Merge branch 'fix/2087-metadata' into 'develop'
Fix/2087 metadata See merge request pleroma/secteam/pleroma!11
parent
74d46a1b09
commit
13e606941c
9 changed files with 78 additions and 8 deletions
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -5,6 +5,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
|
||||
## unreleased-patch - ???
|
||||
|
||||
### Security
|
||||
- Fix metadata leak for accounts and statuses on private instances
|
||||
|
||||
### Changed
|
||||
|
||||
- **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a <link> header tag for the actual RSS/Atom feed when the instance is public.
|
||||
|
||||
### Added
|
||||
|
||||
- Rich media failure tracking (along with `:failure_backoff` option)
|
||||
|
||||
### Fixed
|
||||
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
|
||||
|
||||
|
|
|
@ -453,9 +453,7 @@
|
|||
config :pleroma, Pleroma.Web.Metadata,
|
||||
providers: [
|
||||
Pleroma.Web.Metadata.Providers.OpenGraph,
|
||||
Pleroma.Web.Metadata.Providers.TwitterCard,
|
||||
Pleroma.Web.Metadata.Providers.RelMe,
|
||||
Pleroma.Web.Metadata.Providers.Feed
|
||||
Pleroma.Web.Metadata.Providers.TwitterCard
|
||||
],
|
||||
unfurl_nsfw: false
|
||||
|
||||
|
|
|
@ -352,8 +352,6 @@ config :pleroma, Pleroma.Web.MediaProxy.Invalidation.Http,
|
|||
* `providers`: a list of metadata providers to enable. Providers available:
|
||||
* `Pleroma.Web.Metadata.Providers.OpenGraph`
|
||||
* `Pleroma.Web.Metadata.Providers.TwitterCard`
|
||||
* `Pleroma.Web.Metadata.Providers.RelMe` - add links from user bio with rel=me into the `<header>` as `<link rel=me>`.
|
||||
* `Pleroma.Web.Metadata.Providers.Feed` - add a link to a user's Atom feed into the `<header>` as `<link rel=alternate>`.
|
||||
* `unfurl_nsfw`: If set to `true` nsfw attachments will be shown in previews.
|
||||
|
||||
### :rich_media (consumer)
|
||||
|
|
|
@ -9,7 +9,15 @@ defmodule Pleroma.Web.Feed.TagController do
|
|||
alias Pleroma.Web.ActivityPub.ActivityPub
|
||||
alias Pleroma.Web.Feed.FeedView
|
||||
|
||||
def feed(conn, %{"tag" => raw_tag} = params) do
|
||||
def feed(conn, params) do
|
||||
unless Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do
|
||||
render_feed(conn, params)
|
||||
else
|
||||
render_error(conn, :not_found, "Not found")
|
||||
end
|
||||
end
|
||||
|
||||
def render_feed(conn, %{"tag" => raw_tag} = params) do
|
||||
{format, tag} = parse_tag(raw_tag)
|
||||
|
||||
activities =
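Review bot: `render_feed/2` is introduced as a public `def` beside the gated `feed/2`, so the access check exists only in the one action that is routed today; declaring it `defp render_feed(conn, %{"tag" => raw_tag} = params)` keeps the ungated body from being wired to a route or called from another module later. The gate itself reads more directly as `if Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do render_error(conn, :not_found, "Not found") else render_feed(conn, params) end` than as `unless … else`. The same two remarks apply to the `feed/2` / `render_feed/2` pair in the user feed controller hunk. The body of `render_feed/2` continues outside this hunk.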
|
||||
|
|
|
@ -37,7 +37,15 @@ def feed_redirect(conn, %{"nickname" => nickname}) do
|
|||
end
|
||||
end
|
||||
|
||||
def feed(conn, %{"nickname" => nickname} = params) do
|
||||
def feed(conn, params) do
|
||||
unless Pleroma.Config.restrict_unauthenticated_access?(:profiles, :local) do
|
||||
render_feed(conn, params)
|
||||
else
|
||||
errors(conn, {:error, :not_found})
|
||||
end
|
||||
end
|
||||
|
||||
def render_feed(conn, %{"nickname" => nickname} = params) do
|
||||
format = get_format(conn)
|
||||
|
||||
format =
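Review bot: The user feed is gated on `restrict_unauthenticated_access?(:profiles, :local)`, while the tag feed and `activated_providers/0` in this same commit gate on `(:activities, :local)`. If this feed renders the user's statuses, as the new test that posts a status before requesting it suggests, an instance that restricts local activities but leaves profiles open would still serve them here. Checking both keys would close that gap: `if Pleroma.Config.restrict_unauthenticated_access?(:profiles, :local) or Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do`. `feed_redirect/2`, named in the hunk header, is not touched by the visible lines, and whether it needs the same check cannot be told from here; the body of `render_feed/2` also continues outside the hunk.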
|
||||
|
|
|
@ -7,8 +7,9 @@ defmodule Pleroma.Web.Metadata do
|
|||
|
||||
def build_tags(params) do
|
||||
providers = [
|
||||
Pleroma.Web.Metadata.Providers.RelMe,
|
||||
Pleroma.Web.Metadata.Providers.RestrictIndexing
|
||||
| Pleroma.Config.get([__MODULE__, :providers], [])
|
||||
| activated_providers()
|
||||
]
|
||||
|
||||
Enum.reduce(providers, "", fn parser, acc ->
|
||||
|
@ -42,4 +43,12 @@ def activity_nsfw?(%{data: %{"sensitive" => sensitive}}) do
|
|||
def activity_nsfw?(_) do
|
||||
false
|
||||
end
|
||||
|
||||
defp activated_providers do
|
||||
unless Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do
|
||||
[Pleroma.Web.Metadata.Providers.Feed | Pleroma.Config.get([__MODULE__, :providers], [])]
|
||||
else
|
||||
[]
|
||||
end
|
||||
end
|
||||
end
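Review bot: `Pleroma.Web.Metadata.Providers.RelMe` is now prepended unconditionally in `build_tags/1`, outside the `activated_providers/0` gate, so on a restricted instance the `rel=me` links taken from a user's bio (as the documentation hunk describes the provider) would still be rendered for unauthenticated visitors. The new "no metadata for private instances" test passes with a bio that contains no link, so it does not cover that path; either move `RelMe` behind the same check or add a case whose bio carries a `rel="me"` link to pin the intended behaviour. Separately, `activated_providers/0` keys on `(:activities, :local)` although `build_tags/1` is also called with `%{user: user}`, so profile metadata follows the activities setting rather than `(:profiles, :local)`. A comment above `activated_providers/0` such as `# Returns [] when unauthenticated access to local activities is restricted, so no configured provider runs` would make the empty branch self-explanatory.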
|
||||
|
|
|
@ -181,4 +181,17 @@ test "gets a feed (RSS)", %{conn: conn} do
|
|||
'yeah #PleromaArt'
|
||||
]
|
||||
end
|
||||
|
||||
describe "private instance" do
|
||||
setup do: clear_config([:instance, :public])
|
||||
|
||||
test "returns 404 for tags feed", %{conn: conn} do
|
||||
Config.put([:instance, :public], false)
|
||||
|
||||
conn
|
||||
|> put_req_header("accept", "application/rss+xml")
|
||||
|> get(tag_feed_path(conn, :feed, "pleromaart"))
|
||||
|> response(404)
|
||||
end
|
||||
end
|
||||
end
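Review bot: This test and the "returns 404 for user feed" test flip only `[:instance, :public]`, so they reach the gate through whatever default ties `restrict_unauthenticated_access?/2` to that flag (presumably; the helper is not shown in this commit). A case that leaves the instance public and sets `[:restrict_unauthenticated, :activities, :local]` to `true` directly would pin the check the controller actually calls, and the user feed test would do the same with `:profiles`. The pipeline here also omits the `assert` that the user feed test places before `conn`; `response(404)` raises on a mismatch either way, but writing `assert conn |> …` keeps the two tests consistent.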
|
||||
|
|
|
@ -246,4 +246,20 @@ test "with non-html / non-json format, it returns error when user is not found",
|
|||
assert response == ~S({"error":"Not found"})
|
||||
end
|
||||
end
|
||||
|
||||
describe "private instance" do
|
||||
setup do: clear_config([:instance, :public])
|
||||
|
||||
test "returns 404 for user feed", %{conn: conn} do
|
||||
Config.put([:instance, :public], false)
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, _} = CommonAPI.post(user, %{status: "test"})
|
||||
|
||||
assert conn
|
||||
|> put_req_header("accept", "application/atom+xml")
|
||||
|> get(user_feed_path(conn, :feed, user.nickname))
|
||||
|> response(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -22,4 +22,13 @@ test "for local user" do
|
|||
"<meta content=\"noindex, noarchive\" name=\"robots\">"
|
||||
end
|
||||
end
|
||||
|
||||
describe "no metadata for private instances" do
|
||||
test "for local user" do
|
||||
clear_config([:instance, :public], false)
|
||||
user = insert(:user, bio: "This is my secret fedi account bio")
|
||||
|
||||
assert "" = Pleroma.Web.Metadata.build_tags(%{user: user})
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|