pleroma

Author	SHA1	Message	Date
Alex Gleason	0d9c443e51	StatusView: render the whole quoted status	2023-09-13 19:19:03 -04:00
Alex Gleason	ce5eb31723	StatusView: show quoted posts through the API, probably	2023-09-13 19:19:03 -04:00
Alex Gleason	cc4badaf60	Transmogrifier: fix quoteUrl here too	2023-09-13 19:19:03 -04:00
Alex Gleason	b022d6635d	Transmogrifier: fetch quoted post	2023-09-13 19:19:03 -04:00
Alex Gleason	795736af16	ObjectValidators: improve quoteUrl compatibility	2023-09-13 19:19:03 -04:00
Alex Gleason	31eb3dc245	ObjectValidators: accept "quoteUrl" field	2023-09-13 19:19:02 -04:00
Mint	1afde067b1	CommonAPI: Prevent users from accessing media of other users	2023-09-03 10:41:37 +02:00
tusooa	3d09bc320e	Make lint happy	2023-08-30 20:36:52 -04:00
Haelwenn	1e685c8302	Merge branch 'csp-flash' into 'develop' allow https: so that flash works across instances without need for media proxy See merge request pleroma/pleroma!3879	2023-08-16 13:37:49 +00:00
Haelwenn	d838d1990b	Apply lanodan's suggestion(s) to 1 file(s)	2023-08-16 13:34:32 +00:00
mae	48b1e9bdc7	Completely disable xml entity resolution	2023-08-05 14:17:04 +02:00
Mae	ca0859b90f	Prevent XML parser from loading external entities	2023-08-04 22:35:13 -04:00
Haelwenn (lanodan) Monnier	69caedc591	instance gen: Reduce permissions of pleroma directories and config files	2023-08-04 09:50:28 +02:00
Haelwenn (lanodan) Monnier	8cc8100120	Config: Restrict permissions of OTP config file	2023-08-04 09:50:28 +02:00
Mark Felder	2c79509453	Resolve information disclosure vulnerability through emoji pack archive download endpoint The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org	2023-08-04 08:40:27 +02:00
Haelwenn	819fccb7d1	Merge branch 'tusooa/3154-attachment-type-check' into 'develop' Restrict attachments to only uploaded files only Closes #3154 See merge request pleroma/pleroma!3923	2023-08-03 10:01:32 +00:00
Faried Nawaz	e5e76ec445	cleaner ecto query to handle restrict_unauthenticated for activities This fix is for this case: config :pleroma, :restrict_unauthenticated, activities: %{local: true, remote: true}	2023-07-28 18:45:59 +05:00
faried nawaz	dc4de79d43	status context: perform visibility check on activities around a status issue #2927	2023-07-28 18:45:59 +05:00
tusooa	ea4225a646	Restrict attachments to only uploaded files only	2023-07-18 18:39:59 -04:00
Haelwenn	93ad16cca0	Merge branch '2023-06-deps-update' into 'develop' 2023-06 deps update + de-override plug See merge request pleroma/pleroma!3911	2023-07-17 20:37:47 +00:00
tusooa	1459d64508	Make regex-to-string descriptor reusable	2023-07-07 07:09:35 -04:00
tusooa	ba3aa4f86d	Fix edge cases	2023-07-07 06:58:32 -04:00
tusooa	ef8a6c539a	Make EmojiPolicy aware of custom emoji reactions	2023-07-07 06:58:31 -04:00
tusooa	20d193c91d	Improve config examples for EmojiPolicy	2023-07-07 06:58:31 -04:00
tusooa	f50422c380	Move emoji_policy.ex to the right place	2023-07-07 06:58:31 -04:00
tusooa	7eb8abf7bb	EmojiPolicy: Implement delist	2023-07-07 06:58:31 -04:00
tusooa	80ce6482f6	EmojiPolicy: implement remove by shortcode	2023-07-07 06:58:31 -04:00
tusooa	28ff828caa	Add emoji policy to remove emojis matching certain urls https://git.pleroma.social/pleroma/pleroma/-/issues/2775	2023-07-07 06:58:22 -04:00
Haelwenn (lanodan) Monnier	3d79ceb23a	Deprecate audio scrobbling	2023-07-04 03:40:11 +02:00
Haelwenn	a31a4c522f	Merge branch 'tusooa/3131-handle-report-from-deactivated-user' into 'develop' Fix handling report from a deactivated user Closes #3131 See merge request pleroma/pleroma!3915	2023-07-02 21:27:15 +00:00
tusooa	6e4de2383f	Fix handling report from a deactivated user	2023-07-02 11:15:34 -04:00
tusooa	a1621839cc	Fix user fetch completely broken if featured collection is not in a supported form	2023-07-02 11:03:09 -04:00
tusooa	48e490cd58	Merge branch 'bugfix/full-revert-media-host-validation' into 'develop' Merge Revert "Merge branch 'validate-host' into 'develop'" Closes #3136 See merge request pleroma/pleroma!3909	2023-07-01 21:54:18 +00:00
Haelwenn	043a00991d	Merge branch 'instance-nodeinfo-metadata' into 'develop' instances: Store some metadata based on NodeInfo See merge request pleroma/pleroma!3853	2023-06-27 18:58:04 +00:00
Haelwenn	ae0ca49451	Merge branch 'tusooa/3119-bio-update' into 'develop' Show more informative errors when profile exceeds char limits Closes #3119 See merge request pleroma/pleroma!3886	2023-06-27 18:49:43 +00:00
Haelwenn	41f2ee69a8	Merge branch 'from/upstream-develop/tusooa/backup-status' into 'develop' Detail backup states Closes #3024 See merge request pleroma/pleroma!3809	2023-06-27 12:08:11 +00:00
Haelwenn (lanodan) Monnier	d7e049d5e8	router: Fix usage of globs warning: doing a prefix match with globs is deprecated, invalid segment "pleromapath". You can either replace by a single segment match: /foo/bar-:var Or by mixing single segment match with globs: /foo/bar-:var/rest	2023-06-27 10:42:10 +02:00
Haelwenn (lanodan) Monnier	3a67b8f287	endpoint: Use custom Multipart module for dynamic configuration	2023-06-27 10:41:25 +02:00
Haelwenn (lanodan) Monnier	dd9f8150fc	Merge Revert "Merge branch 'validate-host' into 'develop'" This reverts commit `d998a114e2`, reversing changes made to `da6b4003ac`.	2023-06-22 21:28:25 +02:00
Sean King	a5a354a36e	Prevent bypassing authorized fetch mode with a json file	2023-06-21 23:10:56 -06:00
lain	4e6ea7cc91	Merge branch 'tusooa/3054-banned-delete' into 'develop' Fix deleting banned users' statuses See merge request pleroma/pleroma!3889	2023-06-11 13:17:12 +00:00
Lain Soykaf	6611c6ce4e	B ForceMentionsInContent: Fix test, refactor.	2023-06-11 16:45:31 +04:00
Lain Soykaf	55dd8ef1c7	Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into pleroma-double_mentions	2023-06-11 16:31:20 +04:00
lain	16313af7eb	Merge branch 'fix/metadata-tags' into 'develop' static frontend: fix meta tags See merge request pleroma/pleroma!3885	2023-06-11 11:57:16 +00:00
lain	1f4618d64b	Merge branch 'cleanup/ostatus-user-upgrade' into 'develop' Cleanup OStatus-era user upgrades and ap_enabled indicator See merge request pleroma/pleroma!3880	2023-06-11 11:13:57 +00:00
feld	75900f21f0	Merge branch 'revert-mediaproxy-host-validation' into 'develop' Revert MediaProxy Host header validation See merge request pleroma/pleroma!3902	2023-06-11 11:10:51 +00:00
lain	1db29f734f	Merge branch 'fep-fffd-url' into 'develop' CommonFields: Use BareUri for :url Closes #3121 See merge request pleroma/pleroma!3884	2023-06-11 11:02:39 +00:00
Mark Felder	fadcd7f1a9	Revert MediaProxy Host header validation Something is going wrong here even though the tests are correct.	2023-06-07 09:19:22 -04:00
Lain Soykaf	cbc5b8cebd	B Preload: Make sure that the preloaded json is html safe	2023-06-02 17:03:21 +04:00
Haelwenn	d998a114e2	Merge branch 'validate-host' into 'develop' Validate Host header for MediaProxy and Uploads See merge request pleroma/pleroma!3896	2023-05-31 00:50:01 +00:00
Mark Felder	b3c3bd99c3	Switch from serving a 400 to a 302	2023-05-30 16:56:09 -04:00
Mark Felder	9caa0b0be1	Add OnlyMedia Upload Filter to simplify restricting uploads to audio, image, and video types	2023-05-29 15:49:04 -04:00
Mark Felder	da7394f33b	Fix unused assignment	2023-05-29 15:09:31 -04:00
Mark Felder	a60dd0d92d	Validate Host header matches expected value before allowing access to Uploads	2023-05-29 14:16:03 -04:00
Mark Felder	843fcca5b4	Validate Host header matches expected value before allowing access to MediaProxy	2023-05-29 13:59:51 -04:00
faried nawaz	8b390d27dc	twitter card: handle case where image has no alt text	2023-05-29 02:52:49 +05:00
faried nawaz	52368e6702	fix meta tag for twitter cards and image attachments The name of the tag should be twitter:image, not twitter:player. Also, add twitter:image:alt meta tags.	2023-05-29 02:52:49 +05:00
faried nawaz	b6b7de2010	add url to Metadata.build_tags call If static_fe is enabled, going to https://pleroma/notice/some-id results in <meta content="https://pleroma/users/someuser" property="og:url"> With this fix, it is <meta content="https://pleroma/notice/some-id" property="og:url"> Additionally, Pleroma.Web.Metadata.Providers.OpenGraph now generates meta tags for attachments in the post.	2023-05-29 02:52:41 +05:00
Haelwenn (lanodan) Monnier	869f0d24a6	Merge branch 'release/2.5.2' into mergeback/2.5.2	2023-05-26 23:47:50 +02:00
Mark Felder	4505bc1e58	Filter OEmbed HTML tags	2023-05-26 19:56:36 +02:00
Mark Felder	0d68804aa7	Filter OEmbed HTML tags	2023-05-26 19:54:24 +02:00
tusooa	d0c2e0830b	Enforce unauth restrictions for public streaming endpoints	2023-05-26 19:24:08 +02:00
Haelwenn	b36263e5ff	Merge branch 'issue/3126' into 'develop' MediaProxyController: Apply CSP sandbox See merge request pleroma/pleroma!3890	2023-05-26 19:24:08 +02:00
Haelwenn	4339230f64	Merge branch 'tusooa/fix-object-test' into 'develop' Fix ObjectTest See merge request pleroma/pleroma!3887	2023-05-26 19:24:08 +02:00
Haelwenn	72833c84b5	Merge branch 'tusooa/rework-refetch' into 'develop' Make sure object refetching follows update rules See merge request pleroma/pleroma!3883	2023-05-26 19:24:08 +02:00
Mark Felder	38bcf6b19e	MediaProxyController: Apply CSP sandbox	2023-05-26 12:34:01 -04:00
Zero	279fd47b48	ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts The code checked for duplicates using "ap_id", but in Mastodon and Misskey the look like that: Mastodon: https://mastodon.example.com/users/roger Misskey: https:///misskey.example.com/users/104ab42f11 The fix is to also check for "uri", which is what will be in the "explicitly_mentioned_uris" list: Mastodon: https://mastodon.example.com/@roger Misskey: https://misskey.example.com/@roger	2023-05-26 12:30:19 -04:00
tusooa	1fa196d8f7	Fix deleting banned users' statuses	2023-05-25 19:00:38 -04:00
tusooa	2c66f584b5	Show more informative errors when profile exceeds char limits	2023-05-25 08:22:33 -04:00
tusooa	819a82da99	Fix unused variable	2023-05-22 08:19:58 -04:00
tusooa	505e58d4eb	Fix ObjectTest	2023-05-22 08:14:20 -04:00
Haelwenn	0524e66a05	Merge branch 'accept-tags-2.5' into 'develop' TagValidator: Drop unrecognized Tag types Closes #2952 See merge request pleroma/pleroma!3823	2023-05-17 19:04:51 +00:00
Haelwenn	ce1c0f75cd	Merge branch 'tusooa/3065-scopes' into 'develop' OAuth scopes descriptions Closes #3065 See merge request pleroma/pleroma!3848	2023-05-17 18:51:26 +00:00
Haelwenn (lanodan) Monnier	a5066bb078	CommonFields: Use BareUri for :url Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3121	2023-05-17 17:25:46 +02:00
Haelwenn (lanodan) Monnier	fb3335ffe2	EctoType: Add BareUri	2023-05-17 17:14:38 +02:00
tusooa	e170fc40dd	Fix build warning	2023-05-09 21:38:28 -04:00
tusooa	be5c5118cb	Make sure object refetching follows update rules	2023-05-09 21:04:27 -04:00
Henry Jameson	2a07411b0c	keep the websocket url for all modes	2023-05-07 15:34:17 +03:00
Henry Jameson	f50fd9278f	reduce redundant reduntancy reduction	2023-05-07 15:29:19 +03:00
Henry Jameson	f8ef4924ec	fix whitespace	2023-05-07 15:24:09 +03:00
Henry Jameson	c0d11da2d8	conditionally set csp depnding on media-proxy state	2023-05-07 15:16:30 +03:00
Haelwenn (lanodan) Monnier	fcd49e3985	User: Remove ap_enabled field	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	238edc30de	User: Remove ap_enabled?/1	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	9dfa1c4be0	ActivityPub: Mark fetch_and_prepare_user_from_ap_id/1 as private	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	8181be89a2	Federator: Stop using ap_enabled?/1	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	e17265a7a2	TransmogrifierWorker: Remove obsolete worker	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	2ee483ba41	Transmogrifier: Remove upgrade_user_from_ap_id	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	3962253cf1	Publisher: Stop filtering via ap_enabled?/1	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	606f78f5e5	ActivityPub: Stop relying on ap_enabled and upgrade_user_from_ap_id	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	0903c41645	User: Stop relying on ap_enabled	2023-05-05 11:11:26 +02:00
Haelwenn (lanodan) Monnier	4fd96b24ae	AddRemoveValidator: Use User.fetch_by_ap_id instead of upgrade_user_from_ap_id	2023-05-05 11:11:26 +02:00
tusooa	6d0ebccdb0	Make webui use translated scope descriptions	2023-05-02 16:32:33 -04:00
tusooa	85bdbb102e	Add extraction process for oauth scopes	2023-05-02 16:32:10 -04:00
HJ	675639225a	allow https: so that flash works across instances without need for media proxy	2023-04-28 11:13:42 +00:00
tusooa	248f914e6e	Merge branch 'list-installed-frontends' into 'develop' List installed frontend refs in admin API See merge request pleroma/pleroma!3862	2023-04-27 02:56:19 +00:00
tusooa	ddf57596be	Merge branch 'bugfix/content-disposition' into 'develop' UploadedMedia: Add missing disposition_type to Content-Disposition Closes #3114 See merge request pleroma/pleroma!3873	2023-04-26 15:39:20 +00:00
duponin	0231a09310	Remove SSH/BBS feature from core And link to sshocial, the replacement client for this removed feature	2023-04-23 10:47:07 +02:00
Haelwenn (lanodan) Monnier	2148ef5e2f	UploadedMedia: Increase readability via ~s sigil	2023-04-18 00:12:42 +02:00
Haelwenn (lanodan) Monnier	8f0f58e28b	UploadedMedia: Add missing disposition_type to Content-Disposition Set it to `inline` because the vast majority of what's sent is multimedia content while `attachment` would have the side-effect of triggering a download dialog. Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3114	2023-04-18 00:09:19 +02:00
Haelwenn	3867b52aef	Merge branch 'tusooa/3027-dedupe-poll' into 'develop' Dedupe poll options Closes #3027 See merge request pleroma/pleroma!3860	2023-04-13 08:40:04 +00:00

1 2 3 4 5 ...

9104 Commits