Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Conversation

Notices

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:44:16 JST Alex Gleason
Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:
yoursite.com/media -> media.yoursite.com yoursite.com/proxy -> proxy.yoursite.com
To do this, add the following configuration to your site:
config :pleroma, Pleroma.Upload, base_url: "https://media.yoursite.com" config :pleroma, :media_proxy, base_url: "https://proxy.yoursite.com"
You will need to add DNS records for the subdomains. For media, it’s recommended to use an S3 bucket (or equivalent). For the proxy, you can simply point the DNS to the same server, and edit your Nginx file. A sample Nginx file is here: https://termbin.com/tj7q You’re on your own setting up letsencrypt, etc.
Here’s what does NOT work:
- A CSP one-liner in Nginx. That’s not how CSP works. CSP affects the page it was loaded on, not other resources. This is straight up misinformation.
- Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.
In conversation Saturday, 27-May-2023 02:44:16 JST from gleasonator.com permalink
Attachments
1. Untitled attachment
2. Untitled attachment
3. Untitled attachment
4. Untitled attachment
5. Untitled attachment
  
  Invalid filename.
- ぐぬ管 (GNU social JP管理人) likes this.
- ぐぬ管 (GNU social JP管理人) repeated this.
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:51:04 JST Alex Gleason
  in reply to
  - nekobit
  @nekofag Not for the media proxy. It takes the upstream content-type header. I think there are workarounds for local media to get a harmful content-type even if the file extension doesn't match.
  
  In conversation Saturday, 27-May-2023 02:51:04 JST permalink
- Embed this notice
  nekobit (nekofag@rdrama.cc)'s status on Saturday, 27-May-2023 02:51:05 JST nekobit
  in reply to
  
  @alex does the .js trick work
  
  In conversation Saturday, 27-May-2023 02:51:05 JST permalink
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:59:29 JST Alex Gleason
  in reply to
  - Leaf Lord
  @Leaflord I think so, but they're so small I can't see them.
  
  In conversation Saturday, 27-May-2023 02:59:29 JST permalink
- Embed this notice
  Leaf Lord (leaflord@leafposter.club)'s status on Saturday, 27-May-2023 02:59:30 JST Leaf Lord
  in reply to
  
  Alex, give it to me straight, has my extensive collection of illicit unwarranted cock pics been leaked?
  
  In conversation Saturday, 27-May-2023 02:59:30 JST permalink
- Embed this notice
  Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 27-May-2023 02:59:45 JST Fediverse Contractor
  in reply to
  
  Are you sure this the final solution Alex? I see ppl saying a lot of different stuff.
  
  In conversation Saturday, 27-May-2023 02:59:45 JST permalink
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 03:14:10 JST Alex Gleason
  in reply to
  
  It's kind of amazing to see people rushing to fix the wrong thing.
  In conversation Saturday, 27-May-2023 03:14:10 JST permalink
  Attachments
  1. Untitled attachment
    https://media.gleasonator.com/fd9dfc4166017ea755c42f9c7e285699e4c04eadb9c3c1f1185b104be5d3dbf6.png
  2. Untitled attachment
    https://media.gleasonator.com/38e27cde25c0b49f2b8cc0c0861030e9300d9bb52ba5149a7a16b526626a5425.png
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 03:23:37 JST Alex Gleason
  in reply to
  - lainy
  - NEETzsche
  @NEETzsche No I want @lain to do it.
  
  In conversation Saturday, 27-May-2023 03:23:37 JST permalink
- Embed this notice
  NEETzsche (neetzsche@iddqd.social)'s status on Saturday, 27-May-2023 03:23:38 JST NEETzsche
  in reply to
  
  @alex stop arguing with retards online and write the patch
  
  In conversation Saturday, 27-May-2023 03:23:38 JST permalink
- Embed this notice
  lainy (lain@lain.com)'s status on Saturday, 27-May-2023 03:29:22 JST lainy
  in reply to
  - NEETzsche
  @NEETzsche @alex the advice was still correct, i just found a separate exploit that wasn't used, apparently. The one I found is fixed by the CSP setting, the more general one that we found in our oembed parser/pleroma-fe is being fixed by a new release we're preparing, but moving the media and proxy to their own domains like alex recommended will also fix both issues.
  
  In conversation Saturday, 27-May-2023 03:29:22 JST permalink
  
  Fediverse Contractor likes this.
- Embed this notice
  NEETzsche (neetzsche@iddqd.social)'s status on Saturday, 27-May-2023 03:29:23 JST NEETzsche
  in reply to
  - lainy
  @alex @lain fucking why, as punishment for giving incorrect nginx advice?
  
  In conversation Saturday, 27-May-2023 03:29:23 JST permalink
  
  Fediverse Contractor likes this.
- Embed this notice
  Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 27-May-2023 03:32:18 JST Fediverse Contractor
  in reply to
  - lainy
  - NEETzsche
  Is one fix better than the other?
  
  In conversation Saturday, 27-May-2023 03:32:18 JST permalink
- Embed this notice
  twizzay (twizzay@thisis.mylegendary.quest)'s status on Saturday, 27-May-2023 03:42:49 JST twizzay
  in reply to
  - :sprout: evil mental tofu haver
  - Lapineige
  @alex
  
  As I understand it, those of us already on a subdomain don't need to worry about this since the vulnerability only affects instances on the root domain correct?
  
  CC: @FloatingGhost @Lapineige
  
  In conversation Saturday, 27-May-2023 03:42:49 JST permalink
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 03:42:49 JST Alex Gleason
  in reply to
  @twizzay @FloatingGhost @Lapineige Incorrect. The media and proxy URLs need to be on a different domain than the main server.
  
  In conversation Saturday, 27-May-2023 03:42:49 JST permalink
- Embed this notice
  sapphire (sapphire@needs.vodka)'s status on Saturday, 27-May-2023 04:47:41 JST sapphire
  in reply to
  - lainy
  - NEETzsche
  @lain @alex @NEETzsche curious why poast was hit if graf already had his images separated
  
  In conversation Saturday, 27-May-2023 04:47:41 JST permalink
- Embed this notice
  lainy (lain@lain.com)'s status on Saturday, 27-May-2023 04:47:41 JST lainy
  in reply to
  - NEETzsche
  - sapphire
  @sapphire @alex @NEETzsche probably through the proxy, then, if that was still on the same domain
  
  In conversation Saturday, 27-May-2023 04:47:41 JST permalink
- Embed this notice
  ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:22:42 JST ?? Humpleupagus ??
  in reply to
  
  Would blocking nostr federation work? And if so, how could that be done?
  
  In conversation Saturday, 27-May-2023 05:22:42 JST permalink
- Embed this notice
  penguin (penguin@eveningzoo.club)'s status on Saturday, 27-May-2023 05:23:12 JST penguin
  in reply to
  - ?? Humpleupagus ??
  yesssss
  
  😃🍿
  
  In conversation Saturday, 27-May-2023 05:23:12 JST permalink
- Embed this notice
  AlabasterBrick ?‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:26:27 JST AlabasterBrick ?‍☠️
  in reply to
  - ?? Humpleupagus ??
  - Hunter S. Bloomfer
  Get yer pfp fixed bro
  
  In conversation Saturday, 27-May-2023 05:26:27 JST permalink
- Embed this notice
  Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:26:28 JST Hunter S. Bloomfer
  in reply to
  - ?? Humpleupagus ??
  By pissing in bots breakfast cereals, for bringing it up in the first place.
  
  In conversation Saturday, 27-May-2023 05:26:28 JST permalink
- Embed this notice
  AlabasterBrick ?‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:27:16 JST AlabasterBrick ?‍☠️
  in reply to
  - ?? Humpleupagus ??
  - Hunter S. Bloomfer
  Noone else but you can see it. 😄
  
  In conversation Saturday, 27-May-2023 05:27:16 JST permalink
- Embed this notice
  Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:27:17 JST Hunter S. Bloomfer
  in reply to
  - ?? Humpleupagus ??
  - AlabasterBrick ?‍☠️
  Works for me
  
  In conversation Saturday, 27-May-2023 05:27:17 JST permalink
- Embed this notice
  ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:27:29 JST ?? Humpleupagus ??
  in reply to
  - Hunter S. Bloomfer
  I thought the token was sent as a nostr public key over the mostr relay, so I'm thinking that blocking the relay should prevent that.
  
  In conversation Saturday, 27-May-2023 05:27:29 JST permalink
- Embed this notice
  Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:27:48 JST Hunter S. Bloomfer
  in reply to
  - ?? Humpleupagus ??
  Jokes aside, i don't think it would. Nostr was just used because why not. The user names looks stupid enough that just a glance over any server logs wouldn't cause suspicion
  
  In conversation Saturday, 27-May-2023 05:27:48 JST permalink
  
  ?? Humpleupagus ?? likes this.
- Embed this notice
  ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:29:17 JST ?? Humpleupagus ??
  in reply to
  - Hunter S. Bloomfer
  So it's more like camouflage than a required means of delivery. 🤔
  
  In conversation Saturday, 27-May-2023 05:29:17 JST permalink
  
  Alex Gleason likes this.
- Embed this notice
  Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:29:58 JST Hunter S. Bloomfer
  in reply to
  - ?? Humpleupagus ??
  Yep, it was a pretty sneaky way of doing so
  
  In conversation Saturday, 27-May-2023 05:29:58 JST permalink
  
  ?? Humpleupagus ?? likes this.
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:30:05 JST Alex Gleason
  in reply to
  - ?? Humpleupagus ??
  @Humpleupagus Lol no.
  
  In conversation Saturday, 27-May-2023 05:30:05 JST permalink
- Embed this notice
  AlabasterBrick ?‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:32:35 JST AlabasterBrick ?‍☠️
  in reply to
  - ?? Humpleupagus ??
  - Hunter S. Bloomfer
  You clever dick
  
  In conversation Saturday, 27-May-2023 05:32:35 JST permalink
- Embed this notice
  Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:32:36 JST Hunter S. Bloomfer
  in reply to
  - ?? Humpleupagus ??
  - AlabasterBrick ?‍☠️
  What if you are looking at my new PFP?
  
  In conversation Saturday, 27-May-2023 05:32:36 JST permalink
- Embed this notice
  ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:38:16 JST ?? Humpleupagus ??
  in reply to
  
  What if I just delete the Zoo? Will it be secure then? 🤔
  
  In conversation Saturday, 27-May-2023 05:38:16 JST permalink
  
  Alex Gleason likes this.
- Embed this notice
  AlabasterBrick ?‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:40:04 JST AlabasterBrick ?‍☠️
  in reply to
  - ?? Humpleupagus ??
  - Hunter S. Bloomfer
  *polack nigga
  
  In conversation Saturday, 27-May-2023 05:40:04 JST permalink
- Embed this notice
  Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:40:05 JST Hunter S. Bloomfer
  in reply to
  - ?? Humpleupagus ??
  - AlabasterBrick ?‍☠️
  I'm just a silly nigger
  
  In conversation Saturday, 27-May-2023 05:40:05 JST permalink
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:47:02 JST Alex Gleason
  in reply to
  - lainy
  - NEETzsche
  - sapphire
  @lain @sapphire @NEETzsche It's because /media was still exposed in addition to the subdomain.
  
  In conversation Saturday, 27-May-2023 05:47:02 JST permalink
- Embed this notice
  Sheriff CJ (The Impostor)?? (colonelj@freespeechextremist.com)'s status on Saturday, 27-May-2023 10:13:33 JST Sheriff CJ (The Impostor)??
  in reply to
  
  @alex I have people saying you guys fixed the wrong thing and are lying to your users hit I'm not a tech guy so it all sounds like mumbo jumbo to me 🤷
  
  In conversation Saturday, 27-May-2023 10:13:33 JST permalink
  
  Fediverse Contractor likes this.

Feeds