| author | Maksim Pechnikov <parallel588@gmail.com> | 2020-03-08 14:10:45 +0300 |
|---|---|---|
| committer | Maksim Pechnikov <parallel588@gmail.com> | 2020-03-08 14:10:59 +0300 |
| commit | edb659dc579fe56227adef0b0704ff13b6ef717e (patch) | |
| tree | e9d48cd8afd99877d5b4c696d8b7a62a9d2121bd /CHANGELOG.md | |
| parent | 10f452ad1feae9a882b6dc4cd35e09adb7e78208 (diff) | |
| parent | 6d797b99282ff1067c6af04b3e1775ff2281333b (diff) | |
Merge branch 'develop' into issue/1276
Diffstat (limited to 'CHANGELOG.md')
| -rw-r--r-- | CHANGELOG.md | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index c58da7a41..0510994c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] +### Security +- Mastodon API: Fix being able to request enourmous amount of statuses in timelines leading to DoS. Now limited to 40 per request. + ### Removed - **Breaking**: Removed 1.0+ deprecated configurations `Pleroma.Upload, :strip_exif` and `:instance, :dedupe_media` - **Breaking**: OStatus protocol support @@ -35,6 +38,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Rate limiter is now disabled for localhost/socket (unless remoteip plug is enabled) - Logger: default log level changed from `warn` to `info`. - Config mix task `migrate_to_db` truncates `config` table before migrating the config file. +- Default to `prepare: :unnamed` in the database configuration. +- Instance stats are now loaded on startup instead of being empty until next hourly job. <details> <summary>API Changes</summary> @@ -57,6 +62,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Admin API: Render whole status in grouped reports - Mastodon API: User timelines will now respect blocks, unless you are getting the user timeline of somebody you blocked (which would be empty otherwise). - Mastodon API: Favoriting / Repeating a post multiple times will now return the identical response every time. Before, executing that action twice would return an error ("already favorited") on the second try. +- Mastodon API: Limit timeline requests to 3 per timeline per 500ms per user/ip by default. </details> ### Added 
@@ -105,6 +111,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Configuration: `feed` option for user atom feed. - Pleroma API: Add Emoji reactions - Admin API: Add `/api/pleroma/admin/instances/:instance/statuses` - lists all statuses from a given instance +- Admin API: Add `/api/pleroma/admin/users/:nickname/statuses` - lists all statuses from a given user - Admin API: `PATCH /api/pleroma/users/confirm_email` to confirm email for multiple users, `PATCH /api/pleroma/users/resend_confirmation_email` to resend confirmation email for multiple users - ActivityPub: Configurable `type` field of the actors. - Mastodon API: `/api/v1/accounts/:id` has `source/pleroma/actor_type` field. @@ -122,6 +129,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Pleroma API: Add reactions for a single emoji. - ActivityPub: `[:activitypub, :note_replies_output_limit]` setting sets the number of note self-replies to output on outgoing federation. - Admin API: `GET /api/pleroma/admin/stats` to get status count by visibility scope +- Admin API: `GET /api/pleroma/admin/statuses` - list all statuses (accepts `godmode` and `local_only`) </details> ### Fixed |
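Review bot: In the first hunk (`@@ -4,6 +4,9 @@`), the new `### Security` entry misspells "enormous" as "enourmous" and "enourmous amount of statuses" reads awkwardly. Suggest "Fix being able to request an enormous number of statuses in timelines, leading to DoS." Since this is the entry operators will scan for, it would also help to say whether the cap of 40 per request is fixed or configurable.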
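Review bot: In the `@@ -35,6 +38,8 @@` hunk, the entry "Default to `prepare: :unnamed` in the database configuration" gives no reason for the change and does not say whether installs with an existing database configuration pick up the new default or have to add it themselves. One clause on each would make the entry actionable for people upgrading.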
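Review bot: In the `@@ -57,6 +62,7 @@` hunk, the new timeline rate limit is described as applying "by default", but the entry does not name the setting that changes it. The context line in the previous hunk says the rate limiter is disabled for localhost/socket unless the remoteip plug is enabled, so this entry should state whether the 3 per 500ms limit is likewise skipped in that case. Because it addresses the same timeline DoS as the Security entry at the top of the diff, a cross-reference between the two would keep readers from missing one of them.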
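Review bot: In the `@@ -105,6 +111,7 @@` hunk, the added `/api/pleroma/admin/users/:nickname/statuses` entry omits the HTTP method, while other Admin API entries in this diff give it (`PATCH /api/pleroma/users/confirm_email`, `GET /api/pleroma/admin/stats`). Suggest writing it as method plus path for consistency.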
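Review bot: In the last hunk (`@@ -122,6 +129,7 @@`), the `GET /api/pleroma/admin/statuses` entry names the `godmode` and `local_only` parameters without saying what they do. For an endpoint that lists all statuses, the changelog should at least state what `godmode` adds to the result (for example, whether non-public statuses are included), or link to the Admin API documentation that does.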
