Merge develop 2023-08-08 #197

Merged
merged 22 commits into from
Aug 8, 2023

Commits on Jul 18, 2023

  1. ea4225a

Commits on Jul 28, 2023

  1. dc4de79
  2. cleaner ecto query to handle restrict_unauthenticated for activities

    This fix is for this case:
    
      config :pleroma, :restrict_unauthenticated,
        activities: %{local: true, remote: true}
    faried committed Jul 28, 2023
    e5e76ec
  3. add changelog entry

    faried committed Jul 28, 2023
    11ce81d
  4. Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop'

    /api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2
    
    See merge request pleroma/pleroma!3801
    tusooa committed Jul 28, 2023
    b08cbe7

Commits on Aug 3, 2023

  1. Merge branch 'tusooa/3154-attachment-type-check' into 'develop'

    Restrict attachments to uploaded files only
    
    Closes #3154
    
    See merge request pleroma/pleroma!3923
    Haelwenn committed Aug 3, 2023
    819fccb

Commits on Aug 4, 2023

  1. Resolve information disclosure vulnerability through emoji pack archive download endpoint
    
    The pack name has been sanitized so an attacker cannot upload a media
    file called pack.json with their own handcrafted list of emoji files as
    arbitrary files on the filesystem and then call the emoji pack archive
    download endpoint with a pack name crafted to the location of the media
    file they uploaded which tricks Pleroma into generating a zip file of
    the target files the attacker wants to download.
    
    The attack only works if the Pleroma instance does not have the
    AnonymizeFilename upload filter enabled, which is currently the default.
    
    Reported by: graf@poast.org
    feld authored and lanodan committed Aug 4, 2023
    2c79509
  2. 8cc8100
  3. 69caedc
  4. 9f0ad90
  5. release_runtime_provider_test: chmod config for hardened permissions

    Git doesn't manage file permissions precisely enough for us.
    lanodan committed Aug 4, 2023
    65ef8f1
  6. Release 2.5.53

    lanodan committed Aug 4, 2023
    6a0fd77
  7. Merge branch 'mergeback/2.5.3' into 'develop'

    Mergeback: 2.5.3
    
    Closes #3135
    
    See merge request pleroma/pleroma!3927
    Haelwenn committed Aug 4, 2023
    1062185
  8. 0e32169

Commits on Aug 5, 2023

  1. Prevent XML parser from loading external entities

    Mae authored and feld committed Aug 5, 2023
    ca0859b
  2. 307692c
  3. 6d48b0f
  4. Mergeback release 2.5.4

    lanodan committed Aug 5, 2023
    4099ddb
  5. Merge branch 'mergeback/2.5.4' into 'develop'

    Mergeback: 2.5.4
    
    See merge request pleroma/pleroma!3930
    Haelwenn committed Aug 5, 2023
    d0f7a5c
  6. Merge branch 'docs/gentoo-otp-intro' into 'develop'

    gentoo_otp_en.md: Indicate which install method it covers
    
    See merge request pleroma/pleroma!3928
    Haelwenn committed Aug 5, 2023
    Configuration menu
    Copy the full SHA
    17c336d View commit details
    Browse the repository at this point in the history
  7. Configuration menu
    Copy the full SHA
    48b1e9b View commit details
    Browse the repository at this point in the history

Commits on Aug 6, 2023

  1. Merge branch 'disable-xml-entities-completely' into 'develop'

    Completely disable xml entity resolution
    
    See merge request pleroma/pleroma!3932
    Haelwenn committed Aug 6, 2023
    4e355b8