Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge develop 2023-08-08 #197

Merged
merged 22 commits into from
Aug 8, 2023
Merged

Merge develop 2023-08-08 #197

merged 22 commits into from
Aug 8, 2023

Conversation

kphrx
Copy link
Owner

@kphrx kphrx commented Aug 8, 2023

No description provided.

tusooa and others added 22 commits July 18, 2023 18:39
Restrict attachments to only uploaded files only
ea4225a
@faried
status context: perform visibility check on activities around a status
dc4de79 
issue #2927
@faried
cleaner ecto query to handle restrict_unauthenticated for activities
e5e76ec 
This fix is for this case:

  config :pleroma, :restrict_unauthenticated,
    activities: %{local: true, remote: true}
@faried
add changelog entry
11ce81d
Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop'
b08cbe7 
/api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2

See merge request pleroma/pleroma!3801
Merge branch 'tusooa/3154-attachment-type-check' into 'develop'
819fccb 
Restrict attachments to only uploaded files only

Closes #3154

See merge request pleroma/pleroma!3923
@feld @lanodan
Resolve information disclosure vulnerability through emoji pack archi…
2c79509 
…ve download endpoint

The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
@lanodan
Config: Restrict permissions of OTP config file
8cc8100
@lanodan
instance gen: Reduce permissions of pleroma directories and config files
69caedc
@lanodan
changelog: Entry for config permissions restrictions
9f0ad90 
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135
@lanodan
release_runtime_provider_test: chmod config for hardened permissions
65ef8f1 
Git doesn't manages file permissions precisely enough for us.
@lanodan
Release 2.5.53
6a0fd77
Merge branch 'mergeback/2.5.3' into 'develop'
1062185 
Mergeback: 2.5.3

Closes #3135

See merge request pleroma/pleroma!3927
@lanodan
gentoo_otp_en.md: Indicate which install method it covers
0e32169
@feld
Prevent XML parser from loading external entities
ca0859b
@FloatingGhost @lanodan
Add unit test for external entity loading
307692c
@feld @lanodan
Document and test that XXE processing is disabled
6d48b0f 
https://vuln.be/post/xxe-in-erlang-and-elixir/
@lanodan
Mergeback release 2.5.4
4099ddb
Merge branch 'mergeback/2.5.4' into 'develop'
d0f7a5c 
Mergeback: 2.5.4

See merge request pleroma/pleroma!3930
Merge branch 'docs/gentoo-otp-intro' into 'develop'
17c336d 
gentoo_otp_en.md: Indicate which install method it covers

See merge request pleroma/pleroma!3928
@MaeIsBad
Completely disable xml entity resolution
48b1e9b
Merge branch 'disable-xml-entities-completely' into 'develop'
4e355b8 
Completely disable xml entity resolution

See merge request pleroma/pleroma!3932
@kphrx kphrx merged commit 6c57967 into pl.kpherox.dev Aug 8, 2023
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@kphrx @faried @feld @lanodan @FloatingGhost @MaeIsBad