| field | value | date |
|---|---|---|
| author | rinpatch <rinpatch@sdf.org> | 2020-10-28 18:08:23 +0300 |
| committer | rinpatch <rinpatch@sdf.org> | 2020-11-12 15:25:33 +0300 |
| commit | 6ca709816f74f1171423c7bc040619fca57a2087 (patch) | |
| tree | c63d54e69018c195279ff946f8f3990b25215cef /priv/static/packs/emoji_picker.js | |
| parent | 99bc175f0257fb0cb9275cba94df662ed219eacf (diff) | |
| download | pleroma-6ca709816f74f1171423c7bc040619fca57a2087.tar.gz, pleroma-6ca709816f74f1171423c7bc040619fca57a2087.zip | |
Fix object spoofing vulnerability in attachments
Validate the content-type of the response when fetching an object,
according to https://www.w3.org/TR/activitypub/#x3-2-retrieving-objects.
Content-type headers had to be added to many mocks in order to support
this, some of this was done with a regex. While I did go over the
resulting files to check I didn't modify anything unrelated, there is a
possibility I missed something.
Closes pleroma#1948
Diffstat (limited to 'priv/static/packs/emoji_picker.js')
0 files changed, 0 insertions, 0 deletions
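A content-type gate of the kind this commit describes, written as an added Python example rather than Pleroma's own Elixir code: it accepts only the two media types ActivityPub section 3.2 names for a retrieved object, and the helper names, header dictionaries and sample values are assumptions of this example.

```python
"""Content-Type check for fetched ActivityPub objects (added example)."""

AS_PROFILE = "https://www.w3.org/ns/activitystreams"
ACTIVITY_JSON = "application/activity+json"
LD_JSON = "application/ld+json"


def parse_content_type(header):
    """Split a Content-Type value into (media_type, params).

    Media type and parameter names are case-insensitive, so they are
    lower-cased; parameter values keep their case and lose surrounding
    quotes. Assumes no ';' inside quoted values, which holds for the
    profile URIs this check cares about.
    """
    if header is None:
        return None, {}
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            name, value = part.split("=", 1)
            params[name.strip().lower()] = value.strip().strip('"')
    return media_type, params


def is_activitypub_content_type(header):
    """True only for the media types ActivityPub section 3.2 allows.

    application/activity+json is accepted as-is; application/ld+json only
    when its profile parameter lists the ActivityStreams context. Anything
    else (text/html, plain application/json, image/*, a missing header) is
    rejected, so a URL serving an arbitrary document is never parsed as
    if it were an ActivityPub object.
    """
    media_type, params = parse_content_type(header)
    if media_type == ACTIVITY_JSON:
        return True
    if media_type == LD_JSON:
        # the profile parameter may carry several space-separated URIs
        return AS_PROFILE in params.get("profile", "").split()
    return False


def check_fetched_object(status, headers):
    """Return (ok, reason) for a fetch response before its body is parsed.

    Header names are matched case-insensitively (constructed dict input).
    """
    if status != 200:
        return False, f"unexpected status {status}"
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), None)
    if not is_activitypub_content_type(ctype):
        return False, f"not an ActivityPub media type: {ctype!r}"
    return True, "ok"
```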
