pleroma

hj/pleroma

Author	SHA1	Message	Date
Haelwenn (lanodan) Monnier	0e321698d2	gentoo_otp_en.md: Indicate which install method it covers	2023-08-04 17:11:20 +02:00
Haelwenn	1062185ba0	Merge branch 'mergeback/2.5.3' into 'develop' Mergeback: 2.5.3 Closes #3135 See merge request pleroma/pleroma!3927	2023-08-04 09:38:01 +00:00
Haelwenn (lanodan) Monnier	6a0fd77c48	Release 2.5.53	2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier	65ef8f19c5	release_runtime_provider_test: chmod config for hardened permissions Git doesn't manages file permissions precisely enough for us.	2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier	9f0ad901ed	changelog: Entry for config permissions restrictions Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135	2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier	69caedc591	instance gen: Reduce permissions of pleroma directories and config files	2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier	8cc8100120	Config: Restrict permissions of OTP config file	2023-08-04 09:50:28 +02:00
Mark Felder	2c79509453	Resolve information disclosure vulnerability through emoji pack archive download endpoint The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org	2023-08-04 08:40:27 +02:00
Haelwenn	819fccb7d1	Merge branch 'tusooa/3154-attachment-type-check' into 'develop' Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923	2023-08-03 10:01:32 +00:00
tusooa	b08cbe76f1	Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop' /api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2 See merge request pleroma/pleroma!3801	2023-07-28 15:05:46 +00:00
faried nawaz	11ce81d4af	add changelog entry	2023-07-28 18:49:05 +05:00
Faried Nawaz	e5e76ec445	cleaner ecto query to handle restrict_unauthenticated for activities This fix is for this case: config :pleroma, :restrict_unauthenticated, activities: %{local: true, remote: true}	2023-07-28 18:45:59 +05:00
faried nawaz	dc4de79d43	status context: perform visibility check on activities around a status issue #2927	2023-07-28 18:45:59 +05:00
Henry Jameson	78697ad23a	Merge remote-tracking branch 'origin/develop' into shigusegubu	2023-07-19 21:06:02 +03:00
tusooa	ea4225a646	Restrict attachments to only uploaded files only	2023-07-18 18:39:59 -04:00
Haelwenn	93ad16cca0	Merge branch '2023-06-deps-update' into 'develop' 2023-06 deps update + de-override plug See merge request pleroma/pleroma!3911	2023-07-17 20:37:47 +00:00
tusooa	bffa258a23	Fix quote_visible attribute	2023-07-13 06:56:06 -04:00
tusooa	2436c9d61d	Expose quote_id parameter on the api	2023-07-13 06:56:06 -04:00
tusooa	5ebabcd582	Do not mention original poster when quoting	2023-07-13 06:56:00 -04:00
tusooa	44eb648179	Fix config descriptions for mrf inline quote	2023-07-12 22:07:51 -04:00
tusooa	fca6a7933e	Fix TransmogrifierTest	2023-07-12 14:58:20 -04:00
tusooa	01eafc0372	Make InlineQuotePolicy history aware	2023-07-12 14:37:12 -04:00
tusooa	05beada21b	Add mrf to force link tag of quoting posts	2023-07-12 14:30:58 -04:00
tusooa	f8b01788eb	Keep incoming Link tag	2023-07-12 14:08:24 -04:00
tusooa	8f252fd99b	Parse object link as quoteUrl	2023-07-12 11:09:10 -04:00
tusooa	2c70857f9f	Allow more flexibility in InlineQuotePolicy	2023-07-12 09:30:43 -04:00
tusooa	26b499eca0	Fix CommonAPITest	2023-07-10 19:43:18 -04:00
tusooa	ebcac09f5c	Add changelog	2023-07-10 18:28:13 -04:00
tusooa	3bb384d378	Allow local quote and private self-quote	2023-07-10 18:27:23 -04:00
tusooa	44cea92fbc	Unify logic for normalizing quoteUri	2023-07-10 18:14:14 -04:00
Alex Gleason	52c81cdf68	InlineQuotePolicy: skip objects which already have an .inline-quote span	2023-07-10 17:52:10 -04:00
Alex Gleason	34cf4222c1	Actually, don't send _misskey_quote anymore	2023-07-10 17:52:10 -04:00
Alex Gleason	5df951f670	InlineQuotePolicy: improve the way Markdown quotes are displayed by other software	2023-07-10 17:52:10 -04:00
Alex Gleason	32e284ed2c	Handle Fedibird's new quoteUri field	2023-07-10 17:52:10 -04:00
Alex Gleason	f89874596e	Transmogrifier: federate quotes with _misskey_quote field	2023-07-10 17:52:10 -04:00
Alex Gleason	f8b420932e	StatusView: return quote post inside a reblog	2023-07-10 17:52:10 -04:00
Alex Gleason	1cb39bfb90	Add InlineQuotePolicy as a default MRF	2023-07-10 17:52:10 -04:00
Alex Gleason	63f8c33353	InlineQuotePolicy: don't add line breaks to markdown posts	2023-07-10 17:52:10 -04:00
Alex Gleason	029a1045d4	StatusView: add `quote_visible` param	2023-07-10 17:52:09 -04:00
Alex Gleason	14a26e4433	StatusView: fix quote visibility	2023-07-10 17:52:09 -04:00
Alex Gleason	6d26ce54c4	CommonAPI: disallow quoting private posts through the API	2023-07-10 17:52:09 -04:00
Alex Gleason	1a6ab18ebc	Add InlineQuotePolicy to force quote URLs inline	2023-07-10 17:52:07 -04:00
Alex Gleason	06cc4ad7fd	Scrubber.Default: allow span.quote-inline for quote post compatibility	2023-07-10 17:51:03 -04:00
Alex Gleason	a3b7c1da4f	ActivityDraft: mix format, defensive actor ID	2023-07-10 17:49:42 -04:00
Alex Gleason	cca63d707d	ActivityDraft: mention the OP of a quoted post	2023-07-10 17:49:42 -04:00
Alex Gleason	4bcdf0cf4f	Return quote_url through the API, don't render quotes more than 1 level deep	2023-07-10 17:49:42 -04:00
Alex Gleason	2f9a098dd5	@context: add quoteUrl	2023-07-10 17:49:42 -04:00
Alex Gleason	e47c6a2445	InstanceView: add "quote_posting" feature	2023-07-10 17:49:42 -04:00
Alex Gleason	72a0236c9a	Fix typos	2023-07-10 17:49:42 -04:00
Alex Gleason	57e4e43042	mix format	2023-07-10 17:49:42 -04:00

1 2 3 4 5 ...

15363 commits