Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://ryona.agency/objects/b633671b-3e52-484d-a8d6-690533adb353"> (mint@ryona.agency)'s status on Saturday, 27-May-2023 23:13:47 JST</a><a href="https://ryona.agency/users/mint" title="mint@ryona.agency"><img src="https://gnusocial.jp/avatar/1002-48-20220724171046.webp" width="48" height="48" alt="" style="position: absolute; left: 0; top: 0;"></a><div><ul><li><li><a href="https://gnusocial.jp/user/117563" title="purpcat@boks.moe">Some Purple Cat</a></li></ul></div></section><article><a href="https://amala.schwartzwelt.xyz/users/Tadano">@Tadano</a> <a href="https://boks.moe/users/PurpCat">@PurpCat</a> It is, both the CSP header for /media/ and the rich media exploit.<br><a href="https://git.pleroma.social/pleroma/pleroma/-/commit/0d68804aa7efc4f3212e02218804755da93d03f0" rel="nofollow noreferrer">https://git.pleroma.social/pleroma/pleroma/-/commit/0d68804aa7efc4f3212e02218804755da93d03f0</a><br><a href="https://git.pleroma.social/pleroma/pleroma/-/commit/38bcf6b19e3d83cb6c4e6c82d237a26edcab167a" rel="nofollow noreferrer">https://git.pleroma.social/pleroma/pleroma/-/commit/38bcf6b19e3d83cb6c4e6c82d237a26edcab167a</a><br>Moving the media to subdomain might or might not be worth it depending on who you ask. You might also block access to js/html/svg uploads, that's what I did at least before more info dropped.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1593588#notice-3142471">In conversation</a><time datetime="2023-05-27T23:13:47+09:00" title="Saturday, 27-May-2023 23:13:47 JST">Saturday, 27-May-2023 23:13:47 JST</time> <span>from <span><a href="https://ryona.agency/objects/b633671b-3e52-484d-a8d6-690533adb353" rel="external" title="Sent from ryona.agency via ActivityPub">ryona.agency</a></span></span><a href="https://ryona.agency/objects/b633671b-3e52-484d-a8d6-690533adb353">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: git.pleroma.social</div><h5><a href="https://git.pleroma.social/pleroma/pleroma/-/commit/0d68804aa7efc4f3212e02218804755da93d03f0">Filter OEmbed HTML tags (0d68804a) · Commits · Pleroma / pleroma · GitLab</a></h5><div></div></header><div>Pleroma backend</div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: git.pleroma.social</div><h5><a href="https://git.pleroma.social/pleroma/pleroma/-/commit/38bcf6b19e3d83cb6c4e6c82d237a26edcab167a">MediaProxyController: Apply CSP sandbox (38bcf6b1) · Commits · Pleroma / pleroma · GitLab</a></h5><div></div></header><div>Pleroma backend</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
(mint@ryona.agency)'s status on Saturday, 27-May-2023 23:13:47 JST
- Tadano
- Some Purple Cat
@Tadano @PurpCat It is, both the CSP header for /media/ and the rich media exploit.
https://git.pleroma.social/pleroma/pleroma/-/commit/0d68804aa7efc4f3212e02218804755da93d03f0
https://git.pleroma.social/pleroma/pleroma/-/commit/38bcf6b19e3d83cb6c4e6c82d237a26edcab167a
Moving the media to subdomain might or might not be worth it depending on who you ask. You might also block access to js/html/svg uploads, that's what I did at least before more info dropped.
In conversationSaturday, 27-May-2023 23:13:47 JST from ryona.agencypermalink
Attachments
1. Domain not in remote thumbnail source whitelist: git.pleroma.social
  Filter OEmbed HTML tags (0d68804a) · Commits · Pleroma / pleroma · GitLab
  Pleroma backend
2. Domain not in remote thumbnail source whitelist: git.pleroma.social
  MediaProxyController: Apply CSP sandbox (38bcf6b1) · Commits · Pleroma / pleroma · GitLab
  Pleroma backend

Public

Embed Notice

HTML Code

Corresponding Notice