Commit graph

11 commits

Author SHA1 Message Date
Oneric
0ec62acb9d Always insert Dedupe upload filter
This actually was already intended before to eradict all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.

Even without Dedupe, the upload path is prefixed by an UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigangs occur, uploads
reliably work and save some disk space.

While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successfull preimage attack against
SHA-256, which is deemed infeasible for the foreseeable futures.

Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridde by whatever the
config generated by the "pleroma.instance gen" task chose.

Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
Ivan Tashkinov
2634a16b4c Merge remote-tracking branch 'remotes/origin/develop' into feature/object-hashtags-rework
# Conflicts:
#	CHANGELOG.md
2021-01-21 20:20:35 +03:00
feld
2926713fe5 Merge branch 'deprecate-public_endpoint' into 'develop'
Deprecate Uploaders.S3, :public_endpoint

See merge request pleroma/pleroma!3251
2021-01-20 22:48:48 +00:00
Ivan Tashkinov
3f88e33a71 [#3251] Fixed wrong test-env config setting for [Pleroma.Upload]. Refactoring. Added warning to clear_config/_ to minimize such issues in future. 2021-01-16 23:05:31 +03:00
Ivan Tashkinov
e350898828 Merge remote-tracking branch 'remotes/origin/develop' into feature/object-hashtags-rework 2021-01-13 22:11:16 +03:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
lain
e1e7e4d379 Object: Rework how Object.normalize works
Now it defaults to not fetching, and the option is named.
2021-01-04 13:38:31 +01:00
Ivan Tashkinov
e369b1306b Added Hashtag entity and objects-hashtags association with auto-sync with data.tag on Object update. 2020-12-22 22:04:33 +03:00
rinpatch
6ca709816f Fix object spoofing vulnerability in attachments
Validate the content-type of the response when fetching an object,
according to https://www.w3.org/TR/activitypub/#x3-2-retrieving-objects.

content-type headers had to be added to many mocks in order to support
this, some of this was done with a regex. While I did go over the
resulting files to check I didn't modify anything unrelated, there is a
 possibility I missed something.

Closes pleroma#1948
2020-11-12 15:25:33 +03:00
Mark Felder
40f3cdc030 JPEG content_type must be image/jpeg 2020-10-13 10:37:24 -05:00
Alexander Strizhakov
7dffaef479
tests consistency 2020-10-13 16:35:09 +03:00
Renamed from test/object_test.exs (Browse further)