f5978da676
HTTPSignaturePlugTest: Rewrite to use mox.
2024-05-28 14:00:25 +04:00
3b4be5daa2
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into pleroma-secure-mode
2024-05-28 12:31:12 +04:00
687ac4a850
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into auth-fetch-exception
2024-05-27 23:09:17 +04:00
121791882f
Merge branch 'explicitly-allow-unsafe-2' into 'develop'
...
Explicitly allow unsafe 2
See merge request pleroma/pleroma!4125
2024-05-27 18:43:05 +00:00
81e44ced0c
HTTPSecurityPlug: Fix tests
2024-05-27 22:13:20 +04:00
1c699144d2
HttpSecurityPlug: Don't allow unsafe-eval by default
2024-05-27 21:26:40 +04:00
c67506ba68
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into auth-fetch-exception
2024-05-20 18:21:46 +04:00
40823462e7
Logger metadata for request path and authenticated user
2024-03-19 12:15:10 -04:00
97c4d3bcc9
Pleroma.Web.Plugs.RateLimiter.Supervisor: dialyzer error
...
lib/pleroma/web/plugs/rate_limiter/supervisor.ex:12:no_return
Function init/1 has no local return.
2024-01-31 13:12:56 -05:00
5b95abaeea
Credo.Check.Readability.PredicateFunctionNames
...
This check was recently improved in Credo and it does make sense for readability.
The offending functions in Pleroma have been renamed and a couple missing the ? suffix have been fixed as well.
2024-01-26 16:59:58 -05:00
18d38486a5
InetCidr.parse/2 is deprecated
2024-01-26 15:57:50 -05:00
017e35fbf1
Fix some more typos
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-12-28 00:17:04 +01:00
9896b64f54
Elixir 1.15: Chase the Logger.warn deprecation
2023-12-20 20:16:26 +00:00
086ba59d03
HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions
2023-12-16 19:25:51 +01:00
f271ea6e43
Move Plugs.RemoteIP.maybe_add_cidr/1 to InetHelper.parse_cidr/1
2023-12-16 18:23:26 +01:00
3d09bc320e
Make lint happy
2023-08-30 20:36:52 -04:00
1e685c8302
Merge branch 'csp-flash' into 'develop'
...
allow https: so that flash works across instances without need for media proxy
See merge request pleroma/pleroma!3879
2023-08-16 13:37:49 +00:00
d838d1990b
Apply lanodan's suggestion(s) to 1 file(s)
2023-08-16 13:34:32 +00:00
dd9f8150fc
Merge Revert "Merge branch 'validate-host' into 'develop'"
...
This reverts commit d998a114e2da6b4003ac
2023-06-22 21:28:25 +02:00
a5a354a36e
Prevent bypassing authorized fetch mode with a json file
2023-06-21 23:10:56 -06:00
b3c3bd99c3
Switch from serving a 400 to a 302
2023-05-30 16:56:09 -04:00
da7394f33b
Fix unused assignment
2023-05-29 15:09:31 -04:00
a60dd0d92d
Validate Host header matches expected value before allowing access to Uploads
2023-05-29 14:16:03 -04:00
2a07411b0c
keep the websocket url for all modes
2023-05-07 15:34:17 +03:00
f50fd9278f
reduce redundant reduntancy reduction
2023-05-07 15:29:19 +03:00
f8ef4924ec
fix whitespace
2023-05-07 15:24:09 +03:00
c0d11da2d8
conditionally set csp depnding on media-proxy state
2023-05-07 15:16:30 +03:00
675639225a
allow https: so that flash works across instances without need for media proxy
2023-04-28 11:13:42 +00:00
2148ef5e2f
UploadedMedia: Increase readability via ~s sigil
2023-04-18 00:12:42 +02:00
8f0f58e28b
UploadedMedia: Add missing disposition_type to Content-Disposition
...
Set it to `inline` because the vast majority of what's sent is multimedia
content while `attachment` would have the side-effect of triggering a
download dialog.
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3114
2023-04-18 00:09:19 +02:00
5716654d12
Remove crypt(3) support
...
This was used to support migration from GNU Social, which was used by at least
shitposter.club, should be entirely irrelevant now.
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3030
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3062
2023-03-05 01:37:57 +01:00
e853cfe7c3
Revert "Merge branch 'copyright-bump' into 'develop'"
...
This reverts merge request !3825
2023-01-02 20:38:50 +00:00
10886eeaa2
Bump copyright year
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-01-01 12:13:06 +01:00
6e51845d44
Merge remote-tracking branch 'pleroma/develop' into secure-mode
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-12-27 16:41:16 +01:00
60df2d8a97
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges
2022-12-18 22:03:48 -07:00
a31d3589ed
Update http_security_plug.ex
2022-11-17 12:03:01 -05:00
79bd363a68
Update lib/pleroma/web/plugs/http_security_plug.ex
2022-11-17 12:03:01 -05:00
db76ea578a
try to fix ruffle on chrome
2022-11-17 12:03:01 -05:00
bdedc41cbc
Fix typo in CSP Report-To header name
...
The header name was Report-To, not Reply-To.
In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177
CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to
It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/
(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 09:43:13 +01:00
f8afba95b2
Merge branch 'fix/gts-federation' into 'develop'
...
GoToSocial federation fixes
See merge request pleroma/pleroma!3725
2022-09-05 01:10:34 +00:00
439c1baf25
OAuthPlug: use user cache instead of joining
...
As this plug is called on every request, this should reduce load on the
database by not requiring to select on the users table every single
time, and to instead use the by-ID user cache whenever possible.
2022-08-24 03:40:05 +02:00
61254111e5
HttpSignaturePlug: accept standard (request-target)
...
The (request-target) used by Pleroma is non-standard, but many HTTP
signature implementations do it this way due to a misinterpretation of
the draft 06 of HTTP signatures: "path" was interpreted as not having
the query, though later examples show that it must be the absolute path
with the query part of the URL as well.
This behavior is kept to make sure most software (Pleroma itself,
Mastodon, and probably others) do not break, but Pleroma now accepts
signatures for a (request-target) containing the query, as expected by
many HTTP signature libraries, and clarified in the draft 11 of HTTP
signatures.
Additionally, the new draft renamed (request-target) to @request-target.
We now support both for incoming requests' signatures.
2022-08-18 17:01:34 +02:00
c899af1d6a
Reject requests from specified instances if `authorized_fetch_mode` is enabled
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-08-05 11:06:30 +02:00
c0e4b1b3e2
Fix typo's
...
priviledge |-> privilege
2022-07-02 07:52:39 +02:00
5a65e2dac5
Remove privileged_staff
...
Everything that was done through this setting, can now be set by giving the proper privileges to the roles.
2022-06-21 12:10:27 +02:00
5b19543f0a
Add new setting and Plug to allow for privilege settings for staff
2022-06-21 12:10:26 +02:00
57c030a0a7
Skip cache when /objects or /activities is authenticated
...
Ref: fix-local-public
2022-05-06 10:23:26 +02:00
e2d24eda57
Allow to skip cache in Cache plug
...
Ref: fix-local-public
2022-05-06 10:23:26 +02:00
d7c53da77a
Merge branch 'from/upstream-develop/tusooa/translate-pages' into 'develop'
...
Translate backend-rendered pages
See merge request pleroma/pleroma!3634
2022-03-20 18:14:37 +00:00
aca11fb70e
Support multiple locales from userLanguage cookie
2022-03-03 02:31:36 -05:00
Lain Soykaf