ca0859b90f
Prevent XML parser from loading external entities
2023-08-04 22:35:13 -04:00
0e321698d2
gentoo_otp_en.md: Indicate which install method it covers
2023-08-04 17:11:20 +02:00
ff2f3862ab
Merge branch 'release/2.5.3' into 'stable'
...
Release 2.5.3
See merge request pleroma/pleroma!3926
2023-08-04 09:45:48 +00:00
1062185ba0
Merge branch 'mergeback/2.5.3' into 'develop'
...
Mergeback: 2.5.3
Closes #3135
See merge request pleroma/pleroma!3927
2023-08-04 09:38:01 +00:00
6a0fd77c48
Release 2.5.53
2023-08-04 09:50:28 +02:00
65ef8f19c5
release_runtime_provider_test: chmod config for hardened permissions
...
Git doesn't manages file permissions precisely enough for us.
2023-08-04 09:50:28 +02:00
9f0ad901ed
changelog: Entry for config permissions restrictions
...
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135
2023-08-04 09:50:28 +02:00
69caedc591
instance gen: Reduce permissions of pleroma directories and config files
2023-08-04 09:50:28 +02:00
8cc8100120
Config: Restrict permissions of OTP config file
2023-08-04 09:50:28 +02:00
57f7453748
Release 2.5.3
2023-08-04 09:49:53 +02:00
5ac2b7417d
test: Fix warnings
2023-08-04 09:49:53 +02:00
c37561214a
Force the use of amd64 runners for jobs using ci-base
2023-08-04 09:49:53 +02:00
76e408e42d
release_runtime_provider_test: chmod config for hardened permissions
...
Git doesn't manages file permissions precisely enough for us.
2023-08-04 09:49:53 +02:00
22df32b3f5
changelog: Entry for config permissions restrictions
...
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135
2023-08-04 09:49:53 +02:00
bd7381f2f4
instance gen: Reduce permissions of pleroma directories and config files
2023-08-04 09:49:53 +02:00
4befb3b1d0
Config: Restrict permissions of OTP config file
2023-08-04 09:49:53 +02:00
2c79509453
Resolve information disclosure vulnerability through emoji pack archive download endpoint
...
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.
The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.
Reported by: graf@poast.org
2023-08-04 08:40:27 +02:00
18a0c923d0
Resolve information disclosure vulnerability through emoji pack archive download endpoint
...
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.
The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.
Reported by: graf@poast.org
2023-08-04 08:39:55 +02:00
819fccb7d1
Merge branch 'tusooa/3154-attachment-type-check' into 'develop'
...
Restrict attachments to only uploaded files only
Closes #3154
See merge request pleroma/pleroma!3923
2023-08-03 10:01:32 +00:00
b08cbe76f1
Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop'
...
/api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2
See merge request pleroma/pleroma!3801
2023-07-28 15:05:46 +00:00
11ce81d4af
add changelog entry
2023-07-28 18:49:05 +05:00
e5e76ec445
cleaner ecto query to handle restrict_unauthenticated for activities
...
This fix is for this case:
config :pleroma, :restrict_unauthenticated,
activities: %{local: true, remote: true}
2023-07-28 18:45:59 +05:00
dc4de79d43
status context: perform visibility check on activities around a status
...
issue #2927
2023-07-28 18:45:59 +05:00
ea4225a646
Restrict attachments to only uploaded files only
2023-07-18 18:39:59 -04:00
93ad16cca0
Merge branch '2023-06-deps-update' into 'develop'
...
2023-06 deps update + de-override plug
See merge request pleroma/pleroma!3911
2023-07-17 20:37:47 +00:00
e38207162b
Merge branch 'tusooa/2775-emoji-policy' into 'develop'
...
EmojiPolicy
Closes #2775
See merge request pleroma/pleroma!3842
2023-07-07 16:27:30 +00:00
1459d64508
Make regex-to-string descriptor reusable
2023-07-07 07:09:35 -04:00
ba3aa4f86d
Fix edge cases
2023-07-07 06:58:32 -04:00
0d914e17be
Add changelog
2023-07-07 06:58:32 -04:00
d670dbdbd3
Test that unicode emoji reactions are not affected
2023-07-07 06:58:32 -04:00
ef8a6c539a
Make EmojiPolicy aware of custom emoji reactions
2023-07-07 06:58:31 -04:00
20d193c91d
Improve config examples for EmojiPolicy
2023-07-07 06:58:31 -04:00
18a8378beb
Update config cheatsheet
2023-07-07 06:58:31 -04:00
f50422c380
Move emoji_policy.ex to the right place
2023-07-07 06:58:31 -04:00
7eb8abf7bb
EmojiPolicy: Implement delist
2023-07-07 06:58:31 -04:00
80ce6482f6
EmojiPolicy: implement remove by shortcode
2023-07-07 06:58:31 -04:00
28ff828caa
Add emoji policy to remove emojis matching certain urls
...
https://git.pleroma.social/pleroma/pleroma/-/issues/2775
2023-07-07 06:58:22 -04:00
7da6a82dbd
Merge branch 'deprecate-scrobbles' into 'develop'
...
Deprecate audio scrobbling
See merge request pleroma/pleroma!3919
2023-07-04 02:46:10 +00:00
624a5ccb2e
Merge branch 'hotfix/docs-broken-links' into 'develop'
...
docs: Fix broken links
See merge request pleroma/pleroma!3920
2023-07-04 02:26:19 +00:00
0c3709173f
docs: Fix broken links
2023-07-04 04:23:48 +02:00
53f4d6f238
Merge branch 'fix/pipeline-triggers' into 'develop'
...
CI: Fix pipeline tokens & exit status
See merge request pleroma/pleroma!3918
2023-07-04 02:04:24 +00:00
3d79ceb23a
Deprecate audio scrobbling
2023-07-04 03:40:11 +02:00
8c3363a5e7
CI: Use CI_JOB_TOKEN for cross-repo pipeline triggers
2023-07-04 03:25:37 +02:00
10249d1e42
CI: Let curl return non-0 on http failure code
...
Otherwise it silently fails
2023-07-04 03:24:13 +02:00
6fbbf80800
Merge branch 'gentoo_otp' into 'develop'
...
Packaged installation guide for gentoo
See merge request pleroma/pleroma!3906
2023-07-03 21:04:23 +00:00
2b9cd25cf4
Merge branch 'tusooa/media-altdomain' into 'develop'
...
Add instructions to serve media on another domain
See merge request pleroma/pleroma!3892
2023-07-02 21:30:16 +00:00
0262916978
Merge branch 'testfix/system-config-use' into 'develop'
...
release_runtime_provider_test: Explicitely use non-existant config file
See merge request pleroma/pleroma!3910
2023-07-02 21:28:15 +00:00
a31a4c522f
Merge branch 'tusooa/3131-handle-report-from-deactivated-user' into 'develop'
...
Fix handling report from a deactivated user
Closes #3131
See merge request pleroma/pleroma!3915
2023-07-02 21:27:15 +00:00
379590d438
Merge branch 'tusooa/3142-featured-collection-shouldnt-break-user-fetch' into 'develop'
...
Fix user fetch completely broken if featured collection is not in a supported form
See merge request pleroma/pleroma!3914
2023-07-02 21:25:45 +00:00
8cf231c0d1
Merge branch 'tusooa/3151-amd64-runner' into 'develop'
...
Force the use of amd64 runners for jobs using ci-base
Closes #3151
See merge request pleroma/pleroma!3913
2023-07-02 20:20:49 +00:00
Mae