Lain Soykaf
f5978da676
HTTPSignaturePlugTest: Rewrite to use mox.
2024-05-28 14:00:25 +04:00
Lain Soykaf
3b4be5daa2
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into pleroma-secure-mode
2024-05-28 12:31:12 +04:00
Lain Soykaf
687ac4a850
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into auth-fetch-exception
2024-05-27 23:09:17 +04:00
lain
121791882f
Merge branch 'explicitly-allow-unsafe-2' into 'develop'
...
Explicitly allow unsafe 2
See merge request pleroma/pleroma!4125
2024-05-27 18:43:05 +00:00
Lain Soykaf
81e44ced0c
HTTPSecurityPlug: Fix tests
2024-05-27 22:13:20 +04:00
Lain Soykaf
1c699144d2
HttpSecurityPlug: Don't allow unsafe-eval by default
2024-05-27 21:26:40 +04:00
Lain Soykaf
c67506ba68
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into auth-fetch-exception
2024-05-20 18:21:46 +04:00
Mark Felder
40823462e7
Logger metadata for request path and authenticated user
2024-03-19 12:15:10 -04:00
Mark Felder
97c4d3bcc9
Pleroma.Web.Plugs.RateLimiter.Supervisor: dialyzer error
...
lib/pleroma/web/plugs/rate_limiter/supervisor.ex:12:no_return
Function init/1 has no local return.
2024-01-31 13:12:56 -05:00
Mark Felder
5b95abaeea
Credo.Check.Readability.PredicateFunctionNames
...
This check was recently improved in Credo and it does make sense for readability.
The offending functions in Pleroma have been renamed and a couple missing the ? suffix have been fixed as well.
2024-01-26 16:59:58 -05:00
Mark Felder
18d38486a5
InetCidr.parse/2 is deprecated
2024-01-26 15:57:50 -05:00
marcin mikołajczak
017e35fbf1
Fix some more typos
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-12-28 00:17:04 +01:00
Mark Felder
9896b64f54
Elixir 1.15: Chase the Logger.warn deprecation
2023-12-20 20:16:26 +00:00
Haelwenn (lanodan) Monnier
086ba59d03
HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions
2023-12-16 19:25:51 +01:00
Haelwenn (lanodan) Monnier
f271ea6e43
Move Plugs.RemoteIP.maybe_add_cidr/1 to InetHelper.parse_cidr/1
2023-12-16 18:23:26 +01:00
tusooa
3d09bc320e
Make lint happy
2023-08-30 20:36:52 -04:00
Haelwenn
1e685c8302
Merge branch 'csp-flash' into 'develop'
...
allow https: so that flash works across instances without need for media proxy
See merge request pleroma/pleroma!3879
2023-08-16 13:37:49 +00:00
Haelwenn
d838d1990b
Apply lanodan's suggestion(s) to 1 file(s)
2023-08-16 13:34:32 +00:00
Haelwenn (lanodan) Monnier
dd9f8150fc
Merge Revert "Merge branch 'validate-host' into 'develop'"
...
This reverts commit d998a114e2, reversing changes made to da6b4003ac.
2023-06-22 21:28:25 +02:00
Sean King
a5a354a36e
Prevent bypassing authorized fetch mode with a json file
2023-06-21 23:10:56 -06:00
Mark Felder
b3c3bd99c3
Switch from serving a 400 to a 302
2023-05-30 16:56:09 -04:00
Mark Felder
da7394f33b
Fix unused assignment
2023-05-29 15:09:31 -04:00
Mark Felder
a60dd0d92d
Validate Host header matches expected value before allowing access to Uploads
2023-05-29 14:16:03 -04:00
Henry Jameson
2a07411b0c
keep the websocket url for all modes
2023-05-07 15:34:17 +03:00
Henry Jameson
f50fd9278f
reduce redundant reduntancy reduction
2023-05-07 15:29:19 +03:00
Henry Jameson
f8ef4924ec
fix whitespace
2023-05-07 15:24:09 +03:00
Henry Jameson
c0d11da2d8
conditionally set csp depending on media-proxy state
2023-05-07 15:16:30 +03:00
HJ
675639225a
allow https: so that flash works across instances without need for media proxy
2023-04-28 11:13:42 +00:00
Haelwenn (lanodan) Monnier
2148ef5e2f
UploadedMedia: Increase readability via ~s sigil
2023-04-18 00:12:42 +02:00
Haelwenn (lanodan) Monnier
8f0f58e28b
UploadedMedia: Add missing disposition_type to Content-Disposition
...
Set it to `inline` because the vast majority of what's sent is multimedia
content while `attachment` would have the side-effect of triggering a
download dialog.
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3114
2023-04-18 00:09:19 +02:00
Haelwenn (lanodan) Monnier
5716654d12
Remove crypt(3) support
...
This was used to support migration from GNU Social, which was used by at least
shitposter.club, should be entirely irrelevant now.
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3030
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3062
2023-03-05 01:37:57 +01:00
lain
e853cfe7c3
Revert "Merge branch 'copyright-bump' into 'develop'"
...
This reverts merge request !3825
2023-01-02 20:38:50 +00:00
marcin mikołajczak
10886eeaa2
Bump copyright year
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-01-01 12:13:06 +01:00
marcin mikołajczak
6e51845d44
Merge remote-tracking branch 'pleroma/develop' into secure-mode
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-12-27 16:41:16 +01:00
Sean King
60df2d8a97
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges
2022-12-18 22:03:48 -07:00
HJ
a31d3589ed
Update http_security_plug.ex
2022-11-17 12:03:01 -05:00
HJ
79bd363a68
Update lib/pleroma/web/plugs/http_security_plug.ex
2022-11-17 12:03:01 -05:00
Henry Jameson
db76ea578a
try to fix ruffle on chrome
2022-11-17 12:03:01 -05:00
Thomas Citharel
bdedc41cbc
Fix typo in CSP Report-To header name
...
The header name was Report-To, not Reply-To.
In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177
CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to
It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/
(Even though that came out one year ago, it's not compatible with
Network Error Logging, which is still using the Report-To version of the
API)
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 09:43:13 +01:00
tusooa
f8afba95b2
Merge branch 'fix/gts-federation' into 'develop'
...
GoToSocial federation fixes
See merge request pleroma/pleroma!3725
2022-09-05 01:10:34 +00:00
Hélène
439c1baf25
OAuthPlug: use user cache instead of joining
...
As this plug is called on every request, this should reduce load on the
database by not requiring to select on the users table every single
time, and to instead use the by-ID user cache whenever possible.
2022-08-24 03:40:05 +02:00
Hélène
61254111e5
HttpSignaturePlug: accept standard (request-target)
...
The (request-target) used by Pleroma is non-standard, but many HTTP
signature implementations do it this way due to a misinterpretation of
the draft 06 of HTTP signatures: "path" was interpreted as not having
the query, though later examples show that it must be the absolute path
with the query part of the URL as well.
This behavior is kept to make sure most software (Pleroma itself,
Mastodon, and probably others) do not break, but Pleroma now accepts
signatures for a (request-target) containing the query, as expected by
many HTTP signature libraries, and clarified in the draft 11 of HTTP
signatures.
Additionally, the new draft renamed (request-target) to @request-target.
We now support both for incoming requests' signatures.
2022-08-18 17:01:34 +02:00
marcin mikołajczak
c899af1d6a
Reject requests from specified instances if `authorized_fetch_mode` is enabled
...
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-08-05 11:06:30 +02:00
Ilja
c0e4b1b3e2
Fix typo's
...
priviledge |-> privilege
2022-07-02 07:52:39 +02:00
Ilja
5a65e2dac5
Remove privileged_staff
...
Everything that was done through this setting, can now be set by giving the proper privileges to the roles.
2022-06-21 12:10:27 +02:00
Ilja
5b19543f0a
Add new setting and Plug to allow for privilege settings for staff
2022-06-21 12:10:26 +02:00
Tusooa Zhu
57c030a0a7
Skip cache when /objects or /activities is authenticated
...
Ref: fix-local-public
2022-05-06 10:23:26 +02:00
Tusooa Zhu
e2d24eda57
Allow to skip cache in Cache plug
...
Ref: fix-local-public
2022-05-06 10:23:26 +02:00
Haelwenn
d7c53da77a
Merge branch 'from/upstream-develop/tusooa/translate-pages' into 'develop'
...
Translate backend-rendered pages
See merge request pleroma/pleroma!3634
2022-03-20 18:14:37 +00:00
Tusooa Zhu
aca11fb70e
Support multiple locales from userLanguage cookie
2022-03-03 02:31:36 -05:00