akkoma/changelog.d
Mark Felder 2c79509453 Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
2023-08-04 08:40:27 +02:00
..
2023-06-deps-update.skip mix: 2023-06 deps update 2023-06-27 02:38:31 +02:00
3126.fix Merge branch 'issue/3126' into 'develop' 2023-05-26 19:24:08 +02:00
3739.skip Allow to explicitly skip changelog 2022-08-28 09:57:32 -04:00
3801.fix add changelog entry 2023-07-28 18:49:05 +05:00
3831.skip mix: bump gettext to ~0.20 2023-06-02 03:06:32 +02:00
3848.add Add changelog 2023-05-02 16:33:53 -04:00
3870.skip Skip changelog entry 2023-04-12 12:40:26 -04:00
3872.remove add changelog entry for BBS/SSH feature remove 2023-04-23 10:58:50 +02:00
3873.fix UploadedMedia: Add missing disposition_type to Content-Disposition 2023-04-18 00:09:19 +02:00
3874.remove Update changelog 2023-06-11 16:22:03 +04:00
3876.skip Add changelog for 3876 2023-04-25 21:40:28 -04:00
3877.skip Skip changelog entry for 3877 2023-04-26 07:20:35 -04:00
3878.skip Do not use needs: in pipeline yaml 2023-04-26 09:14:49 -04:00
3880.remove Add changelog for !3880 2023-05-05 11:13:50 +02:00
3882.add Allow lang attribute 2023-05-09 19:27:32 -04:00
3883.fix Merge branch 'tusooa/rework-refetch' into 'develop' 2023-05-26 19:24:08 +02:00
3884.fix CommonFields: Use BareUri for :url 2023-05-17 17:25:46 +02:00
3885.fix changelog entry 2023-05-29 02:52:49 +05:00
3888.fix ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts 2023-05-26 12:30:19 -04:00
3891.fix Filter OEmbed HTML tags 2023-05-26 19:56:36 +02:00
3893.skip Merge branch 'release/2.5.2' into mergeback/2.5.2 2023-05-26 23:47:50 +02:00
3897.add Add OnlyMedia Upload Filter to simplify restricting uploads to audio, image, and video types 2023-05-29 15:49:04 -04:00
3899.skip Use Phoenix.ConnTest.redirected_to/2 2023-05-31 09:54:37 -04:00
3901.security Add changelog. 2023-06-02 17:09:58 +04:00
3902.skip changelog.d 2023-06-07 09:25:57 -04:00
3909.skip Merge Revert "Merge branch 'validate-host' into 'develop'" 2023-06-22 21:28:25 +02:00
amd64-runner.skip Force the use of amd64 runners for jobs using ci-base 2023-07-01 23:25:04 -04:00
attachment-type-check.fix Restrict attachments to only uploaded files only 2023-07-18 18:39:59 -04:00
changelog-improve.skip Skip changelog 2023-04-22 20:45:27 -04:00
delete-status-of-banned-user.fix Fix deleting banned users' statuses 2023-05-25 19:00:38 -04:00
deprecate-scrobbles.remove Deprecate audio scrobbling 2023-07-04 03:40:11 +02:00
distro-docs-elixir-1.11.skip installation/debian_based_jp: Elixir 1.11 means Debian 12+ and Ubuntu 22.04+ 2023-05-31 08:32:58 +02:00
emoji-pack-sanitization.security Resolve information disclosure vulnerability through emoji pack archive download endpoint 2023-08-04 08:40:27 +02:00
emoji-policy.add Add changelog 2023-07-07 06:58:32 -04:00
featured-collection-shouldnt-break-user-fetch.fix Fix user fetch completely broken if featured collection is not in a supported form 2023-07-02 11:03:09 -04:00
fix-object-test.fix Merge branch 'tusooa/fix-object-test' into 'develop' 2023-05-26 19:24:08 +02:00
gentoo_otp.skip changelog.d/gentoo_otp.skip: Doc-only MR 2023-06-13 16:05:37 +02:00
gentoo_otp_hotfix.skip docs: Fix broken links 2023-07-04 04:23:48 +02:00
handle-report-from-deactivated-user.fix Fix handling report from a deactivated user 2023-07-02 11:15:34 -04:00
media-altdomain.skip Add changelog 2023-05-26 17:28:41 -04:00
no_new_privs.add Add no_new_privs to OpenRC service files 2023-06-13 12:47:02 +02:00
pipeline-triggers.skip CI: Use CI_JOB_TOKEN for cross-repo pipeline triggers 2023-07-04 03:25:37 +02:00
prevent-bypassing-authorized-fetch-mode.fix Add changelog entry 2023-06-21 23:13:16 -06:00
testfix-system-config-use.skip release_runtime_provider_test: Explicitely use non-existant config file 2023-06-27 00:20:29 +02:00
update-credentials-limit-error.fix Show more informative errors when profile exceeds char limits 2023-05-25 08:22:33 -04:00