Mark Felder 2c79509453 Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded, which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org
2023-08-04 08:40:27 +02:00
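The commit describes two places where the archive endpoint has to refuse untrusted paths: the pack name itself, and the file list read from pack.json. The following is an added illustration of those checks in Python, not Pleroma's Elixir code; the emoji root directory, the pack.json layout (a "files" map of shortcode to relative path) and all sample names are assumptions constructed for the example.

```python
"""Illustrative re-creation (not Pleroma's code) of the confinement checks
the fix above implies: a pack name must be a plain directory name under the
emoji root, and every file a pack.json lists must resolve inside that pack's
own directory. Paths and names here are constructed examples."""
import re
from posixpath import commonpath, join, normpath
from typing import Dict, List, Optional

EMOJI_ROOT = "/var/lib/pleroma/static/emoji"      # assumed install layout
SAFE_PACK_NAME = re.compile(r"[A-Za-z0-9_-]+")     # one path component only


def resolve_pack_dir(pack_name: str) -> Optional[str]:
    """Return the pack directory for an allowlisted name, else None.

    An allowlist is stricter than stripping '..': it also rejects absolute
    paths, separators, percent signs and the empty string in one test.
    """
    if not SAFE_PACK_NAME.fullmatch(pack_name):
        return None
    return join(EMOJI_ROOT, pack_name)


def within(parent: str, candidate: str) -> bool:
    """True if the normalized candidate lies strictly inside parent.

    Lexical check only; a deployment should also realpath() both sides so a
    symlink planted inside the pack directory cannot point elsewhere.
    """
    parent, candidate = normpath(parent), normpath(candidate)
    return candidate != parent and commonpath([parent, candidate]) == parent


def files_for_archive(pack_name: str, pack_json: Dict) -> List[str]:
    """Compute the list of files the archive endpoint is allowed to zip.

    Raise instead of silently skipping: a pack.json pointing outside its own
    directory is worth logging, not a quirk to tolerate.
    """
    pack_dir = resolve_pack_dir(pack_name)
    if pack_dir is None:
        raise ValueError("rejected pack name: %r" % pack_name)
    allowed = []
    for shortcode, rel_path in pack_json.get("files", {}).items():
        full = join(pack_dir, rel_path)       # absolute rel_path replaces pack_dir
        if not within(pack_dir, full):
            raise ValueError("emoji %r escapes pack dir: %r" % (shortcode, rel_path))
        allowed.append(full)
    return allowed
```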

About

Pleroma is microblogging server software that can federate (that is, exchange messages) with other servers that support ActivityPub. This means you can host a server for yourself or your friends and stay in control of your online identity, while still exchanging messages with people on larger servers. Pleroma will federate with all servers that implement ActivityPub, such as Friendica, GNU Social, Hubzilla, Mastodon, Misskey, Peertube, and Pixelfed.

Pleroma is written in Elixir and uses PostgreSQL for data storage. It's efficient enough to be run on low-power devices like the Raspberry Pi (though we wouldn't recommend storing the database on the internal SD card ;) but scales well when run on more powerful hardware (albeit only single-node for now).

For clients it supports the Mastodon client API with Pleroma extensions (see the API section on https://docs-develop.pleroma.social).

Installation

If you are running Linux (glibc or musl) on x86/arm, the recommended way to install Pleroma is by using OTP releases. OTP releases are as close as you can get to binary releases with Erlang/Elixir. The release is self-contained, and provides everything needed to boot it. The installation instructions are available here.

From Source

If your platform is not supported, or you just want to be able to edit the source code easily, you may install Pleroma from source.

OS/Distro packages

Currently Pleroma is packaged for YunoHost, NixOS, Gentoo through GURU and Archlinux through AUR. You may find more at https://repology.org/project/pleroma/versions.
If you want to package Pleroma for any OS/Distros, we can guide you through the process on our community channels. If you want to change default options in your Pleroma package, please discuss it with us first.

Docker

While we don't provide Dockerfiles, other people have written very good ones. Take a look at https://github.com/angristan/docker-pleroma or https://glitch.sh/sn0w/pleroma-docker.

Raspberry Pi

A community-maintained Raspberry Pi image that you can flash and run Pleroma on is available at https://github.com/guysoft/PleromaPi.

Compilation Troubleshooting

If you encounter compilation issues while updating Pleroma, you can try these commands and see if they fix things:

  • mix deps.clean --all
  • mix local.rebar
  • mix local.hex
  • rm -r _build

If you are not developing Pleroma, it is better to use the OTP release, which comes with everything precompiled.

Documentation

Community Channels