Age  Commit message  Author
2023-09-13  StatusView: fix quote visibility  (Alex Gleason)
2023-09-13  CommonAPI: disallow quoting private posts through the API  (Alex Gleason)
2023-09-13  Add InlineQuotePolicy to force quote URLs inline  (Alex Gleason)
2023-09-13  Scrubber.Default: allow span.quote-inline for quote post compatibility  (Alex Gleason)
2023-09-13  ActivityDraft: mix format, defensive actor ID  (Alex Gleason)
2023-09-13  ActivityDraft: mention the OP of a quoted post  (Alex Gleason)
2023-09-13  Return quote_url through the API, don't render quotes more than 1 level deep  (Alex Gleason)
2023-09-13  @context: add quoteUrl  (Alex Gleason)
2023-09-13  InstanceView: add "quote_posting" feature  (Alex Gleason)
2023-09-13  Fix typos  (Alex Gleason)
2023-09-13  mix format  (Alex Gleason)
2023-09-13  TransmogrifierTest: prepare an outgoing quote post  (Alex Gleason)
2023-09-13  StatusControllerTest: test creating a quote post  (Alex Gleason)
2023-09-13  BuilderTest: build quote post  (Alex Gleason)
2023-09-13  ActivityDraft: allow quoting  (Alex Gleason)
2023-09-13  ActivityDraft: create quote posts  (Alex Gleason)
2023-09-13  StatusView: render the whole quoted status  (Alex Gleason)
2023-09-13  StatusView: show quoted posts through the API, probably  (Alex Gleason)
2023-09-13  Transmogrifier: fix quoteUrl here too  (Alex Gleason)
2023-09-13  Transmogrifier: fetch quoted post  (Alex Gleason)
2023-09-13  ObjectValidators: improve quoteUrl compatibility  (Alex Gleason)
2023-09-13  Quote post: add fixtures  (Alex Gleason)
2023-09-13  ObjectValidators: accept "quoteUrl" field  (Alex Gleason)
2023-09-03  Merge branch 'check-attachment-attribution' into 'develop'  (Haelwenn)
    Prevent users from attaching other users' attachments
    See merge request pleroma/pleroma!3947
2023-09-03  CommonAPI: Prevent users from accessing media of other users  (Mint)
2023-08-31  Merge branch 'tusooa/lint' into 'develop'  (Haelwenn)
    Make lint happy
    See merge request pleroma/pleroma!3944
2023-08-30  Skip changelog  (tusooa)
2023-08-30  Make lint happy  (tusooa)
2023-08-16  Merge branch 'csp-flash' into 'develop'  (Haelwenn)
    allow https: so that flash works across instances without need for media proxy
    See merge request pleroma/pleroma!3879
2023-08-16  Apply lanodan's suggestion(s) to 1 file(s)  (Haelwenn)
2023-08-10  Merge branch 'fix-dockerfile-perms' into 'develop'  (tusooa)
    Fix config ownership in dockerfile to pass restriction test
    See merge request pleroma/pleroma!3931
2023-08-08  Fix config ownership in dockerfile to pass restriction test  (Cat pony Black)
2023-08-06  Merge branch 'disable-xml-entities-completely' into 'develop'  (Haelwenn)
    Completely disable xml entity resolution
    See merge request pleroma/pleroma!3932
2023-08-05  Completely disable xml entity resolution  (mae)
2023-08-05  Merge branch 'docs/gentoo-otp-intro' into 'develop'  (Haelwenn)
    gentoo_otp_en.md: Indicate which install method it covers
    See merge request pleroma/pleroma!3928
2023-08-05  Merge branch 'mergeback/2.5.4' into 'develop'  (Haelwenn)
    Mergeback: 2.5.4
    See merge request pleroma/pleroma!3930
2023-08-05  Mergeback release 2.5.4  (Haelwenn (lanodan) Monnier)
2023-08-05  Document and test that XXE processing is disabled  (Mark Felder)
    https://vuln.be/post/xxe-in-erlang-and-elixir/
2023-08-05  Add unit test for external entity loading  (FloatingGhost)
2023-08-04  Prevent XML parser from loading external entities  (Mae)
2023-08-04  gentoo_otp_en.md: Indicate which install method it covers  (Haelwenn (lanodan) Monnier)
2023-08-04  Merge branch 'mergeback/2.5.3' into 'develop'  (Haelwenn)
    Mergeback: 2.5.3
    Closes #3135
    See merge request pleroma/pleroma!3927
2023-08-04  Release 2.5.53  (Haelwenn (lanodan) Monnier)
2023-08-04  release_runtime_provider_test: chmod config for hardened permissions  (Haelwenn (lanodan) Monnier)
    Git doesn't manage file permissions precisely enough for us.
2023-08-04  changelog: Entry for config permissions restrictions  (Haelwenn (lanodan) Monnier)
    Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135
2023-08-04  instance gen: Reduce permissions of pleroma directories and config files  (Haelwenn (lanodan) Monnier)
2023-08-04  Config: Restrict permissions of OTP config file  (Haelwenn (lanodan) Monnier)
2023-08-04  Resolve information disclosure vulnerability through emoji pack archive download endpoint  (Mark Felder)
    The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded, which tricks Pleroma into generating a zip file of the target files the attacker wants to download.

    The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default.

    Reported by: graf@poast.org
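The attack described in the commit above turns on two client-influenced inputs: the pack name handed to the archive endpoint, and the file list inside whatever pack.json that name resolves to. The Python model below is an added illustration, not Pleroma's code (the real endpoint is Elixir and laid out differently); it shows both confinement checks against a constructed directory tree and replays the crafted pack name from the commit plus the related case of a manifest that points outside its pack. The function names (safe_pack_dir, safe_member, build_pack_archive, PackError, demo), the pack-name allow-list and every path and file in it are hypothetical.

```python
"""Model of an emoji-pack archive endpoint with path confinement.

Added illustration, not Pleroma's code: the real endpoint is written in
Elixir and laid out differently. Every name and path here is hypothetical.
"""
import io
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Allow-list for pack names (an assumption, not Pleroma's rule): a plain directory
# name, so "../uploads/x" or an absolute path can never point the endpoint at an
# attacker-controlled pack.json.
PACK_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


class PackError(ValueError):
    """A pack name or manifest entry would leave the emoji tree."""


def safe_pack_dir(emoji_root: Path, pack_name: str) -> Path:
    """Map a client-supplied pack name to a directory directly under emoji_root."""
    if not PACK_NAME_RE.fullmatch(pack_name):
        raise PackError(f"invalid pack name: {pack_name!r}")
    root = emoji_root.resolve()
    pack_dir = (root / pack_name).resolve()
    # Defence in depth: resolve() follows symlinks, so a pack directory that is a
    # symlink out of the tree is caught here even though its name passed the regex.
    if pack_dir.parent != root:
        raise PackError(f"pack {pack_name!r} resolves outside the emoji root")
    return pack_dir


def safe_member(pack_dir: Path, relpath: str) -> Path:
    """Confine one file listed in pack.json to the pack's own directory."""
    member = (pack_dir / relpath).resolve()  # an absolute relpath replaces pack_dir here
    if pack_dir not in member.parents or not member.is_file():
        raise PackError(f"manifest entry {relpath!r} is not a file inside the pack")
    return member


def build_pack_archive(emoji_root: Path, pack_name: str) -> bytes:
    """What the download endpoint does: zip pack.json plus every file it lists."""
    pack_dir = safe_pack_dir(emoji_root, pack_name)
    manifest = json.loads((pack_dir / "pack.json").read_text())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(pack_dir / "pack.json", arcname="pack.json")
        for relpath in manifest.get("files", {}).values():
            zf.write(safe_member(pack_dir, relpath), arcname=relpath)
    return buf.getvalue()


def demo() -> dict:
    """Replay the attack from the commit message against the checks above."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        emoji_root = base / "static" / "emoji"
        pack = emoji_root / "cats"
        pack.mkdir(parents=True)
        (pack / "cat.png").write_bytes(b"\x89PNG constructed sample")
        (pack / "pack.json").write_text(json.dumps({"files": {"cat": "cat.png"}}))

        # Constructed target: a file the attacker wants, outside the emoji tree.
        secret = base / "config" / "prod.secret.exs"
        secret.parent.mkdir()
        secret.write_text("constructed secret")

        # Constructed "media upload" named pack.json whose file list names the secret.
        uploads = base / "uploads" / "attacker"
        uploads.mkdir(parents=True)
        (uploads / "pack.json").write_text(
            json.dumps({"files": {"x": "../../config/prod.secret.exs"}})
        )

        results = {}
        with zipfile.ZipFile(io.BytesIO(build_pack_archive(emoji_root, "cats"))) as zf:
            results["legit_members"] = sorted(zf.namelist())

        # Attack 1: a pack name that walks from the emoji root to the uploaded manifest.
        try:
            build_pack_archive(emoji_root, "../../uploads/attacker")
            results["traversal_name_rejected"] = False
        except PackError:
            results["traversal_name_rejected"] = True

        # Attack 2: a manifest inside a real pack that lists a file outside it.
        (pack / "pack.json").write_text(
            json.dumps({"files": {"x": "../../../config/prod.secret.exs"}})
        )
        try:
            build_pack_archive(emoji_root, "cats")
            results["manifest_escape_rejected"] = False
        except PackError:
            results["manifest_escape_rejected"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the legitimate archive's member list and that both crafted requests were refused. The allow-list on the name is the part that corresponds to the commit's "sanitized" pack name; the per-member check is the second guard a reviewer would want, because a manifest that lists arbitrary paths is the same primitive even when the pack directory itself is genuine. The AnonymizeFilename filter the commit mentions only defeats the attack incidentally, by renaming the uploaded pack.json, which is why the commit treats the default configuration as exposed and fixes the path handling instead.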
2023-08-03  Merge branch 'tusooa/3154-attachment-type-check' into 'develop'  (Haelwenn)
    Restrict attachments to only uploaded files
    Closes #3154
    See merge request pleroma/pleroma!3923
2023-07-28  Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop'  (tusooa)
    /api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2
    See merge request pleroma/pleroma!3801