summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-08-11Implement api/v2/instance routemarcin mikołajczak
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2023-08-10Merge branch 'fix-dockerfile-perms' into 'develop'tusooa
Fix config ownership in dockerfile to pass restriction test See merge request pleroma/pleroma!3931
2023-08-08Fix config ownership in dockerfile to pass restriction testCat pony Black
2023-08-06Merge branch 'disable-xml-entities-completely' into 'develop'Haelwenn
Completely disable xml entity resolution See merge request pleroma/pleroma!3932
2023-08-05Completely disable xml entity resolutionmae
2023-08-05Merge branch 'docs/gentoo-otp-intro' into 'develop'Haelwenn
gentoo_otp_en.md: Indicate which install method it covers See merge request pleroma/pleroma!3928
2023-08-05Merge branch 'mergeback/2.5.4' into 'develop'Haelwenn
Mergeback: 2.5.4 See merge request pleroma/pleroma!3930
2023-08-05Mergeback release 2.5.4Haelwenn (lanodan) Monnier
2023-08-05Document and test that XXE processing is disabledMark Felder
https://vuln.be/post/xxe-in-erlang-and-elixir/
2023-08-05Add unit test for external entity loadingFloatingGhost
2023-08-04Prevent XML parser from loading external entitiesMae
2023-08-04gentoo_otp_en.md: Indicate which install method it coversHaelwenn (lanodan) Monnier
2023-08-04Merge branch 'mergeback/2.5.3' into 'develop'Haelwenn
Mergeback: 2.5.3 Closes #3135 See merge request pleroma/pleroma!3927
2023-08-04Release 2.5.53Haelwenn (lanodan) Monnier
2023-08-04release_runtime_provider_test: chmod config for hardened permissionsHaelwenn (lanodan) Monnier
Git doesn't manages file permissions precisely enough for us.
2023-08-04changelog: Entry for config permissions restrictionsHaelwenn (lanodan) Monnier
Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135
2023-08-04instance gen: Reduce permissions of pleroma directories and config filesHaelwenn (lanodan) Monnier
2023-08-04Config: Restrict permissions of OTP config fileHaelwenn (lanodan) Monnier
2023-08-04Resolve information disclosure vulnerability through emoji pack archive ↵Mark Felder
download endpoint The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org
2023-08-03Merge branch 'tusooa/3154-attachment-type-check' into 'develop'Haelwenn
Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923
2023-07-28Merge branch 'fix/2927-disallow-unauthenticated-access' into 'develop'tusooa
/api/v1/statuses/:id/context: filter context activities using Visibility.visible_for_user?/2 See merge request pleroma/pleroma!3801
2023-07-28add changelog entryfaried nawaz
2023-07-28cleaner ecto query to handle restrict_unauthenticated for activitiesFaried Nawaz
This fix is for this case: config :pleroma, :restrict_unauthenticated, activities: %{local: true, remote: true}
2023-07-28status context: perform visibility check on activities around a statusfaried nawaz
issue #2927
2023-07-18Restrict attachments to only uploaded files onlytusooa
2023-07-17Merge branch '2023-06-deps-update' into 'develop'Haelwenn
2023-06 deps update + de-override plug See merge request pleroma/pleroma!3911
2023-07-07Merge branch 'tusooa/2775-emoji-policy' into 'develop'Haelwenn
EmojiPolicy Closes #2775 See merge request pleroma/pleroma!3842
2023-07-07Make regex-to-string descriptor reusabletusooa
2023-07-07Fix edge casestusooa
2023-07-07Add changelogtusooa
2023-07-07Test that unicode emoji reactions are not affectedtusooa
2023-07-07Make EmojiPolicy aware of custom emoji reactionstusooa
2023-07-07Improve config examples for EmojiPolicytusooa
2023-07-07Update config cheatsheettusooa
2023-07-07Move emoji_policy.ex to the right placetusooa
2023-07-07EmojiPolicy: Implement delisttusooa
2023-07-07EmojiPolicy: implement remove by shortcodetusooa
2023-07-07Add emoji policy to remove emojis matching certain urlstusooa
https://git.pleroma.social/pleroma/pleroma/-/issues/2775
2023-07-04Merge branch 'deprecate-scrobbles' into 'develop'tusooa
Deprecate audio scrobbling See merge request pleroma/pleroma!3919
2023-07-04Merge branch 'hotfix/docs-broken-links' into 'develop'Haelwenn
docs: Fix broken links See merge request pleroma/pleroma!3920
2023-07-04docs: Fix broken linksHaelwenn (lanodan) Monnier
2023-07-04Merge branch 'fix/pipeline-triggers' into 'develop'Haelwenn
CI: Fix pipeline tokens & exit status See merge request pleroma/pleroma!3918
2023-07-04Deprecate audio scrobblingHaelwenn (lanodan) Monnier
2023-07-04CI: Use CI_JOB_TOKEN for cross-repo pipeline triggersHaelwenn (lanodan) Monnier
2023-07-04CI: Let curl return non-0 on http failure codeHaelwenn (lanodan) Monnier
Otherwise it silently fails
2023-07-03Merge branch 'gentoo_otp' into 'develop'Haelwenn
Packaged installation guide for gentoo See merge request pleroma/pleroma!3906
2023-07-02Merge branch 'tusooa/media-altdomain' into 'develop'Haelwenn
Add instructions to serve media on another domain See merge request pleroma/pleroma!3892
2023-07-02Merge branch 'testfix/system-config-use' into 'develop'Haelwenn
release_runtime_provider_test: Explicitely use non-existant config file See merge request pleroma/pleroma!3910
2023-07-02Merge branch 'tusooa/3131-handle-report-from-deactivated-user' into 'develop'Haelwenn
Fix handling report from a deactivated user Closes #3131 See merge request pleroma/pleroma!3915
2023-07-02Merge branch 'tusooa/3142-featured-collection-shouldnt-break-user-fetch' ↵Haelwenn
into 'develop' Fix user fetch completely broken if featured collection is not in a supported form See merge request pleroma/pleroma!3914