sliver/akkoma
1
0
Fork 0
forked from AkkomaGang/akkoma
Code Pull requests Projects Activity

ForForkMerge #2

Merged
sliver merged 185 commits from ForForkMerge into stable 2024-03-31 06:59:36 +00:00
Conversation 0 Commits 185 Files changed 196 +45 -3
4 changed files with 45 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit f7c9793542 - Show all commits

11
CHANGELOG.md
View file

@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
## Added
## Changed
## Fixed
- Critical security issue allowing Akkoma to be used as a vector for
(depending on configuration) impersonation of other users or creation
of bogus users and posts on the upload domain
## 2024.02 ## 2024.02
## Added ## Added

3
config/config.exs
View file

@ -65,7 +65,8 @@
link_name: false, link_name: false,
proxy_remote: false, proxy_remote: false,
filename_display_max_length: 30, filename_display_max_length: 30,
base_url: nil base_url: nil,
allowed_mime_types: ["image", "audio", "video"]
config :pleroma, Pleroma.Uploaders.Local, uploads: "uploads" config :pleroma, Pleroma.Uploaders.Local, uploads: "uploads"

13
config/description.exs
View file

@ -105,6 +105,19 @@
"https://cdn-host.com" "https://cdn-host.com"
] ]
}, },
%{
key: :allowed_mime_types,
label: "Allowed MIME types",
type: {:list, :string},
description:
"List of MIME (main) types uploads are allowed to identify themselves with. Other types may still be uploaded, but will identify as a generic binary to clients. WARNING: Loosening this over the defaults can lead to security issues. Removing types is safe, but only add to the list if you are sure you know what you are doing.",
suggestions: [
"image",
"audio",
"video",
"font"
]
},
%{ %{
key: :proxy_remote, key: :proxy_remote,
type: :boolean, type: :boolean,

21
lib/pleroma/web/plugs/uploaded_media.ex
View file

@ -28,7 +28,9 @@ def init(_opts) do
|> Keyword.put(:at, "/__unconfigured_media_plug") |> Keyword.put(:at, "/__unconfigured_media_plug")
|> Plug.Static.init() |> Plug.Static.init()
%{static_plug_opts: static_plug_opts} allowed_mime_types = Pleroma.Config.get([Pleroma.Upload, :allowed_mime_types])
%{static_plug_opts: static_plug_opts, allowed_mime_types: allowed_mime_types}
end end
def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do def call(%{request_path: <<"/", @path, "/", file::binary>>} = conn, opts) do
@ -68,13 +70,28 @@ defp media_is_banned(_, {:url, url}), do: MediaProxy.in_banned_urls(url)
defp media_is_banned(_, _), do: false defp media_is_banned(_, _), do: false
defp get_safe_mime_type(%{allowed_mime_types: allowed_mime_types} = _opts, mime) do
[maintype | _] = String.split(mime, "/", parts: 2)
if maintype in allowed_mime_types, do: mime, else: "application/octet-stream"
end
defp set_content_type(conn, opts, filepath) do
real_mime = MIME.from_path(filepath)
clean_mime = get_safe_mime_type(opts, real_mime)
put_resp_header(conn, "content-type", clean_mime)
end
defp get_media(conn, {:static_dir, directory}, opts) do defp get_media(conn, {:static_dir, directory}, opts) do
static_opts = static_opts =
Map.get(opts, :static_plug_opts) Map.get(opts, :static_plug_opts)
|> Map.put(:at, [@path]) |> Map.put(:at, [@path])
|> Map.put(:from, directory) |> Map.put(:from, directory)
|> Map.put(:set_content_type, false)
conn = Plug.Static.call(conn, static_opts) conn =
conn
|> set_content_type(opts, conn.request_path)
|> Pleroma.Web.Plugs.StaticNoCT.call(static_opts)
if conn.halted do if conn.halted do
conn conn