MediaProxy omits inline imaged without explicit scheme #900

New issue

Closed

opened 2025-04-09 19:14:09 +00:00 by Oneric · 0 comments

Oneric commented 2025-04-09 19:14:09 +00:00

Owner

Copy link

Your setup

From source

Version

3.15.1-1 (522a168a)

What is wrong?

Inline images without an explicit URL scheme will not be proxied even with media proxy enabled.
If media proxy was enabled with the goal of improving the anonymity of local users, the resulting IP leak is undesireable.

Example: https://cofe.rocks/notice/AsvC1Xh4OJQB7z3AcC

"content": "'let&#39;s see if this works\n<br/><br/>\n<img src="//uploads.cofe.rocks/a.png"/>'"

This is probably a consequence of #860 although I’m not sure if it was proxied successfully before or just errored out (if the redirect_on_failure default value was explicitly overriden to true, it would have leaked the IP even before, but in the default config this shouldn’t have happened previously)

Possible fix

without explicit scheme just assume HTTPS and attempt proxying

Severity

I cannot use it as easily as I'd like

Have you searched for this issue?

• I have double-checked and have not found this issue mentioned anywhere.

### Your setup From source ### Version 3.15.1-1 (522a168a) ### What is wrong? Inline images without an explicit URL scheme will not be proxied even with media proxy enabled. If media proxy was enabled with the goal of improving the anonymity of local users, the resulting IP leak is undesireable. Example: https://cofe.rocks/notice/AsvC1Xh4OJQB7z3AcC ```json "content": "'let&#39;s see if this works\n<br/><br/>\n<img src="//uploads.cofe.rocks/a.png"/>'" ``` This is probably a consequence of https://akkoma.dev/AkkomaGang/akkoma/pulls/860 although I’m not sure if it was proxied successfully before or just errored out *(if the `redirect_on_failure` default value was explicitly overriden to `true`, it would have leaked the IP even before, but in the default config this shouldn’t have happened previously)* ### Possible fix without explicit scheme just assume HTTPS and attempt proxying ### Severity I cannot use it as easily as I'd like ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.

Oneric added the

bug

label 2025-04-09 19:14:09 +00:00

Oneric referenced this issue 2025-04-09 19:17:39 +00:00

Only proxy HTTP and HTTP urls via Media Proxy #860

Oneric referenced this issue from a commit 2025-04-17 23:47:08 +00:00

mediaproxy: proxy network-path references

Oneric referenced this issue from a commit 2025-04-17 23:50:39 +00:00

mediaproxy: proxy network-path references

Oneric referenced this issue 2025-04-17 23:51:38 +00:00

mediaproxy: proxy network-path references #903

Oneric closed this issue 2025-05-09 20:13:58 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

backfill-expiry

stable

db-prune-beastmode-level-aggression

better-stats

translations

customizable-docker-db

static-adminfe

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.15.2

v3.15.1

v3.15.0

v3.14.1

v3.14.0

v2.8.0

v2.7.1

v3.13.3

v2.7.0

v3.13.2

v2.6.3

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs change/feedback

Issue or PR is stalled on response from the author or a third party

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs change/feedback

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#900

No description provided.