forked from AkkomaGang/akkoma
Merge 2024.03 stable with security fixes #11
1 changed files with 21 additions and 1 deletions
22
CHANGELOG.md
22
CHANGELOG.md
|
@ -7,17 +7,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
## Unreleased
|
||||
|
||||
## Added
|
||||
- CLI tasks best-effort checking for past abuse of the recent spoofing exploit
|
||||
- new `:mrf_steal_emoji, :download_unknown_size` option; defaults to `false`
|
||||
|
||||
## Changed
|
||||
- `Pleroma.Upload, :base_url` now MUST be configured explicitly;
|
||||
- `Pleroma.Upload, :base_url` now MUST be configured explicitly if used;
|
||||
use of the same domain as the instance is **strongly** discouraged
|
||||
- `:media_proxy, :base_url` now MUST be configured explicitly if used;
|
||||
use of the same domain as the instance is **strongly** discouraged
|
||||
- StealEmoji:
|
||||
- now uses the pack.json format;
|
||||
existing users must migrate with an out-of-band script (check release notes)
|
||||
- only steals shortcodes recognised as valid
|
||||
- URLs of stolen emoji is no longer predictable
|
||||
- The `Dedupe` upload filter is now always active;
|
||||
`AnonymizeFilenames` is again opt-in
|
||||
- received AP data is sanity checked before we attempt to parse it as a user
|
||||
- Uploads, emoji and media proxy now restrict Content-Type headers to a safe subset
|
||||
- Akkoma will no longer fetch and parse objects hosted on the same domain
|
||||
|
||||
## Fixed
|
||||
- Critical security issue allowing Akkoma to be used as a vector for
|
||||
(depending on configuration) impersonation of other users or creation
|
||||
of bogus users and posts on the upload domain
|
||||
- Critical security issue letting Akkoma fall for the above impersonation
|
||||
payloads due to lack of strict id checking
|
||||
- Critical security issue allowing domains redirect to to pose as the initial domain
|
||||
(e.g. with media proxy's fallback redirects)
|
||||
- refetched objects can no longer attribute themselves to third-party actors
|
||||
(this had no externally visible effect since actor info is read from the Create activity)
|
||||
- our litepub JSON-LD schema is now served with the correct content type
|
||||
- remote APNG attachments are now recognised as images
|
||||
|
||||
## 2024.02
|
||||
|
||||
|
|
Loading…
Reference in a new issue