@ringo @ringo no, i'm deliberately unclear here about the exact details because i want to give people a few more hours to add that line to nginx before people with lots of free time start trying to exploit it.

Generally, the average pleroma user should be safe, even if they use mediaproxy. the likelihood that someone who isn't specifically attacked and tricked into clicking something will trigger this exploit is very low.