Conversation
(mint@ryona.agency)'s status on Saturday, 27-May-2023 23:13:47 JST @Tadano @PurpCat It is, both the CSP header for /media/ and the rich media exploit.
https://git.pleroma.social/pleroma/pleroma/-/commit/0d68804aa7efc4f3212e02218804755da93d03f0
https://git.pleroma.social/pleroma/pleroma/-/commit/38bcf6b19e3d83cb6c4e6c82d237a26edcab167a
Moving the media to a subdomain might or might not be worth it depending on who you ask. You might also block access to js/html/svg uploads, that's what I did at least before more info dropped.
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 23:13:45 JST Alex Gleason @mint @Tadano @PurpCat None of these things actually fix the problem. 🤦♂️ Are they really gonna make me fix it?
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 23:23:32 JST Alex Gleason @PurpCat @Tadano @mint
Some Purple Cat (purpcat@boks.moe)'s status on Saturday, 27-May-2023 23:23:35 JST Some Purple Cat @alex @Tadano @mint pleroma devs trying to fix a security hole
Some Purple Cat (purpcat@boks.moe)'s status on Saturday, 27-May-2023 23:44:30 JST Some Purple Cat @verita84 @Tadano @alex @mint
verita84 :Debian_logo: :firefox: :bing: :android: (verita84@poster.place)'s status on Saturday, 27-May-2023 23:44:31 JST verita84 :Debian_logo: :firefox: :bing: :android: @alex @Tadano @PurpCat @mint
The needful must be done sirs :pajeet:
Can you do the needful? :pajeet:
feld (feld@bikeshed.party)'s status on Sunday, 28-May-2023 00:14:17 JST feld Explain the problem ??
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 28-May-2023 00:22:10 JST Alex Gleason @feld @Tadano @PurpCat @mint It’s twofold:
- We need a new upload filter called MimeFilter that lets you specify a whitelist of mime types with wildcard support, defaulting to audio/*, video/*, image/*
- We need a plug at the end of /media and /proxy which blacklists a specific set of known harmful mimes including application/javascript and svg. Those should be rewritten to text/plain.
Bonus points: sanitizing the oembed html is good, but Pleroma FE actually needs to be patched to put the HTML into a sandboxed iframe. Soapbox doesn’t have this problem because it doesn’t blindly inject the oembed onto the page.
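The two stages described above, as an added example that is not Pleroma's code (written in Python rather than Elixir so the policy logic can be run on its own): a wildcard allowlist applied at upload time, then a serve-time denylist for /media and /proxy that rewrites known-harmful types to text/plain. The function names and both lists are constructed for this example; note that `image/svg+xml` passes the `image/*` allowlist and is only caught by the second stage, which is why both are needed.

```python
from fnmatch import fnmatchcase

# Defaults as proposed in the thread; both lists are constructed for this example.
UPLOAD_ALLOWLIST = ("audio/*", "video/*", "image/*")
SERVE_DENYLIST = frozenset({
    "application/javascript", "text/javascript",  # script bodies
    "text/html", "application/xhtml+xml",         # active documents
    "image/svg+xml",                              # matches image/* yet can carry <script>
})
SAFE_TYPE = "text/plain; charset=utf-8"


def base_type(content_type):
    """Reduce 'Image/SVG+XML; charset=utf-8' to 'image/svg+xml' (empty if absent)."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def upload_allowed(content_type, allowlist=UPLOAD_ALLOWLIST):
    """Stage 1 (the proposed MimeFilter): accept only types matching the wildcard allowlist."""
    base = base_type(content_type)
    return bool(base) and any(fnmatchcase(base, pattern) for pattern in allowlist)


def serve_headers(content_type, denylist=SERVE_DENYLIST):
    """Stage 2 (the proposed plug on /media and /proxy): rewrite denylisted types to text/plain.
    A missing type is neutralised too, and nosniff stops the browser from guessing
    a more dangerous type than the one declared here."""
    base = base_type(content_type)
    declared = SAFE_TYPE if (not base or base in denylist) else content_type.strip()
    return {"content-type": declared, "x-content-type-options": "nosniff"}


def decide(content_type):
    """Run both stages for one upload: (accepted at upload?, content-type it would be served with)."""
    if not upload_allowed(content_type):
        return (False, None)
    return (True, serve_headers(content_type)["content-type"])


if __name__ == "__main__":
    for ct in ("image/png", "image/svg+xml", "application/javascript", "Audio/OGG; codecs=opus", ""):
        print(f"{ct!r:40} -> {decide(ct)}")
```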
feld (feld@bikeshed.party)'s status on Sunday, 28-May-2023 00:25:21 JST feld Yeah we tried building a good mime filter but there's no good way to do it with Elixir right now. Mime/magic database has backwards incompatible changes every update which makes targeting it a nightmare for releases. Jordan/href spent months working and researching this.
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 28-May-2023 00:27:14 JST Alex Gleason @feld @Tadano @PurpCat @mint It works good enough to filter only audio, video, and images.
tfw no bpd yandere gf (mischievoustomato@breastmilk.club)'s status on Sunday, 28-May-2023 08:00:44 JST tfw no bpd yandere gf @alex @Tadano @feld @PurpCat @mint lmao, i remember people speculating soapbox was the problem