Age | Commit message | Author | |
---|---|---|---|
2023-09-13 | ActivityDraft: allow quoting | Alex Gleason | |
2023-09-13 | ActivityDraft: create quote posts | Alex Gleason | |
2023-09-13 | StatusView: render the whole quoted status | Alex Gleason | |
2023-09-13 | StatusView: show quoted posts through the API, probably | Alex Gleason | |
2023-09-13 | Transmogrifier: fix quoteUrl here too | Alex Gleason | |
2023-09-13 | Transmogrifier: fetch quoted post | Alex Gleason | |
2023-09-13 | ObjectValidators: improve quoteUrl compatibility | Alex Gleason | |
2023-09-13 | Quote post: add fixtures | Alex Gleason | |
2023-09-13 | ObjectValidators: accept "quoteUrl" field | Alex Gleason | |
2023-09-03 | Merge branch 'release/2.5.5' into 'stable' | Haelwenn | |
Release 2.5.5 See merge request pleroma/pleroma!3949 | |||
2023-09-03 | mix: version 2.5.5 | Haelwenn (lanodan) Monnier | |
2023-09-03 | CommonAPI: Prevent users from accessing media of other users | Mint | |
commit 1afde067b12ad0062c1820091ea9b0a680819281 upstream. | |||
2023-09-03 | Merge branch 'check-attachment-attribution' into 'develop' | Haelwenn | |
Prevent users from attaching other users' attachments See merge request pleroma/pleroma!3947 | |||
2023-09-03 | CommonAPI: Prevent users from accessing media of other users | Mint | |
2023-08-31 | Merge branch 'tusooa/lint' into 'develop' | Haelwenn | |
Make lint happy See merge request pleroma/pleroma!3944 | |||
2023-08-30 | Skip changelog | tusooa | |
2023-08-30 | Make lint happy | tusooa | |
2023-08-16 | Merge branch 'csp-flash' into 'develop' | Haelwenn | |
allow https: so that flash works across instances without need for media proxy See merge request pleroma/pleroma!3879 | |||
2023-08-16 | Apply lanodan's suggestion(s) to 1 file(s) | Haelwenn | |
2023-08-10 | Merge branch 'fix-dockerfile-perms' into 'develop' | tusooa | |
Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931 | |||
2023-08-08 | Fix config ownership in dockerfile to pass restriction test | Cat pony Black | |
2023-08-06 | Merge branch 'disable-xml-entities-completely' into 'develop' | Haelwenn | |
Completely disable xml entity resolution See merge request pleroma/pleroma!3932 | |||
2023-08-05 | Completely disable xml entity resolution | mae | |
2023-08-05 | Merge branch 'docs/gentoo-otp-intro' into 'develop' | Haelwenn | |
gentoo_otp_en.md: Indicate which install method it covers See merge request pleroma/pleroma!3928 | |||
2023-08-05 | Merge branch 'mergeback/2.5.4' into 'develop' | Haelwenn | |
Mergeback: 2.5.4 See merge request pleroma/pleroma!3930 | |||
2023-08-05 | Merge branch 'releases/2.5.4' into 'stable' | Haelwenn | |
Release 2.5.4 See merge request pleroma/pleroma!3929 | |||
2023-08-05 | Mergeback release 2.5.4 | Haelwenn (lanodan) Monnier | |
2023-08-05 | Release 2.5.4 | Haelwenn (lanodan) Monnier | |
2023-08-05 | Document and test that XXE processing is disabled | Mark Felder | |
https://vuln.be/post/xxe-in-erlang-and-elixir/ | |||
2023-08-05 | Add unit test for external entity loading | FloatingGhost | |
2023-08-05 | Prevent XML parser from loading external entities | Mae | |
2023-08-05 | Document and test that XXE processing is disabled | Mark Felder | |
https://vuln.be/post/xxe-in-erlang-and-elixir/ | |||
2023-08-05 | Add unit test for external entity loading | FloatingGhost | |
2023-08-04 | Prevent XML parser from loading external entities | Mae | |
2023-08-04 | gentoo_otp_en.md: Indicate which install method it covers | Haelwenn (lanodan) Monnier | |
2023-08-04 | Merge branch 'release/2.5.3' into 'stable' | Haelwenn | |
Release 2.5.3 See merge request pleroma/pleroma!3926 | |||
2023-08-04 | Merge branch 'mergeback/2.5.3' into 'develop' | Haelwenn | |
Mergeback: 2.5.3 Closes #3135 See merge request pleroma/pleroma!3927 | |||
2023-08-04 | Release 2.5.53 | Haelwenn (lanodan) Monnier | |
2023-08-04 | release_runtime_provider_test: chmod config for hardened permissions | Haelwenn (lanodan) Monnier | |
Git doesn't manage file permissions precisely enough for us. | |||
2023-08-04 | changelog: Entry for config permissions restrictions | Haelwenn (lanodan) Monnier | |
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | |||
2023-08-04 | instance gen: Reduce permissions of pleroma directories and config files | Haelwenn (lanodan) Monnier | |
2023-08-04 | Config: Restrict permissions of OTP config file | Haelwenn (lanodan) Monnier | |
2023-08-04 | Release 2.5.3 | Haelwenn (lanodan) Monnier | |
2023-08-04 | test: Fix warnings | Haelwenn (lanodan) Monnier | |
2023-08-04 | Force the use of amd64 runners for jobs using ci-base | Haelwenn (lanodan) Monnier | |
2023-08-04 | release_runtime_provider_test: chmod config for hardened permissions | Haelwenn (lanodan) Monnier | |
Git doesn't manage file permissions precisely enough for us. | |||
2023-08-04 | changelog: Entry for config permissions restrictions | Haelwenn (lanodan) Monnier | |
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | |||
2023-08-04 | instance gen: Reduce permissions of pleroma directories and config files | Haelwenn (lanodan) Monnier | |
2023-08-04 | Config: Restrict permissions of OTP config file | Haelwenn (lanodan) Monnier | |
2023-08-04 | Resolve information disclosure vulnerability through emoji pack archive download endpoint | Mark Felder | |
The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org | |||