bcc528b2e2
By mapping all extensions related to our custom privileged types back to innocuous text/plain, our custom types will never automatically be inserted, which was one of the factors making impersonation possible. Note, this does not invalidate the upload and emoji Content-Type restrictions from previous commits. Apart from counterfeit AP objects there are other payloads with standard types this protects against, e.g. *.js JavaScript payloads as used in prior frontend injections.

| File |
|---|
| benchmark.exs |
| config.exs |
| custom_emoji.txt |
| description.exs |
| dev.exs |
| docker.exs |
| dokku.exs |
| prod.exs |
| test.exs |