Commit Graph

123 Commits

Author SHA1 Message Date
Lain Soykaf f5978da676 HTTPSignaturePlugTest: Rewrite to use mox. 2024-05-28 14:00:25 +04:00
Lain Soykaf 3b4be5daa2 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into pleroma-secure-mode 2024-05-28 12:31:12 +04:00
Lain Soykaf 687ac4a850 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into auth-fetch-exception 2024-05-27 23:09:17 +04:00
lain 121791882f Merge branch 'explicitly-allow-unsafe-2' into 'develop'
Explicitly allow unsafe 2

See merge request pleroma/pleroma!4125
2024-05-27 18:43:05 +00:00
Lain Soykaf 81e44ced0c HTTPSecurityPlug: Fix tests 2024-05-27 22:13:20 +04:00
Lain Soykaf 1c699144d2 HttpSecurityPlug: Don't allow unsafe-eval by default 2024-05-27 21:26:40 +04:00
Lain Soykaf c67506ba68 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into auth-fetch-exception 2024-05-20 18:21:46 +04:00
Mark Felder 40823462e7 Logger metadata for request path and authenticated user 2024-03-19 12:15:10 -04:00
Mark Felder 97c4d3bcc9 Pleroma.Web.Plugs.RateLimiter.Supervisor: dialyzer error
lib/pleroma/web/plugs/rate_limiter/supervisor.ex:12:no_return
Function init/1 has no local return.
2024-01-31 13:12:56 -05:00
Mark Felder 5b95abaeea Credo.Check.Readability.PredicateFunctionNames
This check was recently improved in Credo and it does make sense for readability.

The offending functions in Pleroma have been renamed and a couple missing the ? suffix have been fixed as well.
2024-01-26 16:59:58 -05:00
Mark Felder 18d38486a5 InetCidr.parse/2 is deprecated 2024-01-26 15:57:50 -05:00
marcin mikołajczak 017e35fbf1 Fix some more typos
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-12-28 00:17:04 +01:00
Mark Felder 9896b64f54 Elixir 1.15: Chase the Logger.warn deprecation 2023-12-20 20:16:26 +00:00
Haelwenn (lanodan) Monnier 086ba59d03 HTTPSignaturePlug: Add :authorized_fetch_mode_exceptions 2023-12-16 19:25:51 +01:00
Haelwenn (lanodan) Monnier f271ea6e43 Move Plugs.RemoteIP.maybe_add_cidr/1 to InetHelper.parse_cidr/1 2023-12-16 18:23:26 +01:00
tusooa 3d09bc320e
Make lint happy 2023-08-30 20:36:52 -04:00
Haelwenn 1e685c8302 Merge branch 'csp-flash' into 'develop'
allow https: so that flash works across instances without need for media proxy

See merge request pleroma/pleroma!3879
2023-08-16 13:37:49 +00:00
Haelwenn d838d1990b Apply lanodan's suggestion(s) to 1 file(s) 2023-08-16 13:34:32 +00:00
Haelwenn (lanodan) Monnier dd9f8150fc Merge Revert "Merge branch 'validate-host' into 'develop'"
This reverts commit d998a114e2, reversing
changes made to da6b4003ac.
2023-06-22 21:28:25 +02:00
Sean King a5a354a36e
Prevent bypassing authorized fetch mode with a json file 2023-06-21 23:10:56 -06:00
Mark Felder b3c3bd99c3 Switch from serving a 400 to a 302 2023-05-30 16:56:09 -04:00
Mark Felder da7394f33b Fix unused assignment 2023-05-29 15:09:31 -04:00
Mark Felder a60dd0d92d Validate Host header matches expected value before allowing access to Uploads 2023-05-29 14:16:03 -04:00
Henry Jameson 2a07411b0c keep the websocket url for all modes 2023-05-07 15:34:17 +03:00
Henry Jameson f50fd9278f reduce redundant reduntancy reduction 2023-05-07 15:29:19 +03:00
Henry Jameson f8ef4924ec fix whitespace 2023-05-07 15:24:09 +03:00
Henry Jameson c0d11da2d8 conditionally set csp depnding on media-proxy state 2023-05-07 15:16:30 +03:00
HJ 675639225a allow https: so that flash works across instances without need for media proxy 2023-04-28 11:13:42 +00:00
Haelwenn (lanodan) Monnier 2148ef5e2f UploadedMedia: Increase readability via ~s sigil 2023-04-18 00:12:42 +02:00
Haelwenn (lanodan) Monnier 8f0f58e28b UploadedMedia: Add missing disposition_type to Content-Disposition
Set it to `inline` because the vast majority of what's sent is multimedia
content while `attachment` would have the side-effect of triggering a
download dialog.

Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3114
2023-04-18 00:09:19 +02:00
Haelwenn (lanodan) Monnier 5716654d12 Remove crypt(3) support
This was used to support migration from GNU Social, which was used by at least
shitposter.club, should be entirely irrelevant now.

Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3030
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3062
2023-03-05 01:37:57 +01:00
lain e853cfe7c3 Revert "Merge branch 'copyright-bump' into 'develop'"
This reverts merge request !3825
2023-01-02 20:38:50 +00:00
marcin mikołajczak 10886eeaa2 Bump copyright year
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-01-01 12:13:06 +01:00
marcin mikołajczak 6e51845d44 Merge remote-tracking branch 'pleroma/develop' into secure-mode
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-12-27 16:41:16 +01:00
Sean King 60df2d8a97
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-18 22:03:48 -07:00
HJ a31d3589ed Update http_security_plug.ex 2022-11-17 12:03:01 -05:00
HJ 79bd363a68 Update lib/pleroma/web/plugs/http_security_plug.ex 2022-11-17 12:03:01 -05:00
Henry Jameson db76ea578a try to fix ruffle on chrome 2022-11-17 12:03:01 -05:00
Thomas Citharel bdedc41cbc
Fix typo in CSP Report-To header name
The header name was Report-To, not Reply-To.

In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177

CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to

It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/

(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 09:43:13 +01:00
tusooa f8afba95b2 Merge branch 'fix/gts-federation' into 'develop'
GoToSocial federation fixes

See merge request pleroma/pleroma!3725
2022-09-05 01:10:34 +00:00
Hélène 439c1baf25
OAuthPlug: use user cache instead of joining
As this plug is called on every request, this should reduce load on the
database by not requiring to select on the users table every single
time, and to instead use the by-ID user cache whenever possible.
2022-08-24 03:40:05 +02:00
Hélène 61254111e5
HttpSignaturePlug: accept standard (request-target)
The (request-target) used by Pleroma is non-standard, but many HTTP
signature implementations do it this way due to a misinterpretation of
the draft 06 of HTTP signatures: "path" was interpreted as not having
the query, though later examples show that it must be the absolute path
with the query part of the URL as well.

This behavior is kept to make sure most software (Pleroma itself,
Mastodon, and probably others) do not break, but Pleroma now accepts
signatures for a (request-target) containing the query, as expected by
many HTTP signature libraries, and clarified in the draft 11 of HTTP
signatures.

Additionally, the new draft renamed (request-target) to @request-target.
We now support both for incoming requests' signatures.
2022-08-18 17:01:34 +02:00
marcin mikołajczak c899af1d6a Reject requests from specified instances if `authorized_fetch_mode` is enabled
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2022-08-05 11:06:30 +02:00
Ilja c0e4b1b3e2 Fix typo's
priviledge |-> privilege
2022-07-02 07:52:39 +02:00
Ilja 5a65e2dac5 Remove privileged_staff
Everything that was done through this setting, can now be set by giving the proper privileges to the roles.
2022-06-21 12:10:27 +02:00
Ilja 5b19543f0a Add new setting and Plug to allow for privilege settings for staff 2022-06-21 12:10:26 +02:00
Tusooa Zhu 57c030a0a7 Skip cache when /objects or /activities is authenticated
Ref: fix-local-public
2022-05-06 10:23:26 +02:00
Tusooa Zhu e2d24eda57 Allow to skip cache in Cache plug
Ref: fix-local-public
2022-05-06 10:23:26 +02:00
Haelwenn d7c53da77a Merge branch 'from/upstream-develop/tusooa/translate-pages' into 'develop'
Translate backend-rendered pages

See merge request pleroma/pleroma!3634
2022-03-20 18:14:37 +00:00
Tusooa Zhu aca11fb70e
Support multiple locales from userLanguage cookie 2022-03-03 02:31:36 -05:00