385492577d
mix: version 2.5.5
2023-09-03 11:19:26 +02:00
535a5ecad0
CommonAPI: Prevent users from accessing media of other users
...
commit 1afde067b1
2023-09-03 11:19:13 +02:00
1f4be2b349
Merge branch 'releases/2.5.4' into 'stable'
...
Release 2.5.4
See merge request pleroma/pleroma!3929
2023-08-05 08:12:25 +00:00
b631180b38
Release 2.5.4
2023-08-05 08:27:42 +02:00
cc848b78dc
Document and test that XXE processing is disabled
...
https://vuln.be/post/xxe-in-erlang-and-elixir/
2023-08-05 08:23:04 +02:00
77d57c974a
Add unit test for external entity loading
2023-08-05 08:23:04 +02:00
fc10e07ffb
Prevent XML parser from loading external entities
2023-08-05 08:23:04 +02:00
ff2f3862ab
Merge branch 'release/2.5.3' into 'stable'
...
Release 2.5.3
See merge request pleroma/pleroma!3926
2023-08-04 09:45:48 +00:00
57f7453748
Release 2.5.3
2023-08-04 09:49:53 +02:00
5ac2b7417d
test: Fix warnings
2023-08-04 09:49:53 +02:00
c37561214a
Force the use of amd64 runners for jobs using ci-base
2023-08-04 09:49:53 +02:00
76e408e42d
release_runtime_provider_test: chmod config for hardened permissions
...
Git doesn't manages file permissions precisely enough for us.
2023-08-04 09:49:53 +02:00
22df32b3f5
changelog: Entry for config permissions restrictions
...
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135
2023-08-04 09:49:53 +02:00
bd7381f2f4
instance gen: Reduce permissions of pleroma directories and config files
2023-08-04 09:49:53 +02:00
4befb3b1d0
Config: Restrict permissions of OTP config file
2023-08-04 09:49:53 +02:00
18a0c923d0
Resolve information disclosure vulnerability through emoji pack archive download endpoint
...
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.
The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.
Reported by: graf@poast.org
2023-08-04 08:39:55 +02:00
2d193861db
Merge branch 'release/2.5.2' into 'stable'
...
Security release 2.5.2
See merge request pleroma/pleroma!3863
2023-05-26 19:35:31 +00:00
7618e562b3
Version 2.5.2
2023-05-26 19:57:00 +02:00
4505bc1e58
Filter OEmbed HTML tags
2023-05-26 19:56:36 +02:00
d0c2e0830b
Enforce unauth restrictions for public streaming endpoints
2023-05-26 19:24:08 +02:00
b36263e5ff
Merge branch 'issue/3126' into 'develop'
...
MediaProxyController: Apply CSP sandbox
See merge request pleroma/pleroma!3890
2023-05-26 19:24:08 +02:00
4339230f64
Merge branch 'tusooa/fix-object-test' into 'develop'
...
Fix ObjectTest
See merge request pleroma/pleroma!3887
2023-05-26 19:24:08 +02:00
72833c84b5
Merge branch 'tusooa/rework-refetch' into 'develop'
...
Make sure object refetching follows update rules
See merge request pleroma/pleroma!3883
2023-05-26 19:24:08 +02:00
e4288df502
Merge branch 'background-timeout' into 'develop'
...
Set background worker timeout to 15 minutes
See merge request pleroma/pleroma!3857
2023-03-30 12:48:35 +02:00
ad38cc3b0c
Merge branch 'docs-otp-support' into 'develop'
...
docs: Be more explicit about the level of compatibility of OTP releases
See merge request pleroma/pleroma!3849
2023-03-30 12:48:12 +02:00
40f14fd31c
Merge branch 'remove-crypt' into 'develop'
...
Remove crypt(3) support
Closes #3030 and #3062
See merge request pleroma/pleroma!3847
2023-03-30 12:47:36 +02:00
937df7e465
Merge branch 'fix/tag-feed-crashes' into 'develop'
...
fix: atom/rss feed issues
Closes #3045
See merge request pleroma/pleroma!3851
2023-03-30 12:46:35 +02:00
d640df3927
Merge branch 'fix/static-fe-feed-500' into 'develop'
...
fix: remove static_fe pipeline for /users/:nickname/feed
See merge request pleroma/pleroma!3852
2023-03-30 12:45:39 +02:00
22b72cd6b8
Merge branch 'tusooa/oban-common-pipeline' into 'develop'
...
Stop oban from retrying if validating errors occur when processing incoming data
See merge request pleroma/pleroma!3844
2023-03-30 12:43:58 +02:00
fd46f83d2d
Merge branch 'release/2.5.1' into 'stable'
...
release: 2.5.1
See merge request pleroma/pleroma!3841
2023-03-02 00:50:02 +00:00
938e238ea1
Add the security fix to the changelog
2023-03-01 18:44:29 -05:00
e4925f813a
Sanitize filenames when uploading
2023-03-01 18:40:02 -05:00
5d34fe1868
Bundle frontend
2023-02-20 12:37:44 -05:00
75b76a0666
Bump version in mix project to 2.5.1
2023-02-20 12:32:45 -05:00
db06e445f1
Compose changelog for 2.5.1
2023-02-20 12:32:18 -05:00
410d50afe5
Ignores in exiftool read descriptions
2023-02-20 12:30:36 -05:00
c69ae5f7c7
Bump crypt to v1.0.1
2023-02-20 12:29:38 -05:00
bb9ed51da7
Update mix.exs
2023-02-20 12:28:52 -05:00
002159fc1c
Bump linkify
2023-02-20 12:28:52 -05:00
f2ed05191c
Test double dot link
2023-02-20 12:28:42 -05:00
0e89a9ad15
Test that zwnj is treated as word char in hashtags
2023-02-20 12:28:41 -05:00
c3a0703564
Require related object for notifications to filter on content
2023-02-20 12:27:50 -05:00
8e8a0f005c
Fix inproper content being cached in report content
2023-02-20 12:26:16 -05:00
772d99c582
Use versioned image from hexpm
2023-02-20 12:25:31 -05:00
1c225bfd6e
Allow customizing instance languages
2023-02-20 12:25:00 -05:00
1b82fd95d4
Remove unwanted code specific to MIX_ENV=test
2023-02-20 12:24:38 -05:00
88ce0e8b24
Fix rel="me"
...
Cachex for this was not started
2023-02-20 12:24:32 -05:00
3ab3404817
Fix block_from_stranger setting
2023-02-20 12:21:27 -05:00
d5125e6ce7
B StripLocation: Add test, work for all svgs.
2023-02-20 12:21:04 -05:00
e8fca8882a
Added SVG to formats not compatible with exiftool
2023-02-20 12:21:04 -05:00
Haelwenn (lanodan) Monnier