Screenshot showing a followed user using the ActivityPub WordPress plugin.
https://bunnyt1c.s3.us-east-005.backblazeb2.com/calckeysoc/ba92cd22-7029-459b-8d3a-46c6d3231746.png
@pfefferle@mastodon.social
Just to follow up on this.
Using this:
https://blog.rac.me.uk/tag/owasp3/
I updated '/etc/modsecurity/crs-setup.conf'
Searched for rule '900220'
And added (rather than uncomment the existing rule):
SecAction \
"id:900220,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/activity+json|'"
Confirmed that ModSecurity was still enabled:
/etc/modsecurity/modsecurity.conf
# SecRuleEngine DetectionOnly
SecRuleEngine On
Restarted Apache.
And now I can follow / unfollow the author at will.
Thank you for pointing me to this.
Cheers!
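
Added example, not part of the original post and not code from ModSecurity or the CRS project: a small offline check that reads a crs-setup.conf-style SecAction and reports whether a request's Content-Type falls inside `tx.allowed_request_content_type`. The sample configuration is constructed (the post's list shortened to three entries), the function names are hypothetical, and the matching is a simplified model that assumes only the media type before any `;` parameter is compared.

```python
import re

# Constructed sample: the SecAction from the post as it would sit in
# crs-setup.conf, with the list shortened to three of the post's entries.
CRS_SETUP = r'''
SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |application/json| |application/activity+json|'"
'''

def allowed_types(conf: str) -> set[str]:
    """Return the media types from the last uncommented allowed-content-type setvar."""
    # Drop commented-out lines so a disabled stock rule is not mistaken for an active one.
    active = "\n".join(
        line for line in conf.splitlines() if not line.lstrip().startswith("#")
    )
    found = re.findall(r"setvar:'tx\.allowed_request_content_type=([^']*)'", active)
    if not found:
        return set()
    # Entries are written as |type| separated by spaces; split on the pipes.
    return {t.strip().lower() for t in found[-1].split("|") if t.strip()}

def is_allowed(content_type_header: str, allowed: set[str]) -> bool:
    """Assumption: only the media type is compared, parameters are ignored."""
    media_type = content_type_header.split(";", 1)[0].strip().lower()
    return media_type in allowed

if __name__ == "__main__":
    allowed = allowed_types(CRS_SETUP)
    for header in (
        "application/activity+json; charset=utf-8",
        'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
        "text/html",
    ):
        verdict = "allowed" if is_allowed(header, allowed) else "not in list"
        print(f"{header!r}: {verdict}")
```

The second sample header is the other media type ActivityPub defines; the list in the post does not include it, so the check reports it as not in the list.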