logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: 36789986c0b26a4f48ad13ccc5417ff22f85634c
parent 3b289a164386b994965d73a3c8aa61dc93181240
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date:   Sun, 27 Nov 2022 21:24:44 +0000

Merge branch 'mergeback/2.4.5' into 'develop'

Mergeback: 2.4.5

See merge request pleroma/pleroma!3794

Diffstat:

MCHANGELOG.md14++++++++++++++
Mmix.exs2+-
Mpriv/scrubbers/default.ex3++-
Mpriv/scrubbers/twitter_text.ex3++-
Mtest/pleroma/html_test.exs26++++++++++++++++++++++++++
5 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md @@ -63,6 +63,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Removed - Quack, the logging backend that pushes to Slack channels +## 2.4.5 - 2022-08-xx + +## Fixed +- Image `class` attributes not being scrubbed, allowing to exploit frontend special classes [!3792](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3792) +- Delete report notifs when demoting from superuser [!3642](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3642) +- Validate `mediaType` only by it's format rather than using a list [!3597](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3597) +- Pagination: Make mutes and blocks lists behave the same as other lists [!3693](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3693) +- Compatibility with Elixir 1.14 [!3740](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3740) +- Frontend installer: FediFE build URL [!3736](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3736) +- Streaming: Don't stream ChatMessage into the home timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738) +- Streaming: Stream local-only posts in the local timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738) +- Signatures: Fix `keyId` lookup for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725) +- Validator: Fix `replies` handling for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725) + ## 2.4.4 - 2022-08-19 ### Security diff --git a/mix.exs b/mix.exs @@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do def project do [ app: :pleroma, - version: version("2.4.53"), + version: version("2.4.55"), elixir: "~> 1.10", elixirc_paths: elixirc_paths(Mix.env()), compilers: [:phoenix, :gettext] ++ Mix.compilers(), diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex @@ -68,13 +68,14 @@ defmodule Pleroma.HTML.Scrubber.Default do @allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images]) if @allow_inline_images do + Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"]) + # restrict img tags to http/https only, because of MediaProxy. Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"]) Meta.allow_tag_with_these_attributes(:img, [ "width", "height", - "class", "title", "alt" ]) diff --git a/priv/scrubbers/twitter_text.ex b/priv/scrubbers/twitter_text.ex @@ -45,13 +45,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do # allow inline images for custom emoji if Pleroma.Config.get([:markup, :allow_inline_images]) do + Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"]) + # restrict img tags to http/https only, because of MediaProxy. Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"]) Meta.allow_tag_with_these_attributes(:img, [ "width", "height", - "class", "title", "alt" ]) diff --git a/test/pleroma/html_test.exs b/test/pleroma/html_test.exs @@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a> this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a> this is an image: <img src="http://example.com/image.jpg"><br /> + this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br /> <script>alert('hacked')</script> """ @@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do <img src="http://example.com/image.jpg" onerror="alert('hacked')"> """ + @html_stillimage_sample """ + <img class="still-image" src="http://example.com/image.jpg"> + """ + @html_span_class_sample """ <span class="animate-spin">hi</span> """ @@ -45,6 +50,7 @@ defmodule Pleroma.HTMLTest do this is a link with allowed &quot;rel&quot; attribute: example.com this is a link with not allowed &quot;rel&quot; attribute: example.com this is an image: + this is an inline emoji: alert(&#39;hacked&#39;) """ @@ -67,6 +73,7 @@ defmodule Pleroma.HTMLTest do this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a> this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a> this is an image: <img src="http://example.com/image.jpg"/><br/> + this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/> alert(&#39;hacked&#39;) """ @@ -90,6 +97,15 @@ defmodule Pleroma.HTMLTest do HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText) end + test "does not allow images with invalid classes" do + expected = """ + <img src="http://example.com/image.jpg"/> + """ + + assert expected == + HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText) + end + test "does allow microformats" do expected = """ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span> @@ -121,6 +137,7 @@ defmodule Pleroma.HTMLTest do this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a> this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a> this is an image: <img src="http://example.com/image.jpg"/><br/> + this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/> alert(&#39;hacked&#39;) """ @@ -143,6 +160,15 @@ defmodule Pleroma.HTMLTest do assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default) end + test "does not allow images with invalid classes" do + expected = """ + <img src="http://example.com/image.jpg"/> + """ + + assert expected == + HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText) + end + test "does allow microformats" do expected = """ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>