moon
/
spc-pleroma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14,833 Commits 2 Branches 0 Tags 208 MiB
Commit Graph

5728 Commits

Author SHA1 Message Date
Mint 535a5ecad0 CommonAPI: Prevent users from accessing media of other users 
commit 1afde067b1 upstream.
 2023-09-03 11:19:13 +02:00
FloatingGhost 77d57c974a Add unit test for external entity loading 2023-08-05 08:23:04 +02:00
Haelwenn (lanodan) Monnier 5ac2b7417d test: Fix warnings 2023-08-04 09:49:53 +02:00
Haelwenn (lanodan) Monnier 76e408e42d release_runtime_provider_test: chmod config for hardened permissions 
Git doesn't manages file permissions precisely enough for us.
 2023-08-04 09:49:53 +02:00
Mark Felder 18a0c923d0 Resolve information disclosure vulnerability through emoji pack archive download endpoint 
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
 2023-08-04 08:39:55 +02:00
Mark Felder 4505bc1e58 Filter OEmbed HTML tags 2023-05-26 19:56:36 +02:00
tusooa d0c2e0830b Enforce unauth restrictions for public streaming endpoints 2023-05-26 19:24:08 +02:00
Haelwenn b36263e5ff Merge branch 'issue/3126' into 'develop' 
MediaProxyController: Apply CSP sandbox

See merge request pleroma/pleroma!3890
 2023-05-26 19:24:08 +02:00
Haelwenn 72833c84b5 Merge branch 'tusooa/rework-refetch' into 'develop' 
Make sure object refetching follows update rules

See merge request pleroma/pleroma!3883
 2023-05-26 19:24:08 +02:00
tusooa 40f14fd31c Merge branch 'remove-crypt' into 'develop' 
Remove crypt(3) support

Closes #3030 and #3062

See merge request pleroma/pleroma!3847
 2023-03-30 12:47:36 +02:00
Haelwenn 937df7e465 Merge branch 'fix/tag-feed-crashes' into 'develop' 
fix: atom/rss feed issues

Closes #3045

See merge request pleroma/pleroma!3851
 2023-03-30 12:46:35 +02:00
Haelwenn 22b72cd6b8 Merge branch 'tusooa/oban-common-pipeline' into 'develop' 
Stop oban from retrying if validating errors occur when processing incoming data

See merge request pleroma/pleroma!3844
 2023-03-30 12:43:58 +02:00
tusooa e4925f813a
Sanitize filenames when uploading 2023-03-01 18:40:02 -05:00
tusooa 410d50afe5
Ignores in exiftool read descriptions 2023-02-20 12:30:36 -05:00
tusooa f2ed05191c
Test double dot link 2023-02-20 12:28:42 -05:00
tusooa 0e89a9ad15
Test that zwnj is treated as word char in hashtags 2023-02-20 12:28:41 -05:00
Alexander Tumin c3a0703564
Require related object for notifications to filter on content 2023-02-20 12:27:50 -05:00
tusooa 8e8a0f005c
Fix inproper content being cached in report content 2023-02-20 12:26:16 -05:00
tusooa 1c225bfd6e
Allow customizing instance languages 2023-02-20 12:25:00 -05:00
tusooa 3ab3404817
Fix block_from_stranger setting 2023-02-20 12:21:27 -05:00
Lain Soykaf d5125e6ce7
B StripLocation: Add test, work for all svgs. 2023-02-20 12:21:04 -05:00
tusooa 259905a893
Bump earmark to 1.4.22 2023-02-20 12:20:29 -05:00
Haelwenn (lanodan) Monnier 5ce7db455c Git merge is not my favorite tool 2022-12-23 17:07:26 +01:00
Haelwenn (lanodan) Monnier 3fbd42061c Revert "Delete report notifs when demoting from superuser" 
This reverts commit 4504c81080.
 2022-12-23 17:06:09 +01:00
Haelwenn (lanodan) Monnier 7d68d64d63 Merge back 2.4.5 2022-12-23 17:05:05 +01:00
Sean King e07fb6e7dc Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-19 22:02:44 -07:00
lain 0840ce5671 Merge branch 'deletion-resilience' into 'develop' 
Deletion resilience

See merge request pleroma/pleroma!3237
 2022-12-20 03:07:59 +00:00
Sean King d5d4c7c11d Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-19 18:48:26 -07:00
lain c6dff687c0 Merge branch 'from/upstream/develop/tusooa/mrf-updates' into 'develop' 
MRFs with Updates

See merge request pleroma/pleroma!3808
 2022-12-20 00:51:41 +00:00
Sean King 1d95012758 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-19 17:48:11 -07:00
lain 3dfa009ec3 Merge branch 'develop' into 'fix/2980-rss-feed-generation' 
# Conflicts:
#   CHANGELOG.md
 2022-12-19 23:43:23 +00:00
Mark Felder 72d4d1b392 Fix TwitterCard meta tags 
TwitterCard meta tags are supposed to use the attributes "name" and "content".
OpenGraph tags use the attributes "property" and "content".

Twitter itself is smart enough to detect broken meta tags and discover the TwitterCard
using "property" and "content", but other platforms that only implement parsing of TwitterCards
and not OpenGraph may fail to correctly detect the tags as they're under the wrong attributes.

> "Open Graph protocol also specifies the use of property and content attributes for markup while
> Twitter cards use name and content. Twitter’s parser will fall back to using property and content,
> so there is no need to modify existing Open Graph protocol markup if it already exists." [0]

[0] https://developer.twitter.com/en/docs/twitter-for-websites/cards/guides/getting-started
 2022-12-19 17:23:12 -05:00
Sean King 60df2d8a97
Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into fine_grained_moderation_privileges 2022-12-18 22:03:48 -07:00
faried nawaz fce2998481
use to_rfc2822 instead of pub_date in tests, too 2022-12-19 01:44:47 +05:00
faried nawaz c49316faee
modify user feed controller test to expect summary for title 2022-12-19 01:44:47 +05:00
faried nawaz f597b1b3e6
remove ap_id test -- the element makes the feed break 2022-12-19 01:44:46 +05:00
tusooa a3985aac91 Merge branch 'fix-2856' into 'develop' 
Uploading an avatar media exceeding max size returns a 413

Closes #2856

See merge request pleroma/pleroma!3804
 2022-12-16 16:15:36 +00:00
lain 301eb86b35 Merge branch 'update-deps' into 'develop' 
Update to Phoenix 1.6, Elixir 1.11, and chase dependencies

See merge request pleroma/pleroma!3766
 2022-12-16 00:36:59 +00:00
Lain Soykaf bb27e4134b AudioVideoValidator: Fix embedded attachment requirements 2022-12-15 18:06:28 -05:00
Lain Soykaf 9838790a7d AttachmentValidator: Actually require url 2022-12-15 17:46:20 -05:00
tusooa 2554028097
Make SimplePolicy Update-aware 
This is inspired by d5828f1c5e
 2022-12-15 11:57:45 -05:00
tusooa dc7efcd08b
Make TagPolicy Update-aware 
This is inspired by d5828f1c5e
 2022-12-15 11:08:24 -05:00
tusooa 62c27e0164
Fix failure when registering a user with no email when approval required 2022-12-14 01:04:42 -05:00
duponin 9876742358 Return 413 when an actor's banner or background exceeds the size limit 2022-12-11 23:15:08 +01:00
duponin 452595baed Uploading an avatar media exceeding max size returns a 413 
Until now it was returning a 500 because the upload plug were going
through the changeset and ending in the JSON encoder, which raised
because struct has to @derive the encoder.
 2022-12-11 22:54:47 +01:00
Haelwenn 204fd6faae Merge branch 'from/upstream-develop/tusooa/report-fake' into 'develop' 
Report an Object, not a Create Activity

Closes #2986

See merge request pleroma/pleroma!3788
 2022-12-09 14:25:24 +00:00
tusooa da0c684344
Add tests for flagging non-Create activities 2022-12-08 20:51:08 -05:00
Haelwenn 3394394e0f Merge branch 'develop' into 'develop' 
Change follow_operation schema to use type BooleanLike

Closes #2999

See merge request pleroma/pleroma!3787
 2022-11-28 00:13:35 +00:00
ave 0f88c2bca4 Change follow_operation schema to use type BooleanLike 2022-11-28 00:13:34 +00:00
Haelwenn 36789986c0 Merge branch 'mergeback/2.4.5' into 'develop' 
Mergeback: 2.4.5

See merge request pleroma/pleroma!3794
 2022-11-27 21:24:44 +00:00