moon
/
honkoma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
honkoma/lib/pleroma
History
Mark Felder 2c79509453 Resolve information disclosure vulnerability through emoji pack archive download endpoint 
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
 		2023-08-04 08:40:27 +02:00
..
activity Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
captcha Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
chat Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
config Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
conversation Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
docs Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
ecto_type EctoType: Add BareUri 2023-05-17 17:14:38 +02:00
emails Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
emoji Resolve information disclosure vulnerability through emoji pack archive download endpoint 2023-08-04 08:40:27 +02:00
gopher Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
gun Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
helpers Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
http Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
instances instances: Store some metadata based on NodeInfo 2023-03-16 09:02:20 +01:00
mfa Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
migration_helper Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
migrators Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
object Merge branch 'tusooa/fix-object-test' into 'develop' 2023-05-26 19:24:08 +02:00
password Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
reverse_proxy Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
telemetry Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
tesla/middleware Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
tests Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
upload Add OnlyMedia Upload Filter to simplify restricting uploads to audio, image, and video types 2023-05-29 15:49:04 -04:00
uploaders Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
user Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
web Merge branch 'tusooa/3154-attachment-type-check' into 'develop' 2023-08-03 10:01:32 +00:00
workers Merge branch 'from/upstream-develop/tusooa/backup-status' into 'develop' 2023-06-27 12:08:11 +00:00
activity.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
announcement.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
announcement_read_relationship.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
application.ex Fix rel="me" 2023-02-20 12:24:32 -05:00
application_requirements.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
bookmark.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
caching.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
captcha.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
chat.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
clippy.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
config.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
config_db.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
constants.ex Restrict attachments to only uploaded files only 2023-07-18 18:39:59 -04:00
conversation.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
counter_cache.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
data_migration.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
delivery.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
ecto_enums.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
emoji-test.txt emoji-test: update to latest 15.0 draft 2022-08-20 00:21:07 +02:00
emoji.ex Allow custom emoji reactions: Add pleroma_custom_emoji_reactions feature, review changes 2023-03-12 11:39:17 +03:00
filter.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
following_relationship.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
formatter.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
frontend.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
gun.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
hashtag.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
healthcheck.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
html.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
http.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
instances.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
job_queue_monitor.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
jwt.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
keys.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
list.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
logging.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
maintenance.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
maps.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
marker.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
mfa.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
moderation_log.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
notification.ex Require related object for notifications to filter on content 2023-02-20 12:27:50 -05:00
object.ex Fix emoji reactions for legacy 2-tuple formats 2023-03-26 15:12:40 -04:00
object_tombstone.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
otp_version.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
pagination.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
password_reset_token.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
registration.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
release_tasks.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
repo.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
report_note.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
reverse_proxy.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
scheduled_activity.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
signature.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
stats.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
thread_mute.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
upload.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
user.ex User: Remove ap_enabled field 2023-05-05 11:11:26 +02:00
user_invite_token.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
user_note.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
user_relationship.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
utils.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
web.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00
xml_builder.ex Revert "Merge branch 'copyright-bump' into 'develop'" 2023-01-02 20:38:50 +00:00