Merge branch 'fix/2087-metadata' into 'develop'
Fix/2087 metadata See merge request pleroma/secteam/pleroma!11
parent
74d46a1b09
commit
13e606941c
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -5,6 +5,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
|
|
||||||
## unreleased-patch - ???
|
## unreleased-patch - ???
|
||||||
|
|
||||||
|
### Security
|
||||||
|
- Fix metadata leak for accounts and statuses on private instances
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a <link> header tag for the actual RSS/Atom feed when the instance is public.
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Rich media failure tracking (along with `:failure_backoff` option)
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
|
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
|
||||||
|
|
||||||
|
|
|
@ -453,9 +453,7 @@
|
||||||
config :pleroma, Pleroma.Web.Metadata,
|
config :pleroma, Pleroma.Web.Metadata,
|
||||||
providers: [
|
providers: [
|
||||||
Pleroma.Web.Metadata.Providers.OpenGraph,
|
Pleroma.Web.Metadata.Providers.OpenGraph,
|
||||||
Pleroma.Web.Metadata.Providers.TwitterCard,
|
Pleroma.Web.Metadata.Providers.TwitterCard
|
||||||
Pleroma.Web.Metadata.Providers.RelMe,
|
|
||||||
Pleroma.Web.Metadata.Providers.Feed
|
|
||||||
],
|
],
|
||||||
unfurl_nsfw: false
|
unfurl_nsfw: false
|
||||||
|
|
||||||
|
|
|
@ -352,8 +352,6 @@ config :pleroma, Pleroma.Web.MediaProxy.Invalidation.Http,
|
||||||
* `providers`: a list of metadata providers to enable. Providers available:
|
* `providers`: a list of metadata providers to enable. Providers available:
|
||||||
* `Pleroma.Web.Metadata.Providers.OpenGraph`
|
* `Pleroma.Web.Metadata.Providers.OpenGraph`
|
||||||
* `Pleroma.Web.Metadata.Providers.TwitterCard`
|
* `Pleroma.Web.Metadata.Providers.TwitterCard`
|
||||||
* `Pleroma.Web.Metadata.Providers.RelMe` - add links from user bio with rel=me into the `<header>` as `<link rel=me>`.
|
|
||||||
* `Pleroma.Web.Metadata.Providers.Feed` - add a link to a user's Atom feed into the `<header>` as `<link rel=alternate>`.
|
|
||||||
* `unfurl_nsfw`: If set to `true` nsfw attachments will be shown in previews.
|
* `unfurl_nsfw`: If set to `true` nsfw attachments will be shown in previews.
|
||||||
|
|
||||||
### :rich_media (consumer)
|
### :rich_media (consumer)
|
||||||
|
|
|
@ -9,7 +9,15 @@ defmodule Pleroma.Web.Feed.TagController do
|
||||||
alias Pleroma.Web.ActivityPub.ActivityPub
|
alias Pleroma.Web.ActivityPub.ActivityPub
|
||||||
alias Pleroma.Web.Feed.FeedView
|
alias Pleroma.Web.Feed.FeedView
|
||||||
|
|
||||||
def feed(conn, %{"tag" => raw_tag} = params) do
|
def feed(conn, params) do
|
||||||
|
unless Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do
|
||||||
|
render_feed(conn, params)
|
||||||
|
else
|
||||||
|
render_error(conn, :not_found, "Not found")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def render_feed(conn, %{"tag" => raw_tag} = params) do
|
||||||
{format, tag} = parse_tag(raw_tag)
|
{format, tag} = parse_tag(raw_tag)
|
||||||
|
|
||||||
activities =
|
activities =
|
||||||
|
|
|
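Review bot: `render_feed/2` is introduced as a public `def`, so the ungated implementation sits next to the gated `feed/2` action where any later route or caller can target it directly. The same applies to `render_feed/2` in the user feed controller section of this commit. Declaring both private, e.g. `defp render_feed(conn, %{"tag" => raw_tag} = params) do`, keeps `feed/2` as the only entry point that reaches feed rendering. The gate would also read more directly as an `if` on `Pleroma.Config.restrict_unauthenticated_access?(:activities, :local)` with the `render_error` branch first, since `unless … else` makes the reader invert the condition twice. The body of `render_feed/2` continues outside the hunk.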
@ -37,7 +37,15 @@ def feed_redirect(conn, %{"nickname" => nickname}) do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def feed(conn, %{"nickname" => nickname} = params) do
|
def feed(conn, params) do
|
||||||
|
unless Pleroma.Config.restrict_unauthenticated_access?(:profiles, :local) do
|
||||||
|
render_feed(conn, params)
|
||||||
|
else
|
||||||
|
errors(conn, {:error, :not_found})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def render_feed(conn, %{"nickname" => nickname} = params) do
|
||||||
format = get_format(conn)
|
format = get_format(conn)
|
||||||
|
|
||||||
format =
|
format =
|
||||||
|
|
|
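Review bot: The user feed is gated only on `restrict_unauthenticated_access?(:profiles, :local)`, while the tag feed in this commit is gated on `(:activities, :local)`. If the user feed also lists the user's statuses, an instance that restricts activities but not profiles would still serve them here. This needs confirming, because the body of `render_feed/2` is outside the hunk, although the new controller test does post a status before requesting the feed. Checking both keys would close that gap, e.g. `if Pleroma.Config.restrict_unauthenticated_access?(:profiles, :local) or Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do`. Neither gate inspects `conn`, so the 404 presumably applies to authenticated requests as well; a short comment stating that this is intended would help the next reader.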
@ -7,8 +7,9 @@ defmodule Pleroma.Web.Metadata do
|
||||||
|
|
||||||
def build_tags(params) do
|
def build_tags(params) do
|
||||||
providers = [
|
providers = [
|
||||||
|
Pleroma.Web.Metadata.Providers.RelMe,
|
||||||
Pleroma.Web.Metadata.Providers.RestrictIndexing
|
Pleroma.Web.Metadata.Providers.RestrictIndexing
|
||||||
| Pleroma.Config.get([__MODULE__, :providers], [])
|
| activated_providers()
|
||||||
]
|
]
|
||||||
|
|
||||||
Enum.reduce(providers, "", fn parser, acc ->
|
Enum.reduce(providers, "", fn parser, acc ->
|
||||||
|
@ -42,4 +43,12 @@ def activity_nsfw?(%{data: %{"sensitive" => sensitive}}) do
|
||||||
def activity_nsfw?(_) do
|
def activity_nsfw?(_) do
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp activated_providers do
|
||||||
|
unless Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do
|
||||||
|
[Pleroma.Web.Metadata.Providers.Feed | Pleroma.Config.get([__MODULE__, :providers], [])]
|
||||||
|
else
|
||||||
|
[]
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
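Review bot: `Pleroma.Web.Metadata.Providers.RelMe` is now prepended unconditionally in `build_tags/1`, outside the `activated_providers/0` gate, so it still runs on a restricted instance. The changelog says RelMe should always be active, but the removed docs line describes its output as links taken from the user's bio. The new test "no metadata for private instances" uses a bio with no links, so its `""` assertion does not exercise that path. Either move RelMe inside the gate, or add a test whose bio contains a rel=me link plus a comment on `build_tags/1` saying why exposing those links on a private instance is acceptable. `activated_providers/0` would also read more directly as `if … do [] else [Pleroma.Web.Metadata.Providers.Feed | …] end`; the rest of `build_tags/1` lies outside the hunk.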
@ -181,4 +181,17 @@ test "gets a feed (RSS)", %{conn: conn} do
|
||||||
'yeah #PleromaArt'
|
'yeah #PleromaArt'
|
||||||
]
|
]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "private instance" do
|
||||||
|
setup do: clear_config([:instance, :public])
|
||||||
|
|
||||||
|
test "returns 404 for tags feed", %{conn: conn} do
|
||||||
|
Config.put([:instance, :public], false)
|
||||||
|
|
||||||
|
conn
|
||||||
|
|> put_req_header("accept", "application/rss+xml")
|
||||||
|
|> get(tag_feed_path(conn, :feed, "pleromaart"))
|
||||||
|
|> response(404)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -246,4 +246,20 @@ test "with non-html / non-json format, it returns error when user is not found",
|
||||||
assert response == ~S({"error":"Not found"})
|
assert response == ~S({"error":"Not found"})
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "private instance" do
|
||||||
|
setup do: clear_config([:instance, :public])
|
||||||
|
|
||||||
|
test "returns 404 for user feed", %{conn: conn} do
|
||||||
|
Config.put([:instance, :public], false)
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, _} = CommonAPI.post(user, %{status: "test"})
|
||||||
|
|
||||||
|
assert conn
|
||||||
|
|> put_req_header("accept", "application/atom+xml")
|
||||||
|
|> get(user_feed_path(conn, :feed, user.nickname))
|
||||||
|
|> response(404)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -22,4 +22,13 @@ test "for local user" do
|
||||||
"<meta content=\"noindex, noarchive\" name=\"robots\">"
|
"<meta content=\"noindex, noarchive\" name=\"robots\">"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "no metadata for private instances" do
|
||||||
|
test "for local user" do
|
||||||
|
clear_config([:instance, :public], false)
|
||||||
|
user = insert(:user, bio: "This is my secret fedi account bio")
|
||||||
|
|
||||||
|
assert "" = Pleroma.Web.Metadata.build_tags(%{user: user})
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|