Henry Jameson
303db126a8
Merge remote-tracking branch 'origin/tusooa/quote' into shigusegubu
2023-09-04 19:34:06 +03:00
Mint
1afde067b1
CommonAPI: Prevent users from accessing media of other users
2023-09-03 10:41:37 +02:00
tusooa
c525496e75
Merge branch 'develop' into 'tusooa/quote'
# Conflicts:
# lib/pleroma/constants.ex
2023-08-31 00:35:37 +00:00
mae
48b1e9bdc7
Completely disable xml entity resolution
2023-08-05 14:17:04 +02:00
FloatingGhost
307692cee8
Add unit test for external entity loading
2023-08-05 08:14:27 +02:00
Haelwenn (lanodan) Monnier
65ef8f19c5
release_runtime_provider_test: chmod config for hardened permissions
Git doesn't manage file permissions precisely enough for us.
2023-08-04 09:50:28 +02:00
Mark Felder
2c79509453
Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.
The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.
Reported by: graf@poast.org
2023-08-04 08:40:27 +02:00
Haelwenn
819fccb7d1
Merge branch 'tusooa/3154-attachment-type-check' into 'develop'
Restrict attachments to only uploaded files
Closes #3154
See merge request pleroma/pleroma!3923
2023-08-03 10:01:32 +00:00
faried nawaz
dc4de79d43
status context: perform visibility check on activities around a status
issue #2927
2023-07-28 18:45:59 +05:00
tusooa
ea4225a646
Restrict attachments to only uploaded files
2023-07-18 18:39:59 -04:00
tusooa
bffa258a23
Fix quote_visible attribute
2023-07-13 06:56:06 -04:00
tusooa
2436c9d61d
Expose quote_id parameter on the api
2023-07-13 06:56:06 -04:00
tusooa
5ebabcd582
Do not mention original poster when quoting
2023-07-13 06:56:00 -04:00
tusooa
fca6a7933e
Fix TransmogrifierTest
2023-07-12 14:58:20 -04:00
tusooa
05beada21b
Add mrf to force link tag of quoting posts
2023-07-12 14:30:58 -04:00
tusooa
f8b01788eb
Keep incoming Link tag
2023-07-12 14:08:24 -04:00
tusooa
8f252fd99b
Parse object link as quoteUrl
2023-07-12 11:09:10 -04:00
tusooa
2c70857f9f
Allow more flexibility in InlineQuotePolicy
2023-07-12 09:30:43 -04:00
tusooa
26b499eca0
Fix CommonAPITest
2023-07-10 19:43:18 -04:00
tusooa
3bb384d378
Allow local quote and private self-quote
2023-07-10 18:27:23 -04:00
Alex Gleason
52c81cdf68
InlineQuotePolicy: skip objects which already have an .inline-quote span
2023-07-10 17:52:10 -04:00
Alex Gleason
34cf4222c1
Actually, don't send _misskey_quote anymore
2023-07-10 17:52:10 -04:00
Alex Gleason
5df951f670
InlineQuotePolicy: improve the way Markdown quotes are displayed by other software
2023-07-10 17:52:10 -04:00
Alex Gleason
32e284ed2c
Handle Fedibird's new quoteUri field
2023-07-10 17:52:10 -04:00
Alex Gleason
f89874596e
Transmogrifier: federate quotes with _misskey_quote field
2023-07-10 17:52:10 -04:00
Alex Gleason
f8b420932e
StatusView: return quote post inside a reblog
2023-07-10 17:52:10 -04:00
Alex Gleason
63f8c33353
InlineQuotePolicy: don't add line breaks to markdown posts
2023-07-10 17:52:10 -04:00
Alex Gleason
029a1045d4
StatusView: add quote_visible param
2023-07-10 17:52:09 -04:00
Alex Gleason
14a26e4433
StatusView: fix quote visibility
2023-07-10 17:52:09 -04:00
Alex Gleason
6d26ce54c4
CommonAPI: disallow quoting private posts through the API
2023-07-10 17:52:09 -04:00
Alex Gleason
1a6ab18ebc
Add InlineQuotePolicy to force quote URLs inline
2023-07-10 17:52:07 -04:00
Alex Gleason
a3b7c1da4f
ActivityDraft: mix format, defensive actor ID
2023-07-10 17:49:42 -04:00
Alex Gleason
cca63d707d
ActivityDraft: mention the OP of a quoted post
2023-07-10 17:49:42 -04:00
Alex Gleason
4bcdf0cf4f
Return quote_url through the API, don't render quotes more than 1 level deep
2023-07-10 17:49:42 -04:00
Alex Gleason
72a0236c9a
Fix typos
2023-07-10 17:49:42 -04:00
Alex Gleason
efd6d40a40
TransmogrifierTest: prepare an outgoing quote post
2023-07-10 17:49:42 -04:00
Alex Gleason
b9c10c61b7
StatusControllerTest: test creating a quote post
2023-07-10 17:49:41 -04:00
Alex Gleason
bc2ffd0c16
BuilderTest: build quote post
2023-07-10 17:49:41 -04:00
Alex Gleason
a938a96ae8
ActivityDraft: allow quoting
2023-07-10 17:49:41 -04:00
Alex Gleason
f95cad4603
StatusView: render the whole quoted status
2023-07-10 17:49:41 -04:00
Alex Gleason
f01e2d0902
Transmogrifier: fetch quoted post
2023-07-10 17:49:39 -04:00
Alex Gleason
2c17d29c4b
ObjectValidators: improve quoteUrl compatibility
2023-07-10 17:49:06 -04:00
Alex Gleason
4c90f39e14
Quote post: add fixtures
2023-07-10 17:49:06 -04:00
tusooa
1459d64508
Make regex-to-string descriptor reusable
2023-07-07 07:09:35 -04:00
tusooa
ba3aa4f86d
Fix edge cases
2023-07-07 06:58:32 -04:00
tusooa
d670dbdbd3
Test that unicode emoji reactions are not affected
2023-07-07 06:58:32 -04:00
tusooa
ef8a6c539a
Make EmojiPolicy aware of custom emoji reactions
2023-07-07 06:58:31 -04:00
tusooa
7eb8abf7bb
EmojiPolicy: Implement delist
2023-07-07 06:58:31 -04:00
tusooa
80ce6482f6
EmojiPolicy: implement remove by shortcode
2023-07-07 06:58:31 -04:00
tusooa
28ff828caa
Add emoji policy to remove emojis matching certain urls
https://git.pleroma.social/pleroma/pleroma/-/issues/2775
2023-07-07 06:58:22 -04:00