a95af3ee4c
exiftool: strip all non-essential tags
...
Documentation was already clear on this only stripping GPS tags.
But there are more potentially sensitive metadata tags (e.g. author
and possibly description) and the name alone suggests a broader effect.
Thus change the filter to strip all metadata except for colourspace info
and orientation (technically it strips everything and then readds
selected tags).
Explicitly stripping CommonIFD0 is needed since -all does not modify
IFD0 due to TIFF storing some actual image data there. CommonIFD0 then
strips a bunch of commonly used actual metadata tags from IFD0, to my
understanding leaving TIFF image data and custom metadata tags intact.
2024-04-25 23:00:42 +02:00
24e608ab5b
docs: fix typo
2024-04-25 23:00:42 +02:00
b1c6621e66
Merge pull request 'Read image description from EXIF data' (#744) from timorl/akkoma:elseinspe into develop
...
Reviewed-on: #744
2024-04-25 12:52:31 +00:00
0fa3fbf55e
Update OTP install docs to use certbot nginx plugin
2024-04-23 00:02:54 -04:00
e5f4282cca
Update certbot instructions for Alpine Linux
2024-04-23 00:02:54 -04:00
cdde95ad8b
Update gentoo install guide to use certbot-nginx
2024-04-23 00:02:54 -04:00
c493769364
Update Nginx setup docs for Fedora and Red Hat OTP
2024-04-23 00:02:15 -04:00
39b8e73532
Update docs for Arch Linux nginx setup
...
Alongside moving to certbot's nginx plugin, also use conf.d instead of
recreating the sites-{available,enabled} setup that Debian/Ubuntu uses.
Furthermore, also request a certificate for the media domain at the same
time since that's now required.
2024-04-21 18:19:07 -04:00
5405828ab1
Update debian install docs to use certbot nginx plugin
2024-04-21 18:19:07 -04:00
timorl
cd7af81896
Rename StripLocation to StripMetadata for temporal-proofing reasons
2024-04-16 20:37:00 +02:00
timorl
b144218dce
Merge branch 'develop' into elseinspe
2024-04-14 20:31:33 +02:00
e36c0f96fc
Merge pull request 'Add docker override file to docs and gitignore' (#621) from norm/akkoma:docker-compose-override into develop
...
Reviewed-on: #621
2024-04-12 18:50:25 +00:00
d910e8d7d1
Add test suite for elixir1.16
2024-04-12 19:13:33 +01:00
61621ebdbc
Add tests for extra warnings about media subdomains
2024-04-02 10:54:53 +01:00
0648d9ebaa
Add mix tasks to detect spoofed posts and users
...
At least as far as we can
2024-03-26 16:05:20 -01:00
d441101200
Add mix task to detect uploaded spoof payloads
2024-03-26 16:05:20 -01:00
d6d838cbe8
StealEmoji: check remote size before downloading
...
To save on bandwidth and avoid OOMs with large files.
Ofc, this relies on the remote server
(a) sending a content-length header and
(b) being honest about the size.
Common fedi servers seem to provide the header and (b) at least raises
the required privilege of a malicious actor to a server infrastructure
admin of an explicitly allowed host.
A more complete defense which still works when faced with
a malicious server requires changes in upstream Finch;
see https://github.com/sneako/finch/issues/224
2024-03-18 22:33:10 -01:00
fb54c47f0b
Update example nginx config
...
To account for our subdomain recommendations
2024-03-18 22:33:10 -01:00
fc36b04016
Drop media proxy same-domain default for base_url
...
Even more than with user uploads, a same-domain proxy setup bears
significant security risks due to serving untrusted content under
the main domain space.
A risky setup like that should never be the default.
2024-03-18 22:33:10 -01:00
0ec62acb9d
Always insert Dedupe upload filter
...
This actually was already intended before to eradicate all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.
Even without Dedupe, the upload path is prefixed by an UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigans occur, uploads
reliably work and save some disk space.
While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successful preimage attack against
SHA-256, which is deemed infeasible for the foreseeable future.
Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridden by whatever the
config generated by the "pleroma.instance gen" task chose.
Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
fef773ca35
Drop media base_url default and recommend different domain
...
Same-domain setups enabled now at least two exploits,
so they ought to be discouraged and definitely not be the default.
2024-03-18 22:33:10 -01:00
cdf73e0ac8
Merge pull request 'Better document database differences for Pleroma migrations' (#699) from Oneric/akkoma:doc_pleroma-migration-db into develop
...
Reviewed-on: #699
2024-02-24 04:33:43 +00:00
967e6b8ade
Merge pull request 'Docs: Add description for mrf_reject_newly_created_account_notes' (#695) from YokaiRick/akkoma:doc_mrf_reject_acc_notes into develop
...
Reviewed-on: #695
2024-02-24 04:31:28 +00:00
bff2812a93
More prominently document db migrations in migrations from Pleroma
...
By now most instances will run a version past 2022-08 but the guide
only documented it for from-source installs and Pleroma develop.
2024-02-23 23:54:14 +01:00
7964272c98
Document how to avoid data loss on migration from Pleroma
2024-02-23 23:54:09 +01:00
c25cfe9b7a
fixed spelling
2024-02-19 23:25:20 +01:00
41dd37d796
doc/cheatsheet: add missing MRFs
...
Or mentions of MRFs in the main list
whose options were already documented.
2024-02-19 23:15:47 +01:00
9830d54fa1
doc/cheatsheet: sort main MRF list alphabetically
...
It is too cumbersome to find a specific policy atm
or to check if all are documented yet.
Trivial placeholder policies are excluded from this.
2024-02-19 23:15:30 +01:00
f254e4f530
doc/cheatsheet: add missing MRF config detail docs
...
And remove “on by default” text from individual entries.
They are now already in the “on by default” section.
2024-02-19 23:14:44 +01:00
da4190c46e
doc/cheatsheet: split out always active MRFs
...
It doesn’t make sense to add/remove them from the policies list
2024-02-19 23:14:24 +01:00
7a2d68c3ab
doc/cheatsheet: add link to ActivityExpiration config details
2024-02-19 23:14:07 +01:00
8e7a89605d
doc/cheatsheet: move MRF policies key to end of section
...
This makes it easier to spot the transparency options
2024-02-19 23:13:48 +01:00
1640d19448
doc/cheatsheet: move :activitypub section ahead
...
Else it is too easy to mistake for another MRF policy.
2024-02-19 23:13:25 +01:00
8f1776a8a7
Purge leftovers from FollowBot MRF
...
It was dropped in 9db4c2429f
2024-02-19 23:13:05 +01:00
1ec6e193e6
doc: clarify RejectNewlyCreated uses local account discovery
2024-02-19 23:12:41 +01:00
b4c832471c
docs/docs/configuration/cheatsheet.md updated
...
fixed up some grammar / wording. removed a sentence and made wording more in line with what I could find in Admin-FE (especially wording of "rejecting" vs. dropping)
2024-02-17 22:09:47 +00:00
db49daa4a5
make it clearer what it affects
2024-02-17 22:57:56 +01:00
718104117f
fix link
2024-02-17 22:34:55 +01:00
12e7d0a25c
added doc for mrf_reject_newly_created_account_notes
2024-02-17 22:25:12 +01:00
7a0e27a746
Disable busy waits in the default OTP vm.args
configuration.
...
This vastly reduces idle CPU usage, which should generally be beneficial
for most small-to-medium sized instances.
Additionally update the documentation to specify how to override the vm.args
file for OTP installs
2024-02-17 13:21:56 +01:00
e99e2407f3
Add background_removal to SimplePolicy MRF
2024-02-16 16:36:45 +01:00
0ed815b8a1
Merge branch 'followback' into develop
2024-02-16 13:27:40 +00:00
cda597a05c
doc: fix Akkoma identification name
...
Akkoma stopped pretending to be Pleroma here when the mix project name
was changed in c07fcdbf2b.
2024-02-15 16:25:59 +01:00
711043f57d
Document bubble timeline API
...
It was added in cb6e7359af.
2024-02-15 16:04:33 +01:00
6bb455702d
Document Akkoma API
2024-02-15 16:04:33 +01:00
7493d8f49d
Document live dashboard
2024-02-15 16:04:33 +01:00
376f6b15ca
Add ability to auto-approve followbacks
...
Resolves: #148
2024-02-13 15:42:37 +01:00
13e62b4e51
Fix schema and docs for status_ttl_days and instance
...
Fixes misspelling and omission of an example in commit
0cfd5b4e89 which added the
status_ttl_property. This was the only place this commit
referred to the property as note_ttl_days.
Partially fixes the omitted schema update of the instance metadata addition
from commit b7e8ce2350. A proper full schema
for nodeinfo is still missing.
2024-02-13 15:39:52 +01:00
e97d08ee98
Merge pull request 'MRF transparency: don’t forget to obfuscate short domains' (#676) from Oneric/akkoma:mrf-obfuscation into develop
...
Reviewed-on: #676
2024-02-05 08:43:43 +00:00
3cd882528e
More prominently document MRF transparency and obfuscation
...
And point to the cheat sheet for all other MRF policies
and their configuration details.
2024-02-02 14:50:21 +00:00