GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:44:16 JST

    Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:

    yoursite.com/media -> media.yoursite.com
    yoursite.com/proxy -> proxy.yoursite.com

    To do this, add the following configuration to your site:

    config :pleroma, Pleroma.Upload, base_url: "https://media.yoursite.com"
    config :pleroma, :media_proxy, base_url: "https://proxy.yoursite.com"

    You will need to add DNS records for the subdomains. For media, it’s recommended to use an S3 bucket (or equivalent). For the proxy, you can simply point the DNS to the same server, and edit your Nginx file. A sample Nginx file is here: https://termbin.com/tj7q You’re on your own setting up letsencrypt, etc.

    Here’s what does NOT work:

    • A CSP one-liner in Nginx. That’s not how CSP works. CSP affects the page it was loaded on, not other resources. This is straight up misinformation.

    • Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.

    In conversation Saturday, 27-May-2023 02:44:16 JST from gleasonator.com permalink

    • ぐぬ管 (GNU social JP管理人) likes this.
    • ぐぬ管 (GNU social JP管理人) repeated this.
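A check for the origin separation the post above recommends, added here as an example; it is not code from the post, nor from Pleroma, Akkoma or Rebased. It takes the instance URL and the two configured base_url values and reports whether each one sits on a different browser origin (scheme, host, port) from the main site, treating an unset value as "still served from the main domain". The yoursite.com values are constructed samples that mirror the placeholders in the post.

```python
"""Origin-separation check for a Pleroma-style instance's uploads and media
proxy. Added example; not code from the post above or from Pleroma, Akkoma
or Rebased. The instance and subdomain values below are constructed samples
mirroring the yoursite.com placeholders used in the post."""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the browser origin (scheme, host, port) of an absolute URL.

    The path is deliberately ignored: yoursite.com/media has the same
    origin as yoursite.com, which is why a path prefix isolates nothing.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    """True if two URLs share scheme, host and port (the path is irrelevant)."""
    return origin(a) == origin(b)


def check_media_isolation(instance_url: str,
                          upload_base_url: Optional[str],
                          proxy_base_url: Optional[str]) -> list:
    """Return (severity, message) findings for the two base_url settings.

    An unset base_url is treated as 'served from the main domain', i.e. the
    yoursite.com/media and yoursite.com/proxy situation the post describes.
    'fail' means content still shares the main site's origin; 'warn' means
    uploads and proxied media share an origin with each other instead of
    using two separate subdomains as the post does. Empty list = isolated.
    """
    findings = []
    for label, url in (("Pleroma.Upload base_url", upload_base_url),
                       (":media_proxy base_url", proxy_base_url)):
        if url is None:
            findings.append(("fail", f"{label} is unset; content is served from {instance_url}"))
        elif same_origin(instance_url, url):
            findings.append(("fail", f"{label} {url} shares an origin with {instance_url}"))
    if upload_base_url and proxy_base_url and same_origin(upload_base_url, proxy_base_url):
        findings.append(("warn", "uploads and media proxy share one origin; the post uses two subdomains"))
    return findings


# Constructed sample configurations (not real instances).
UNPATCHED = {"instance_url": "https://yoursite.com",
             "upload_base_url": None, "proxy_base_url": None}
PATH_ONLY = {"instance_url": "https://yoursite.com",
             "upload_base_url": "https://yoursite.com/media",
             "proxy_base_url": "https://yoursite.com/proxy"}
SEPARATED = {"instance_url": "https://yoursite.com",
             "upload_base_url": "https://media.yoursite.com",
             "proxy_base_url": "https://proxy.yoursite.com"}

if __name__ == "__main__":
    for name, cfg in (("unpatched", UNPATCHED), ("path only", PATH_ONLY),
                      ("separated", SEPARATED)):
        print(f"{name}: {check_media_isolation(**cfg) or 'OK'}")
```

This inspects configuration values only. As a later reply in this thread points out, the old /media path on the main domain can remain reachable even after the subdomain is configured, so the web server configuration still has to be checked to confirm that uploads and proxied media are no longer served from the main host.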
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:51:04 JST
      in reply to
      • nekobit
      @nekofag Not for the media proxy. It takes the upstream content-type header. I think there are workarounds for local media to get a harmful content-type even if the file extension doesn't match.
      In conversation Saturday, 27-May-2023 02:51:04 JST permalink
    • nekobit (nekofag@rdrama.cc)'s status on Saturday, 27-May-2023 02:51:05 JST
      in reply to
      @alex does the .js trick work
      In conversation Saturday, 27-May-2023 02:51:05 JST permalink
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:59:29 JST
      in reply to
      • Leaf Lord
      @Leaflord I think so, but they're so small I can't see them.
      In conversation Saturday, 27-May-2023 02:59:29 JST permalink
    • Leaf Lord (leaflord@leafposter.club)'s status on Saturday, 27-May-2023 02:59:30 JST
      in reply to
      Alex, give it to me straight, has my extensive collection of illicit unwarranted cock pics been leaked?
      In conversation Saturday, 27-May-2023 02:59:30 JST permalink
    • Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 27-May-2023 02:59:45 JST
      in reply to
      Are you sure this is the final solution, Alex? I see ppl saying a lot of different stuff.
      In conversation Saturday, 27-May-2023 02:59:45 JST permalink
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 03:14:10 JST
      in reply to
      It's kind of amazing to see people rushing to fix the wrong thing.
      In conversation Saturday, 27-May-2023 03:14:10 JST permalink

      Attachments
      1. https://media.gleasonator.com/fd9dfc4166017ea755c42f9c7e285699e4c04eadb9c3c1f1185b104be5d3dbf6.png
      2. https://media.gleasonator.com/38e27cde25c0b49f2b8cc0c0861030e9300d9bb52ba5149a7a16b526626a5425.png
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 03:23:37 JST
      in reply to
      • lainy
      • NEETzsche
      @NEETzsche No I want @lain to do it.
      In conversation Saturday, 27-May-2023 03:23:37 JST permalink
    • NEETzsche (neetzsche@iddqd.social)'s status on Saturday, 27-May-2023 03:23:38 JST
      in reply to
      @alex stop arguing with retards online and write the patch
      In conversation Saturday, 27-May-2023 03:23:38 JST permalink
    • lainy (lain@lain.com)'s status on Saturday, 27-May-2023 03:29:22 JST
      in reply to
      • NEETzsche
      @NEETzsche @alex the advice was still correct, I just found a separate exploit that wasn't used, apparently. The one I found is fixed by the CSP setting; the more general one that we found in our oembed parser/pleroma-fe is being fixed by a new release we're preparing, but moving the media and proxy to their own domains like Alex recommended will also fix both issues.
      In conversation Saturday, 27-May-2023 03:29:22 JST permalink
      Fediverse Contractor likes this.
    • NEETzsche (neetzsche@iddqd.social)'s status on Saturday, 27-May-2023 03:29:23 JST
      in reply to
      • lainy
      @alex @lain fucking why, as punishment for giving incorrect nginx advice?
      In conversation Saturday, 27-May-2023 03:29:23 JST permalink
      Fediverse Contractor likes this.
    • Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 27-May-2023 03:32:18 JST
      in reply to
      • lainy
      • NEETzsche
      Is one fix better than the other?
      In conversation Saturday, 27-May-2023 03:32:18 JST permalink
    • twizzay (twizzay@thisis.mylegendary.quest)'s status on Saturday, 27-May-2023 03:42:49 JST
      in reply to
      • :sprout: evil mental tofu haver
      • Lapineige
      @alex

      As I understand it, those of us already on a subdomain don't need to worry about this, since the vulnerability only affects instances on the root domain, correct?

      CC: @FloatingGhost @Lapineige
      In conversation Saturday, 27-May-2023 03:42:49 JST permalink
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 03:42:49 JST
      in reply to
      • :sprout: evil mental tofu haver
      • twizzay
      • Lapineige

      @twizzay @FloatingGhost @Lapineige Incorrect. The media and proxy URLs need to be on a different domain than the main server.

      In conversation Saturday, 27-May-2023 03:42:49 JST permalink
    • sapphire (sapphire@needs.vodka)'s status on Saturday, 27-May-2023 04:47:41 JST
      in reply to
      • lainy
      • NEETzsche
      @lain @alex @NEETzsche curious why poast was hit if graf already had his images separated
      In conversation Saturday, 27-May-2023 04:47:41 JST permalink
    • lainy (lain@lain.com)'s status on Saturday, 27-May-2023 04:47:41 JST
      in reply to
      • NEETzsche
      • sapphire
      @sapphire @alex @NEETzsche probably through the proxy, then, if that was still on the same domain
      In conversation Saturday, 27-May-2023 04:47:41 JST permalink
    • ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:22:42 JST
      in reply to
      Would blocking nostr federation work? And if so, how could that be done?
      In conversation Saturday, 27-May-2023 05:22:42 JST permalink
    • penguin (penguin@eveningzoo.club)'s status on Saturday, 27-May-2023 05:23:12 JST
      in reply to
      • ?? Humpleupagus ??
      yesssss

      😃🍿
      In conversation Saturday, 27-May-2023 05:23:12 JST permalink
    • AlabasterBrick 🏴‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:26:27 JST
      in reply to
      • ?? Humpleupagus ??
      • Hunter S. Bloomfer
      Get yer pfp fixed bro
      In conversation Saturday, 27-May-2023 05:26:27 JST permalink
    • Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:26:28 JST
      in reply to
      • ?? Humpleupagus ??
      By pissing in bots breakfast cereals, for bringing it up in the first place.
      In conversation Saturday, 27-May-2023 05:26:28 JST permalink
    • AlabasterBrick 🏴‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:27:16 JST
      in reply to
      • ?? Humpleupagus ??
      • Hunter S. Bloomfer
      No one else but you can see it. 😄
      In conversation Saturday, 27-May-2023 05:27:16 JST permalink
    • Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:27:17 JST
      in reply to
      • ?? Humpleupagus ??
      • AlabasterBrick ?‍☠️
      Works for me
      In conversation Saturday, 27-May-2023 05:27:17 JST permalink
    • ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:27:29 JST
      in reply to
      • Hunter S. Bloomfer
      I thought the token was sent as a nostr public key over the mostr relay, so I'm thinking that blocking the relay should prevent that.
      In conversation Saturday, 27-May-2023 05:27:29 JST permalink
    • Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:27:48 JST
      in reply to
      • ?? Humpleupagus ??
      Jokes aside, I don't think it would. Nostr was just used because why not. The user names look stupid enough that just a glance over any server logs wouldn't cause suspicion.
      In conversation Saturday, 27-May-2023 05:27:48 JST permalink
      ?? Humpleupagus ?? likes this.
    • ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:29:17 JST
      in reply to
      • Hunter S. Bloomfer
      So it's more like camouflage than a required means of delivery. 🤔
      In conversation Saturday, 27-May-2023 05:29:17 JST permalink
      Alex Gleason likes this.
    • Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:29:58 JST
      in reply to
      • ?? Humpleupagus ??
      Yep, it was a pretty sneaky way of doing so
      In conversation Saturday, 27-May-2023 05:29:58 JST permalink
      ?? Humpleupagus ?? likes this.
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:30:05 JST
      in reply to
      • ?? Humpleupagus ??
      @Humpleupagus Lol no.
      In conversation Saturday, 27-May-2023 05:30:05 JST permalink
    • AlabasterBrick 🏴‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:32:35 JST
      in reply to
      • ?? Humpleupagus ??
      • Hunter S. Bloomfer
      You clever dick
      In conversation Saturday, 27-May-2023 05:32:35 JST permalink
    • Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:32:36 JST
      in reply to
      • ?? Humpleupagus ??
      • AlabasterBrick ?‍☠️
      What if you are looking at my new PFP?
      In conversation Saturday, 27-May-2023 05:32:36 JST permalink
    • ?? Humpleupagus ?? (humpleupagus@eveningzoo.club)'s status on Saturday, 27-May-2023 05:38:16 JST
      in reply to
      What if I just delete the Zoo? Will it be secure then? 🤔
      In conversation Saturday, 27-May-2023 05:38:16 JST permalink
      Alex Gleason likes this.
    • AlabasterBrick 🏴‍☠️ (alabasterbrick@nicecrew.digital)'s status on Saturday, 27-May-2023 05:40:04 JST
      in reply to
      • ?? Humpleupagus ??
      • Hunter S. Bloomfer
      *polack nigga
      In conversation Saturday, 27-May-2023 05:40:04 JST permalink
    • Hunter S. Bloomfer (bloomfer@coolsite.win)'s status on Saturday, 27-May-2023 05:40:05 JST
      in reply to
      • ?? Humpleupagus ??
      • AlabasterBrick ?‍☠️
      I'm just a silly nigger
      In conversation Saturday, 27-May-2023 05:40:05 JST permalink
    • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 05:47:02 JST
      in reply to
      • lainy
      • NEETzsche
      • sapphire
      @lain @sapphire @NEETzsche It's because /media was still exposed in addition to the subdomain.
      In conversation Saturday, 27-May-2023 05:47:02 JST permalink
    • Sheriff CJ (The Impostor)?? (colonelj@freespeechextremist.com)'s status on Saturday, 27-May-2023 10:13:33 JST
      in reply to
      @alex I have people saying you guys fixed the wrong thing and are lying to your users, but I'm not a tech guy so it all sounds like mumbo jumbo to me 🤷
      In conversation Saturday, 27-May-2023 10:13:33 JST permalink
      Fediverse Contractor likes this.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.