Merge branch 'mergeback/2.4.5' into 'develop'
Mergeback: 2.4.5 See merge request pleroma/pleroma!3794
This commit is contained in:
commit
36789986c0
5 changed files with 45 additions and 3 deletions
14
CHANGELOG.md
14
CHANGELOG.md
|
@ -63,6 +63,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
### Removed
|
||||
- Quack, the logging backend that pushes to Slack channels
|
||||
|
||||
## 2.4.5 - 2022-08-xx
|
||||
|
||||
## Fixed
|
||||
- Image `class` attributes not being scrubbed, allowing to exploit frontend special classes [!3792](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3792)
|
||||
- Delete report notifs when demoting from superuser [!3642](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3642)
|
||||
- Validate `mediaType` only by it's format rather than using a list [!3597](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3597)
|
||||
- Pagination: Make mutes and blocks lists behave the same as other lists [!3693](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3693)
|
||||
- Compatibility with Elixir 1.14 [!3740](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3740)
|
||||
- Frontend installer: FediFE build URL [!3736](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3736)
|
||||
- Streaming: Don't stream ChatMessage into the home timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738)
|
||||
- Streaming: Stream local-only posts in the local timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738)
|
||||
- Signatures: Fix `keyId` lookup for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725)
|
||||
- Validator: Fix `replies` handling for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725)
|
||||
|
||||
## 2.4.4 - 2022-08-19
|
||||
|
||||
### Security
|
||||
|
|
2
mix.exs
2
mix.exs
|
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
|
|||
def project do
|
||||
[
|
||||
app: :pleroma,
|
||||
version: version("2.4.53"),
|
||||
version: version("2.4.55"),
|
||||
elixir: "~> 1.10",
|
||||
elixirc_paths: elixirc_paths(Mix.env()),
|
||||
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
|
||||
|
|
|
@ -68,13 +68,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
|||
@allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
|
||||
|
||||
if @allow_inline_images do
|
||||
Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
|
||||
|
||||
# restrict img tags to http/https only, because of MediaProxy.
|
||||
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
|
||||
|
||||
Meta.allow_tag_with_these_attributes(:img, [
|
||||
"width",
|
||||
"height",
|
||||
"class",
|
||||
"title",
|
||||
"alt"
|
||||
])
|
||||
|
|
|
@ -45,13 +45,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
|||
|
||||
# allow inline images for custom emoji
|
||||
if Pleroma.Config.get([:markup, :allow_inline_images]) do
|
||||
Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
|
||||
|
||||
# restrict img tags to http/https only, because of MediaProxy.
|
||||
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
|
||||
|
||||
Meta.allow_tag_with_these_attributes(:img, [
|
||||
"width",
|
||||
"height",
|
||||
"class",
|
||||
"title",
|
||||
"alt"
|
||||
])
|
||||
|
|
|
@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
|
|||
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
|
||||
this is an image: <img src="http://example.com/image.jpg"><br />
|
||||
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br />
|
||||
<script>alert('hacked')</script>
|
||||
"""
|
||||
|
||||
|
@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
|
|||
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
||||
"""
|
||||
|
||||
@html_stillimage_sample """
|
||||
<img class="still-image" src="http://example.com/image.jpg">
|
||||
"""
|
||||
|
||||
@html_span_class_sample """
|
||||
<span class="animate-spin">hi</span>
|
||||
"""
|
||||
|
@ -45,6 +50,7 @@ test "works as expected" do
|
|||
this is a link with allowed "rel" attribute: example.com
|
||||
this is a link with not allowed "rel" attribute: example.com
|
||||
this is an image:
|
||||
this is an inline emoji:
|
||||
alert('hacked')
|
||||
"""
|
||||
|
||||
|
@ -67,6 +73,7 @@ test "normalizes HTML as expected" do
|
|||
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
||||
this is an image: <img src="http://example.com/image.jpg"/><br/>
|
||||
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
|
||||
alert('hacked')
|
||||
"""
|
||||
|
||||
|
@ -90,6 +97,15 @@ test "does not allow spans with invalid classes" do
|
|||
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||
end
|
||||
|
||||
test "does not allow images with invalid classes" do
|
||||
expected = """
|
||||
<img src="http://example.com/image.jpg"/>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||
end
|
||||
|
||||
test "does allow microformats" do
|
||||
expected = """
|
||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||
|
@ -121,6 +137,7 @@ test "normalizes HTML as expected" do
|
|||
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
||||
this is an image: <img src="http://example.com/image.jpg"/><br/>
|
||||
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
|
||||
alert('hacked')
|
||||
"""
|
||||
|
||||
|
@ -143,6 +160,15 @@ test "does not allow spans with invalid classes" do
|
|||
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
|
||||
end
|
||||
|
||||
test "does not allow images with invalid classes" do
|
||||
expected = """
|
||||
<img src="http://example.com/image.jpg"/>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||
end
|
||||
|
||||
test "does allow microformats" do
|
||||
expected = """
|
||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||
|
|
Loading…
Reference in a new issue