12:47:36 +02:00
Haelwenn
937df7e465 Merge branch 'fix/tag-feed-crashes' into 'develop'
fix: atom/rss feed issues

Closes #3045

See merge request pleroma/pleroma!3851
2023-03-30 12:46:35 +02:00
Haelwenn
d640df3927 Merge branch 'fix/static-fe-feed-500' into 'develop'
fix: remove static_fe pipeline for /users/:nickname/feed

See merge request pleroma/pleroma!3852
2023-03-30 12:45:39 +02:00
Haelwenn
22b72cd6b8 Merge branch 'tusooa/oban-common-pipeline' into 'develop'
Stop oban from retrying if validating errors occur when processing incoming data

See merge request pleroma/pleroma!3844
2023-03-30 12:43:58 +02:00
tusooa
e4925f813a
Sanitize filenames when uploading 2023-03-01 18:40:02 -05:00
tusooa
410d50afe5
Ignores in exiftool read descriptions 2023-02-20 12:30:36 -05:00
Alexander Tumin
c3a0703564
Require related object for notifications to filter on content 2023-02-20 12:27:50 -05:00
tusooa
8e8a0f005c
Fix inproper content being cached in report content 2023-02-20 12:26:16 -05:00
tusooa
1c225bfd6e
Allow customizing instance languages 2023-02-20 12:25:00 -05:00
Mark Felder
1b82fd95d4
Remove unwanted code specific to MIX_ENV=test 2023-02-20 12:24:38 -05:00
Mark Felder
88ce0e8b24
Fix rel="me"
Cachex for this was not started
2023-02-20 12:24:32 -05:00
tusooa
3ab3404817
Fix block_from_stranger setting 2023-02-20 12:21:27 -05:00
Lain Soykaf
d5125e6ce7
B StripLocation: Add test, work for all svgs. 2023-02-20 12:21:04 -05:00
Dmytro Poltavchenko
e8fca8882a
Added SVG to formats not compatible with exiftool 2023-02-20 12:21:04 -05:00
Haelwenn (lanodan) Monnier
3fbd42061c Revert "Delete report notifs when demoting from superuser"
This reverts commit 4504c81080.
2022-12-23 17:06:09 +01:00
Haelwenn (lanodan) Monnier
7d68d64d63 Merge back 2.4.5 2022-12-23 17:05:05 +01:00
Sean King
90681c720d
Make lint happy 2022-12-21 23:40:39 -07:00
Sean King
351b5a9df4
Use crazy hack to finally get pleroma:report notifications not visible after revoking privileges 2022-12-21 23:35:39 -07:00
Sean King
d5d4c7c11d Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-19 18:48:26 -07:00
lain
c6dff687c0 Merge branch 'from/upstream/develop/tusooa/mrf-updates' into 'develop'
MRFs with Updates

See merge request pleroma/pleroma!3808
2022-12-20 00:51:41 +00:00
Sean King
1d95012758 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-19 17:48:11 -07:00
lain
3dfa009ec3 Merge branch 'develop' into 'fix/2980-rss-feed-generation'
# Conflicts:
#   CHANGELOG.md
2022-12-19 23:43:23 +00:00
Mark Felder
72d4d1b392 Fix TwitterCard meta tags
TwitterCard meta tags are supposed to use the attributes "name" and "content".
OpenGraph tags use the attributes "property" and "content".

Twitter itself is smart enough to detect broken meta tags and discover the TwitterCard
using "property" and "content", but other platforms that only implement parsing of TwitterCards
and not OpenGraph may fail to correctly detect the tags as they're under the wrong attributes.

> "Open Graph protocol also specifies the use of property and content attributes for markup while
> Twitter cards use name and content. Twitter’s parser will fall back to using property and content,
> so there is no need to modify existing Open Graph protocol markup if it already exists." [0]

[0] https://developer.twitter.com/en/docs/twitter-for-websites/cards/guides/getting-started
2022-12-19 17:23:12 -05:00
Sean King
c58eb873dd
Fix CommonAPI delete function to use User.privileged? instead of User.superuser? 2022-12-18 22:05:07 -07:00
Sean King
60df2d8a97
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-18 22:03:48 -07:00
faried nawaz
0f67eab384
remove pub_date() -- use to_rfc2822 instead
_tag_activity.xml.eex used activity_content() instead
of activity_description(), and did not escape html properly.
2022-12-19 01:44:46 +05:00
faried nawaz
3f63caee2a
fix: add xmlns:thr for in-reply-to refs 2022-12-19 01:44:46 +05:00
faried nawaz
8d500977a6
fix: feed item title was escaped twice 2022-12-19 01:44:46 +05:00
Mark Felder
f3253c0c6a
Implement RFC2822 timestamp formatting 2022-12-19 01:44:46 +05:00
faried nawaz
3f0783c0a5
fix atom and rss feeds for users and tags
Changes:
  - make the XML closer to spec (RSS does not pass w3c's validator, but works)
  - fix dates (RFC3339 for Atom, doc says RFC822 for RSS but RFC1123 is closer)
  - fix attachment/enclosure links (but see below)
  - set feed item title to post's "summary" if present
  - pruned several elements that validators did not like
    - examples: ap_enabled, user banner urls.

Specs:
  - https://www.rssboard.org/rss-specification
  - https://validator.w3.org/feed/docs/atom.html
  - https://www.intertwingly.net/wiki/pie/Rss20AndAtom10Compared

Validators:
  - https://validator.w3.org/feed/
  - https://rssatom.com/feedvalidator.php

Attachment/enclosure links should have a "length" field (mandatory
according to the spec).  This is not present in the object's data
map.
2022-12-19 01:44:41 +05:00
tusooa
a3985aac91 Merge branch 'fix-2856' into 'develop'
Uploading an avatar media exceeding max size returns a 413

Closes #2856

See merge request pleroma/pleroma!3804
2022-12-16 16:15:36 +00:00
lain
301eb86b35 Merge branch 'update-deps' into 'develop'
Update to Phoenix 1.6, Elixir 1.11, and chase dependencies

See merge request pleroma/pleroma!3766
2022-12-16 00:36:59 +00:00
Lain Soykaf
bb27e4134b AudioVideoValidator: Fix embedded attachment requirements 2022-12-15 18:06:28 -05:00
Lain Soykaf
4a32b584e1 StatusView: Fix warning 2022-12-15 18:02:33 -05:00
Lain Soykaf
9838790a7d AttachmentValidator: Actually require url 2022-12-15 17:46:20 -05:00
Lain Soykaf
63d00f8123 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into update-deps 2022-12-15 17:19:36 -05:00
tusooa
2554028097
Make SimplePolicy Update-aware
This is inspired by d5828f1c5e
2022-12-15 11:57:45 -05:00
tusooa
dc7efcd08b
Make TagPolicy Update-aware
This is inspired by d5828f1c5e
2022-12-15 11:08:24 -05:00
tusooa
62c27e0164
Fix failure when registering a user with no email when approval required 2022-12-14 01:04:42 -05:00