Commit graph

89 commits

Author SHA1 Message Date
Oneric 0ec62acb9d Always insert Dedupe upload filter
This actually was already intended before to eradicate all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.

Even without Dedupe, the upload path is prefixed by a UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigans occur, uploads
reliably work and save some disk space.

While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successful preimage attack against
SHA-256, which is deemed infeasible for the foreseeable future.

Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridden by whatever the
config generated by the "pleroma.instance gen" task chose.

Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
Oneric fef773ca35 Drop media base_url default and recommend different domain
Same-domain setups enabled now at least two exploits,
so they ought to be discouraged and definitely not be the default.
2024-03-18 22:33:10 -01:00
FloatingGhost 0b2ec0ccee Enable AnonymizeFilenames on all uploads 2023-08-04 15:37:15 +01:00
ilja 6c396fcab4 Remove "default" image description
When no image description is filled in, Pleroma allowed fallbacks.
Those were (based on a setting) either the filename, or a fixed description.
Neither are good options for image descriptions imo, so here we remove this.

Note that there are two tests removed which supposedly tested something else.
But examining closer, they didn't seem to test what they claimed to test,
so I removed them rather than try to "fix" them.
2023-03-12 08:42:33 +01:00
floatingghost 07a48b9293 giant massive dep upgrade and dialyxir-found error emporium (#371)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/371
2022-12-14 12:38:48 +00:00
floatingghost 2641dcdd15 Post editing (#202)
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/202
2022-09-06 19:24:02 +00:00
Alex Gleason f2134e605b Merge remote-tracking branch 'pleroma/develop' into cycles-base-url 2021-05-31 16:49:46 -05:00
Alex Gleason 51a9f97e87 Deprecate Pleroma.Web.base_url/0
Use Pleroma.Web.Endpoint.url/0 directly instead. Reduces compiler cycles.
2021-05-31 16:48:03 -05:00
Alex Gleason 543e9402d6 Support blurhash 2021-05-14 09:07:16 -05:00
Alex Gleason ab9eabdf20 Add SetMeta filter to store uploaded image sizes 2021-05-12 15:07:31 -05:00
feld 2926713fe5 Merge branch 'deprecate-public_endpoint' into 'develop'
Deprecate Uploaders.S3, :public_endpoint

See merge request pleroma/pleroma!3251
2021-01-20 22:48:48 +00:00
Mark Felder f0ab60189e truncated_namespace should default to nil 2021-01-13 11:54:00 -06:00
Haelwenn (lanodan) Monnier c4439c630f Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
Mark Felder c35e6fb516 Provide a non-nil fallback for Upload.base_url/0 for tests using TestUploaderSuccess as the uploader 2021-01-12 16:34:24 -06:00
Mark Felder 12528edc34 Fix another ad-hoc construction of the upload base_url 2021-01-12 16:32:52 -06:00
feld fa63f1b55b Apply 4 suggestion(s) to 2 file(s) 2021-01-10 01:34:54 +00:00
Mark Felder e8bf060e6e Move construction of S3 base URL with optional namespace and bucket to Upload.base_url/0
Now we should have a correct base URL for S3 hosted objects throughout the codebase.
2021-01-08 17:32:42 -06:00
Mark Felder 530fb5b29e Avoid duplicate Config calls 2021-01-08 17:32:42 -06:00
Mark Felder ad79983614 Fix URL generated for backup files, try to create a source of truth we can reuse throughout the codebase 2021-01-08 17:32:42 -06:00
Mark Felder 55562ca936 Merge branch 'develop' into feature/gen-magic 2020-09-10 16:05:22 -05:00
lain aabc26a573 Pleroma.Upload: Set default upload name / description based on config. 2020-08-18 13:21:30 +02:00
lain af7720237b Upload: Restrict description length 2020-07-06 11:08:13 +02:00
href f124f68205 Switch from gen_magic to majic, use Majic.Plug, remove Pleroma.MIME 2020-06-16 15:27:27 +02:00
lain cc0d462e91 Attachments: Have the mediaType on the root, too. 2020-05-21 15:08:56 +02:00
Egor Kislitsyn 6802dc28ba Add OpenAPI spec for PleromaAPI.AccountController 2020-05-13 19:06:46 +04:00
Mark Felder 05da5f5cca Update Copyrights 2020-03-03 16:44:49 -06:00
Alexander Strizhakov 32d1e04817 ActivityPub actions & side-effects in transaction 2020-03-01 12:01:39 +03:00
Haelwenn (lanodan) Monnier 3c6fd0bb99 upload.ex: Remove deprecated configuration 2019-10-18 12:34:09 +02:00
feld 84fca14c3c Do not prepend /media/ when using base_url
This ensures admin has full control over the path where media resides.
2019-07-24 15:35:25 +00:00
Haelwenn (lanodan) Monnier 69a5074893 Remove H1 in @moduledoc 2019-05-06 04:53:12 +02:00
rinpatch e2fe796c63 Add some tests 2019-03-14 22:02:48 +03:00
rinpatch 5a73cae2be WIP: Stop mangling filenames 2019-03-12 09:10:19 +03:00
rinpatch 4263edc9c9 Properly escape reserved URI characters in upload urls 2019-03-05 18:09:23 +03:00
Haelwenn (lanodan) Monnier 106f4e7a0f Credo fixes: parameter consistency 2019-02-09 14:59:20 +01:00
Mark Felder 0c08bd4181 Update Mogrify docs and warning for deprecated syntax to encourage
users to enable both strip and auto-orient
2019-02-03 16:39:42 +00:00
lambda 646bb87816 Merge branch 'fix/elixir-1-8-type-annotation' into 'develop'
Fix Elixir 1.8 type annotation issue

Closes #523

See merge request pleroma/pleroma!668
2019-01-15 08:51:59 +00:00
Haelwenn (lanodan) Monnier 9fcdca1bdc Upload: Fix uploading with a : in the filename 2019-01-15 07:57:48 +01:00
Haelwenn (lanodan) Monnier e3eb75bd23 Upload: Fix uploading with a ? in the filename 2019-01-15 07:40:39 +01:00
Maxim Filippov e8eff9fe03 Fix Elixir 1.8 type annotation issue 2019-01-15 02:58:48 +02:00
Shadowfacts 42b7584068 URI escape file upload URLs 2019-01-14 11:31:44 -05:00
William Pitcock 980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock 2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
Maksim Pechnikov e94c3442f4 updates 2018-12-10 13:27:37 +03:00
Maksim Pechnikov 074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
href 65e7307d68 Upload: bring back base_url 2018-11-30 18:02:50 +01:00
href 5d92431350 Fix deprecation warnings 2018-11-30 18:02:50 +01:00
href 02d3dc6869 Uploads fun, part. 2 2018-11-30 18:02:37 +01:00
href b19597f602 reverse proxy / uploads 2018-11-30 18:00:47 +01:00
rinpatch 0d229613df Fix lint error 2018-11-27 19:07:58 +03:00
rinpatch 7f20a3cf1f Add Theora detection to upload.ex 2018-11-27 17:51:02 +03:00