| Age | Commit message | Author |
|---|---|---|
| 2023-09-03 | mix: version 2.5.5 | Haelwenn (lanodan) Monnier |
| 2023-09-03 | CommonAPI: Prevent users from accessing media of other users | Mint |
| | commit 1afde067b12ad0062c1820091ea9b0a680819281 upstream. | |
| 2023-09-03 | Merge branch 'check-attachment-attribution' into 'develop' | Haelwenn |
| | Prevent users from attaching other users' attachments See merge request pleroma/pleroma!3947 | |
| 2023-09-03 | CommonAPI: Prevent users from accessing media of other users | Mint |
| 2023-08-31 | Merge branch 'tusooa/lint' into 'develop' | Haelwenn |
| | Make lint happy See merge request pleroma/pleroma!3944 | |
| 2023-08-30 | Skip changelog | tusooa |
| 2023-08-30 | Make lint happy | tusooa |
| 2023-08-16 | Merge branch 'csp-flash' into 'develop' | Haelwenn |
| | allow https: so that flash works across instances without need for media proxy See merge request pleroma/pleroma!3879 | |
| 2023-08-16 | Apply lanodan's suggestion(s) to 1 file(s) | Haelwenn |
| 2023-08-11 | InstanceView: Add common_information function | marcin mikołajczak |
| | Signed-off-by: marcin mikołajczak <git@mkljczk.pl> | |
| 2023-08-11 | Implement api/v2/instance route | marcin mikołajczak |
| | Signed-off-by: marcin mikołajczak <git@mkljczk.pl> | |
| 2023-08-10 | Merge branch 'fix-dockerfile-perms' into 'develop' | tusooa |
| | Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931 | |
| 2023-08-08 | Fix config ownership in dockerfile to pass restriction test | Cat pony Black |
| 2023-08-06 | Merge branch 'disable-xml-entities-completely' into 'develop' | Haelwenn |
| | Completely disable xml entity resolution See merge request pleroma/pleroma!3932 | |
| 2023-08-05 | Completely disable xml entity resolution | mae |
| 2023-08-05 | Merge branch 'docs/gentoo-otp-intro' into 'develop' | Haelwenn |
| | gentoo_otp_en.md: Indicate which install method it covers See merge request pleroma/pleroma!3928 | |
| 2023-08-05 | Merge branch 'mergeback/2.5.4' into 'develop' | Haelwenn |
| | Mergeback: 2.5.4 See merge request pleroma/pleroma!3930 | |
| 2023-08-05 | Merge branch 'releases/2.5.4' into 'stable' | Haelwenn |
| | Release 2.5.4 See merge request pleroma/pleroma!3929 | |
| 2023-08-05 | Mergeback release 2.5.4 | Haelwenn (lanodan) Monnier |
| 2023-08-05 | Release 2.5.4 | Haelwenn (lanodan) Monnier |
| 2023-08-05 | Document and test that XXE processing is disabled | Mark Felder |
| | https://vuln.be/post/xxe-in-erlang-and-elixir/ | |
| 2023-08-05 | Add unit test for external entity loading | FloatingGhost |
| 2023-08-05 | Prevent XML parser from loading external entities | Mae |
| 2023-08-05 | Document and test that XXE processing is disabled | Mark Felder |
| | https://vuln.be/post/xxe-in-erlang-and-elixir/ | |
| 2023-08-05 | Add unit test for external entity loading | FloatingGhost |
| 2023-08-04 | Prevent XML parser from loading external entities | Mae |
| 2023-08-04 | gentoo_otp_en.md: Indicate which install method it covers | Haelwenn (lanodan) Monnier |
| 2023-08-04 | Merge branch 'release/2.5.3' into 'stable' | Haelwenn |
| | Release 2.5.3 See merge request pleroma/pleroma!3926 | |
| 2023-08-04 | Merge branch 'mergeback/2.5.3' into 'develop' | Haelwenn |
| | Mergeback: 2.5.3 Closes #3135 See merge request pleroma/pleroma!3927 | |
| 2023-08-04 | Release 2.5.53 | Haelwenn (lanodan) Monnier |
| 2023-08-04 | release_runtime_provider_test: chmod config for hardened permissions | Haelwenn (lanodan) Monnier |
| | Git doesn't manage file permissions precisely enough for us. | |
| 2023-08-04 | changelog: Entry for config permissions restrictions | Haelwenn (lanodan) Monnier |
| | Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | |
| 2023-08-04 | instance gen: Reduce permissions of pleroma directories and config files | Haelwenn (lanodan) Monnier |
| 2023-08-04 | Config: Restrict permissions of OTP config file | Haelwenn (lanodan) Monnier |
| 2023-08-04 | Release 2.5.3 | Haelwenn (lanodan) Monnier |
| 2023-08-04 | test: Fix warnings | Haelwenn (lanodan) Monnier |
| 2023-08-04 | Force the use of amd64 runners for jobs using ci-base | Haelwenn (lanodan) Monnier |
| 2023-08-04 | release_runtime_provider_test: chmod config for hardened permissions | Haelwenn (lanodan) Monnier |
| | Git doesn't manage file permissions precisely enough for us. | |
| 2023-08-04 | changelog: Entry for config permissions restrictions | Haelwenn (lanodan) Monnier |
| | Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | |
| 2023-08-04 | instance gen: Reduce permissions of pleroma directories and config files | Haelwenn (lanodan) Monnier |
| 2023-08-04 | Config: Restrict permissions of OTP config file | Haelwenn (lanodan) Monnier |
| 2023-08-04 | Resolve information disclosure vulnerability through emoji pack archive download endpoint | Mark Felder |
| | The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org | |
| 2023-08-04 | Resolve information disclosure vulnerability through emoji pack archive download endpoint | Mark Felder |
| | The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org | |
| 2023-08-03 | Merge branch 'tusooa/3154-attachment-type-check' into 'develop' | Haelwenn |
| | Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923 | |
| 2023-07-28 | Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop' | tusooa |
| | /api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2 See merge request pleroma/pleroma!3801 | |
| 2023-07-28 | add changelog entry | faried nawaz |
| 2023-07-28 | cleaner ecto query to handle restrict_unauthenticated for activities | Faried Nawaz |
| | This fix is for this case: config :pleroma, :restrict_unauthenticated, activities: %{local: true, remote: true} | |
| 2023-07-28 | status context: perform visibility check on activities around a status | faried nawaz |
| | issue #2927 | |
| 2023-07-18 | Restrict attachments to only uploaded files only | tusooa |
| 2023-07-17 | Merge branch '2023-06-deps-update' into 'develop' | Haelwenn |
| | 2023-06 deps update + de-override plug See merge request pleroma/pleroma!3911 | |