akkoma/test/pleroma
Mark Felder 18a0c923d0 Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded, which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
2023-08-04 08:39:55 +02:00
activity Make local-only posts stream in local timeline 2022-11-27 04:39:32 +01:00
bbs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
chat Copyright bump for 2022 2022-02-25 23:11:42 -07:00
config Remove Quack logging backend 2022-11-11 12:36:29 -05:00
conversation fix flaky participation_test.exs 2022-08-25 18:36:46 +00:00
docs Pass in msgctxt for config translation strings 2022-07-14 17:41:33 -04:00
ecto_type/activity_pub/object_validators Copyright bump for 2022 2022-02-25 23:11:42 -07:00
emails Merge branch 'from/upstream-develop/tusooa/translate-pages' into 'develop' 2022-03-20 18:14:37 +00:00
emoji Resolve information disclosure vulnerability through emoji pack archive download endpoint 2023-08-04 08:39:55 +02:00
gun Copyright bump for 2022 2022-02-25 23:11:42 -07:00
http Copyright bump for 2022 2022-02-25 23:11:42 -07:00
instances Copyright bump for 2022 2022-02-25 23:11:42 -07:00
integration Merge branch 'release/2.4.4' into mergeback/2.4.4 2022-10-08 22:15:09 -04:00
mfa Copyright bump for 2022 2022-02-25 23:11:42 -07:00
migration_helper Copyright bump for 2022 2022-02-25 23:11:42 -07:00
object Merge branch 'tusooa/rework-refetch' into 'develop' 2023-05-26 19:24:08 +02:00
password Copyright bump for 2022 2022-02-25 23:11:42 -07:00
repo/migrations Copyright bump for 2022 2022-02-25 23:11:42 -07:00
upload Ignores in exiftool read descriptions 2023-02-20 12:30:36 -05:00
uploaders Copyright bump for 2022 2022-02-25 23:11:42 -07:00
user Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-18 22:03:48 -07:00
web Filter OEmbed HTML tags 2023-05-26 19:56:36 +02:00
workers Merge branch 'tusooa/oban-common-pipeline' into 'develop' 2023-03-30 12:43:58 +02:00
activity_test.exs Skip two unicode/kanji tests that can't pass on Mac. 2022-11-27 03:12:34 +00:00
announcement_read_relationship_test.exs Implement announcement read relationships 2022-03-08 13:09:49 -05:00
announcement_test.exs Format announcements into html 2022-03-08 23:00:51 -05:00
application_requirements_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
bookmark_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
captcha_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
chat_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
config_db_test.exs Remove Quack logging backend 2022-11-11 12:36:29 -05:00
config_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
conversation_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
emoji_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
filter_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
following_relationship_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
formatter_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
frontend_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
hashtag_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
healthcheck_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
html_test.exs scrubbers: Scrub img class attribute 2022-11-27 04:04:17 +01:00
http_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
instances_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
job_queue_monitor_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
keys_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
list_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
marker_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
mfa_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
moderation_log_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
notification_test.exs Require related object for notifications to filter on content 2023-02-20 12:27:50 -05:00
object_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
otp_version_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
pagination_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
registration_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
repo_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
report_note_test.exs Fix long report notes giving errors on creation 2022-06-02 01:28:39 -04:00
resilience_test.exs Resilience Test: Add notification check for killing likes. 2021-01-06 12:49:18 +01:00
reverse_proxy_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
runtime_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
safe_jsonb_set_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
scheduled_activity_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
signature_test.exs fix resolution of GTS user keys 2022-11-27 04:54:18 +01:00
stats_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
upload_test.exs Add object id to uploaded attachments 2022-06-08 11:05:48 -04:00
user_invite_token_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
user_relationship_test.exs fix flaky test_user_relationship_test.exs:81 2022-08-24 15:24:07 +00:00
user_search_test.exs User: search: exclude deactivated users from user search 2022-09-16 00:49:16 +03:00
user_test.exs Revert "Delete report notifs when demoting from superuser" 2022-12-23 17:06:09 +01:00
utils_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00
xml_builder_test.exs Copyright bump for 2022 2022-02-25 23:11:42 -07:00