| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2023-09-13 | StatusView: fix quote visibility | Alex Gleason | |
| 2023-09-13 | CommonAPI: disallow quoting private posts through the API | Alex Gleason | |
| 2023-09-13 | Add InlineQuotePolicy to force quote URLs inline | Alex Gleason | |
| 2023-09-13 | Scrubber.Default: allow span.quote-inline for quote post compatibility | Alex Gleason | |
| 2023-09-13 | ActivityDraft: mix format, defensive actor ID | Alex Gleason | |
| 2023-09-13 | ActivityDraft: mention the OP of a quoted post | Alex Gleason | |
| 2023-09-13 | Return quote_url through the API, don't render quotes more than 1 level deep | Alex Gleason | |
| 2023-09-13 | @context: add quoteUrl | Alex Gleason | |
| 2023-09-13 | InstanceView: add "quote_posting" feature | Alex Gleason | |
| 2023-09-13 | Fix typos | Alex Gleason | |
| 2023-09-13 | mix format | Alex Gleason | |
| 2023-09-13 | TransmogrifierTest: prepare an outgoing quote post | Alex Gleason | |
| 2023-09-13 | StatusControllerTest: test creating a quote post | Alex Gleason | |
| 2023-09-13 | BuilderTest: build quote post | Alex Gleason | |
| 2023-09-13 | ActivityDraft: allow quoting | Alex Gleason | |
| 2023-09-13 | ActivityDraft: create quote posts | Alex Gleason | |
| 2023-09-13 | StatusView: render the whole quoted status | Alex Gleason | |
| 2023-09-13 | StatusView: show quoted posts through the API, probably | Alex Gleason | |
| 2023-09-13 | Transmogrifier: fix quoteUrl here too | Alex Gleason | |
| 2023-09-13 | Transmogrifier: fetch quoted post | Alex Gleason | |
| 2023-09-13 | ObjectValidators: improve quoteUrl compatibility | Alex Gleason | |
| 2023-09-13 | Quote post: add fixtures | Alex Gleason | |
| 2023-09-13 | ObjectValidators: accept "quoteUrl" field | Alex Gleason | |
| 2023-09-03 | Merge branch 'check-attachment-attribution' into 'develop' | Haelwenn | |
| Prevent users from attaching other users' attachments See merge request pleroma/pleroma!3947 | |||
| 2023-09-03 | CommonAPI: Prevent users from accessing media of other users | Mint | |
| 2023-08-31 | Merge branch 'tusooa/lint' into 'develop' | Haelwenn | |
| Make lint happy See merge request pleroma/pleroma!3944 | |||
| 2023-08-30 | Skip changelog | tusooa | |
| 2023-08-30 | Make lint happy | tusooa | |
| 2023-08-16 | Merge branch 'csp-flash' into 'develop' | Haelwenn | |
| allow https: so that flash works across instances without need for media proxy See merge request pleroma/pleroma!3879 | |||
| 2023-08-16 | Apply lanodan's suggestion(s) to 1 file(s) | Haelwenn | |
| 2023-08-10 | Merge branch 'fix-dockerfile-perms' into 'develop' | tusooa | |
| Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931 | |||
| 2023-08-08 | Fix config ownership in dockerfile to pass restriction test | Cat pony Black | |
| 2023-08-06 | Merge branch 'disable-xml-entities-completely' into 'develop' | Haelwenn | |
| Completely disable xml entity resolution See merge request pleroma/pleroma!3932 | |||
| 2023-08-05 | Completely disable xml entity resolution | mae | |
| 2023-08-05 | Merge branch 'docs/gentoo-otp-intro' into 'develop' | Haelwenn | |
| gentoo_otp_en.md: Indicate which install method it covers See merge request pleroma/pleroma!3928 | |||
| 2023-08-05 | Merge branch 'mergeback/2.5.4' into 'develop' | Haelwenn | |
| Mergeback: 2.5.4 See merge request pleroma/pleroma!3930 | |||
| 2023-08-05 | Mergeback release 2.5.4 | Haelwenn (lanodan) Monnier | |
| 2023-08-05 | Document and test that XXE processing is disabled | Mark Felder | |
| https://vuln.be/post/xxe-in-erlang-and-elixir/ | |||
| 2023-08-05 | Add unit test for external entity loading | FloatingGhost | |
| 2023-08-04 | Prevent XML parser from loading external entities | Mae | |
| 2023-08-04 | gentoo_otp_en.md: Indicate which install method it covers | Haelwenn (lanodan) Monnier | |
| 2023-08-04 | Merge branch 'mergeback/2.5.3' into 'develop' | Haelwenn | |
| Mergeback: 2.5.3 Closes #3135 See merge request pleroma/pleroma!3927 | |||
| 2023-08-04 | Release 2.5.53 | Haelwenn (lanodan) Monnier | |
| 2023-08-04 | release_runtime_provider_test: chmod config for hardened permissions | Haelwenn (lanodan) Monnier | |
| Git doesn't manages file permissions precisely enough for us. | |||
| 2023-08-04 | changelog: Entry for config permissions restrictions | Haelwenn (lanodan) Monnier | |
| Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | |||
| 2023-08-04 | instance gen: Reduce permissions of pleroma directories and config files | Haelwenn (lanodan) Monnier | |
| 2023-08-04 | Config: Restrict permissions of OTP config file | Haelwenn (lanodan) Monnier | |
| 2023-08-04 | Resolve information disclosure vulnerability through emoji pack archive ↵ | Mark Felder | |
| download endpoint The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org | |||
| 2023-08-03 | Merge branch 'tusooa/3154-attachment-type-check' into 'develop' | Haelwenn | |
| Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923 | |||
| 2023-07-28 | Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop' | tusooa | |
| /api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2 See merge request pleroma/pleroma!3801 | |||
 |
index : pleroma | |
| Unnamed repository; edit this file 'description' to name the repository. |
| summaryrefslogtreecommitdiff |