Merge branch 'fix/mediaproxy-bypass-emoji' into 'develop'

Fix profile emojis bypassing mediaproxy and harden CSP Closes #1810 See merge request pleroma/pleroma!2596
2020-05-29 09:46:31 +00:00 · 2020-05-29 09:46:31 +00:00 · 396bc69aee
commit 396bc69aee
parent 1d30608e20 27180611df
5 changed files with 106 additions and 43 deletions
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@ -182,12 +182,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
    bot = user.actor_type in ["Application", "Service"]

    emojis =
-      Enum.map(user.emoji, fn {shortcode, url} ->
+      Enum.map(user.emoji, fn {shortcode, raw_url} ->
+        url = MediaProxy.url(raw_url)
+
        %{
-          "shortcode" => shortcode,
-          "url" => url,
-          "static_url" => url,
-          "visible_in_picker" => false
+          shortcode: shortcode,
+          url: url,
+          static_url: url,
+          visible_in_picker: false
        }
      end)