Commit graph

15 commits

Author SHA1 Message Date
Oneric
0c2b33458d Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)

Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.

E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:

  17.465.096  at  t0
  17.472.673  at  t1 = t0 + 4h
  17.473.248  at  t2 = t1 + 20min

This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.

Thus restrict media usage to owners.

Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.

Independently discovered and fixed by mint in Pleroma
1afde067b1
2024-05-22 20:30:18 +02:00
Oneric
34a48cb87f scheduled_activity: mark private functions as private
And remove unused due_activities/1
2024-05-22 20:18:08 +02:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Egor Kislitsyn
7803a85d2c
Add OpenAPI spec for StatusController 2020-05-13 00:25:21 +04:00
Haelwenn (lanodan) Monnier
6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a --stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
2020-03-02 06:08:45 +01:00
Maksim Pechnikov
8589632d09 fixed delete ScheduledActivity 2020-01-23 17:18:23 +03:00
Maksim Pechnikov
ce7c887a27 removed try/rescue 2020-01-23 11:05:08 +03:00
Maksim Pechnikov
3c3bba0b7c fix ScheduledActivity 2019-12-04 21:18:05 +03:00
Maksim Pechnikov
3a0a400fe1 add @type to ScheduledActivity 2019-12-04 09:53:01 +03:00
Maksim Pechnikov
652cc6ba4b updated ScheduledActivity 2019-12-04 09:12:17 +03:00
Egor Kislitsyn
b5dfe83433 Replace Pleroma.FlakeId with flake_id hex package 2019-09-25 17:14:31 +07:00
eugenijm
2056efa714 Add scheduler for sending scheduled activities to the queue 2019-04-06 23:56:29 +03:00
eugenijm
fc92a0fd8d Added limits and media attachments for scheduled activities. 2019-04-06 23:55:58 +03:00
eugenijm
b3870df51f Handle scheduled_at on status creation. 2019-04-06 23:55:58 +03:00
eugenijm
7bf622ce73 Add scheduled activities 2019-04-06 23:55:58 +03:00