forked from AkkomaGang/akkoma
Merge 2024.03 stable with security fixes #11
fedward
commented 2024-03-30 16:27:26 +00:00
Owner
No description provided.
fedward
added 48 commits 2024-03-30 16:27:27 +00:00
5d467af6c5
Update notes on security exploit handling
dbb6091d01
Import copy of Plug.Static from Plug 1.15.3
7ef93c0b6d
Add set_content_type to Plug.StaticNoCT
f7c9793542
Sanitise Content-Type of uploads
bdefbb8fd9
plug/upload_media: query config only once on init
fef773ca35
Drop media base_url default and recommend different domain
0ec62acb9d
Always insert Dedupe upload filter
ba558c0c24
Limit instance emoji to image types
e88d0a2853
Fix Content-Type of our schema
bcc528b2e2
Never automatically assign privileged content types
11ae8344eb
Sanitise Content-Type of media proxy URLs
fc36b04016
Drop media proxy same-domain default for base_url
fb54c47f0b
Update example nginx config
af041db6dc
Limit emoji stealer to alphanum, dash, or underscore characters
111cdb0d86
Split steal_emoji function for better readability
a8c6c780b4
StealEmoji: use Content-Type and reject non-images
5b126567bb
StealEmoji: drop superfluous basename
fa98b44acf
Fill out path for newly created packs
d1c4d07404
Convert StealEmoji to pack.json
ee5ce87825
test: use pack functions to check for emoji
a4fa2ec9af
StealEmoji: make final paths infeasible to predict
d1ce5fd911
test/steal_emoji: reduce code duplication with mock macro
6d003e1acd
test/steal_emoji: consolidate configuration setup
d6d838cbe8
StealEmoji: check remote size before downloading
ddd79ff22d
Proactively harden emoji pack against path traversal
c806adbfdb
Refactor Fetcher.get_object for readability
93ab6a018e
mix: fix docs task
2bcf633dc2
Document Pleroma.Object.Fetcher
baaeffdebc
Update spoofed activity test
c4cf4d7f0b
Reject cross-domain redirects when fetching AP objects
fee57eb376
Move actor check into fetch_and_contain_remote_object_from_id
59a142e0b0
Never fetch resource from ourselves
f07eb4cb55
Sanity check fetched user data
3e134b07fa
fetcher: return final URL after redirects from get_object
9061d148be
Ensure object id doesn’t change on refetch
48b3a35793
Update user reference after fetch
8684964c5d
Only allow exact id matches
61ec592d66
Drop obsolete pixelfed workaround
31f90bbb52
Register APNG MIME type
d441101200
Add mix task to detect uploaded spoof payloads
0648d9ebaa
Add mix tasks to detect spoofed posts and users
ee7d98b093
Update Changelog
3650bb0370
Changelog entry
14515d8d4a
Merge branch 'develop' into stable
087d88f787
bump version
11c305b64b
Merge branch 'develop' into stable
2d439034ca
Ensure that spoof-inserted does not time out
d71d52302c
Merge branch 'develop' into stable
fedward
merged commit 71fb74d4bb into stable 2024-03-30 16:27:36 +00:00
fedward
referenced this issue from a commit 2024-03-30 16:27:36 +00:00
Merge pull request 'Merge 2024.03 stable with security fixes' (#11) from AkkomaGang/akkoma:stable into stable