hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
15363 commits 1 branch 0 tags 218 MiB
Commit graph

9137 commits

Author SHA1 Message Date
Alex Gleason
795736af16
ObjectValidators: improve quoteUrl compatibility 2023-09-13 19:19:03 -04:00
Alex Gleason
31eb3dc245
ObjectValidators: accept "quoteUrl" field 2023-09-13 19:19:02 -04:00
Henry Jameson
303db126a8 Merge remote-tracking branch 'origin/tusooa/quote' into shigusegubu 2023-09-04 19:34:06 +03:00
Mint
1afde067b1 CommonAPI: Prevent users from accessing media of other users 2023-09-03 10:41:37 +02:00
tusooa
3d09bc320e
Make lint happy 2023-08-30 20:36:52 -04:00
tusooa
c525496e75 Merge branch 'develop' into 'tusooa/quote' 
# Conflicts:
#   lib/pleroma/constants.ex
 2023-08-31 00:35:37 +00:00
Haelwenn
1e685c8302 Merge branch 'csp-flash' into 'develop' 
allow https: so that flash works across instances without need for media proxy

See merge request pleroma/pleroma!3879
 2023-08-16 13:37:49 +00:00
Haelwenn
d838d1990b Apply lanodan's suggestion(s) to 1 file(s) 2023-08-16 13:34:32 +00:00
mae
48b1e9bdc7 Completely disable xml entity resolution 2023-08-05 14:17:04 +02:00
Mae
ca0859b90f Prevent XML parser from loading external entities 2023-08-04 22:35:13 -04:00
Haelwenn (lanodan) Monnier
69caedc591 instance gen: Reduce permissions of pleroma directories and config files 2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier
8cc8100120 Config: Restrict permissions of OTP config file 2023-08-04 09:50:28 +02:00
Mark Felder
2c79509453 Resolve information disclosure vulnerability through emoji pack archive download endpoint 
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
 2023-08-04 08:40:27 +02:00
Haelwenn
819fccb7d1 Merge branch 'tusooa/3154-attachment-type-check' into 'develop' 
Restrict attachments to only uploaded files only

Closes #3154

See merge request pleroma/pleroma!3923
 2023-08-03 10:01:32 +00:00
Faried Nawaz
e5e76ec445 cleaner ecto query to handle restrict_unauthenticated for activities 
This fix is for this case:

  config :pleroma, :restrict_unauthenticated,
    activities: %{local: true, remote: true}
 2023-07-28 18:45:59 +05:00
faried nawaz
dc4de79d43 status context: perform visibility check on activities around a status 
issue #2927
 2023-07-28 18:45:59 +05:00
tusooa
ea4225a646
Restrict attachments to only uploaded files only 2023-07-18 18:39:59 -04:00
Haelwenn
93ad16cca0 Merge branch '2023-06-deps-update' into 'develop' 
2023-06 deps update + de-override plug

See merge request pleroma/pleroma!3911
 2023-07-17 20:37:47 +00:00
tusooa
bffa258a23
Fix quote_visible attribute 2023-07-13 06:56:06 -04:00
tusooa
2436c9d61d
Expose quote_id parameter on the api 2023-07-13 06:56:06 -04:00
tusooa
5ebabcd582
Do not mention original poster when quoting 2023-07-13 06:56:00 -04:00
tusooa
44eb648179
Fix config descriptions for mrf inline quote 2023-07-12 22:07:51 -04:00
tusooa
01eafc0372
Make InlineQuotePolicy history aware 2023-07-12 14:37:12 -04:00
tusooa
05beada21b
Add mrf to force link tag of quoting posts 2023-07-12 14:30:58 -04:00
tusooa
f8b01788eb
Keep incoming Link tag 2023-07-12 14:08:24 -04:00
tusooa
8f252fd99b
Parse object link as quoteUrl 2023-07-12 11:09:10 -04:00
tusooa
2c70857f9f
Allow more flexibility in InlineQuotePolicy 2023-07-12 09:30:43 -04:00
tusooa
3bb384d378
Allow local quote and private self-quote 2023-07-10 18:27:23 -04:00
tusooa
44cea92fbc
Unify logic for normalizing quoteUri 2023-07-10 18:14:14 -04:00
Alex Gleason
52c81cdf68
InlineQuotePolicy: skip objects which already have an .inline-quote span 2023-07-10 17:52:10 -04:00
Alex Gleason
34cf4222c1
Actually, don't send _misskey_quote anymore 2023-07-10 17:52:10 -04:00
Alex Gleason
5df951f670
InlineQuotePolicy: improve the way Markdown quotes are displayed by other software 2023-07-10 17:52:10 -04:00
Alex Gleason
32e284ed2c
Handle Fedibird's new quoteUri field 2023-07-10 17:52:10 -04:00
Alex Gleason
f89874596e
Transmogrifier: federate quotes with _misskey_quote field 2023-07-10 17:52:10 -04:00
Alex Gleason
f8b420932e
StatusView: return quote post inside a reblog 2023-07-10 17:52:10 -04:00
Alex Gleason
63f8c33353
InlineQuotePolicy: don't add line breaks to markdown posts 2023-07-10 17:52:10 -04:00
Alex Gleason
029a1045d4
StatusView: add quote_visible param 2023-07-10 17:52:09 -04:00
Alex Gleason
14a26e4433
StatusView: fix quote visibility 2023-07-10 17:52:09 -04:00
Alex Gleason
6d26ce54c4
CommonAPI: disallow quoting private posts through the API 2023-07-10 17:52:09 -04:00
Alex Gleason
1a6ab18ebc
Add InlineQuotePolicy to force quote URLs inline 2023-07-10 17:52:07 -04:00
Alex Gleason
a3b7c1da4f
ActivityDraft: mix format, defensive actor ID 2023-07-10 17:49:42 -04:00
Alex Gleason
cca63d707d
ActivityDraft: mention the OP of a quoted post 2023-07-10 17:49:42 -04:00
Alex Gleason
4bcdf0cf4f
Return quote_url through the API, don't render quotes more than 1 level deep 2023-07-10 17:49:42 -04:00
Alex Gleason
e47c6a2445
InstanceView: add "quote_posting" feature 2023-07-10 17:49:42 -04:00
Alex Gleason
57e4e43042
mix format 2023-07-10 17:49:42 -04:00
Alex Gleason
a938a96ae8
ActivityDraft: allow quoting 2023-07-10 17:49:41 -04:00
Alex Gleason
fe5b8cbe05
ActivityDraft: create quote posts 2023-07-10 17:49:41 -04:00
Alex Gleason
f95cad4603
StatusView: render the whole quoted status 2023-07-10 17:49:41 -04:00
Alex Gleason
d10408558e
StatusView: show quoted posts through the API, probably 2023-07-10 17:49:41 -04:00
Alex Gleason
5fdf4d1b1c
Transmogrifier: fix quoteUrl here too 2023-07-10 17:49:41 -04:00