Update Changelog
parent
0648d9ebaa
commit
ee7d98b093
1 changed files with 21 additions and 1 deletions
22
CHANGELOG.md
@ -7,17 +7,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
## Unreleased
## Added
## Added
- CLI tasks best-effort checking for past abuse of the recent spoofing exploit
- new `:mrf_steal_emoji, :download_unknown_size` option; defaults to `false`
## Changed
## Changed
- `Pleroma.Upload, :base_url` now MUST be configured explicitly;
- `Pleroma.Upload, :base_url` now MUST be configured explicitly if used;
use of the same domain as the instance is **strongly** discouraged
use of the same domain as the instance is **strongly** discouraged
- `:media_proxy, :base_url` now MUST be configured explicitly if used;
use of the same domain as the instance is **strongly** discouraged
- StealEmoji:
- now uses the pack.json format;
existing users must migrate with an out-of-band script (check release notes)
- only steals shortcodes recognised as valid
- URLs of stolen emoji is no longer predictable
- The `Dedupe` upload filter is now always active;
- The `Dedupe` upload filter is now always active;
`AnonymizeFilenames` is again opt-in
`AnonymizeFilenames` is again opt-in
- received AP data is sanity checked before we attempt to parse it as a user
- Uploads, emoji and media proxy now restrict Content-Type headers to a safe subset
- Akkoma will no longer fetch and parse objects hosted on the same domain
## Fixed
## Fixed
- Critical security issue allowing Akkoma to be used as a vector for
- Critical security issue allowing Akkoma to be used as a vector for
(depending on configuration) impersonation of other users or creation
(depending on configuration) impersonation of other users or creation
of bogus users and posts on the upload domain
of bogus users and posts on the upload domain
- Critical security issue letting Akkoma fall for the above impersonation
payloads due to lack of strict id checking
- Critical security issue allowing domains redirect to to pose as the initial domain
(e.g. with media proxy's fallback redirects)
- refetched objects can no longer attribute themselves to third-party actors
(this had no externally visible effect since actor info is read from the Create activity)
- our litepub JSON-LD schema is now served with the correct content type
- remote APNG attachments are now recognised as images
## 2024.02
## 2024.02
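Review bot: the new Fixed entry "Critical security issue allowing domains redirect to to pose as the initial domain" is garbled, and a reader cannot tell whether the subject is the redirecting domain or the redirect target; rewrite it as "Critical security issue allowing redirect targets to pose as the initial domain", keeping the "(e.g. with media proxy's fallback redirects)" continuation. Two smaller points in the same hunk: "URLs of stolen emoji is no longer predictable" should read "are no longer predictable", and the Added entry "CLI tasks best-effort checking for past abuse of the recent spoofing exploit" gives an operator nothing to act on, since it names neither the task to run nor what it inspects; name the task, or point at the release notes as the StealEmoji migration entry already does, so that admins upgrading after the impersonation fixes listed under Fixed know what to run and what "best-effort" leaves uncovered.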