Mark Felder
7a2ed2fc90
Credo
2020-10-06 17:26:31 -05:00
								
Mark Felder
d43d05005a
Move hardcoded default configuration into config.exs
2020-10-06 17:02:46 -05:00
								
Mark Felder
35ee759e74
Add helper function to convert single IPs into CIDR format if they were not provided that way
2020-10-05 11:49:56 -05:00
								
Ivan Tashkinov
60b025b782
[#2074] OAuth scope checking in Streaming API.
2020-09-19 19:16:55 +03:00
								
lain
ea2b5c07e3
Merge branch 'stable' of git.pleroma.social:pleroma/pleroma into pleroma-2.1-rc0
2020-08-25 15:38:12 +02:00
								
lain
6a25f72a75
FrontendStatic: Work correctly for other frontend types.
2020-07-29 13:02:48 +02:00
								
lain
ad5c42628a
FrontendStatic: Add plug to serve frontends based on configuration.
2020-07-28 17:35:16 +02:00
								
lain
14c28dcbd1
InstanceStatic: Refactor.
2020-07-28 15:44:47 +02:00
								
feld
3f65f2ea79
Merge branch 'feature/1922-media-proxy-whitelist' into 'develop'
Support for hosts with scheme in MediaProxy whitelist setting
Closes #1922
See merge request pleroma/pleroma!2754
2020-07-14 18:07:44 +00:00
								
Ivan Tashkinov
9b225db7d8
[#1940] Applied rate limit for requests with bad admin_token. Added doc warnings on admin_token setting.
2020-07-14 11:58:41 +03:00
								
Ivan Tashkinov
cf3f8cb72a
[#1940] Reinstated OAuth-less admin_token authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence).
2020-07-19 21:35:57 +03:00
								
Alexander Strizhakov
b376442325
MediaProxy whitelist setting now supports hosts with scheme
added deprecation warning about using bare domains
2020-07-12 12:41:40 +03:00
								
Mark Felder
d23804f191
Use the Pleroma.Config alias
2020-07-09 10:53:51 -05:00
								
Mark Felder
49c4e24953
Merge branch 'develop' into fix/csp-for-captcha
2020-07-09 09:08:59 -05:00
								
Mark Felder
da4029391d
IO list, not concatenation
2020-07-06 11:28:08 -05:00
								
Mark Felder
65843d92c4
Simplify the logic
2020-07-06 10:59:41 -05:00
								
lain
158c26d7dd
StaticFE Plug: Use phoenix helper to get the requested format.
2020-07-06 12:11:10 +02:00
								
Mark Felder
af612bd006
Ensure all CSP parameters for remote hosts have a scheme
2020-07-05 10:11:43 -05:00
								
Mark Felder
e9a28078ad
Rename function and clarify that CSP is only strict with MediaProxy enabled
2020-07-03 17:18:22 -05:00
								
Mark Felder
eaa59daa4c
Add Captcha endpoint to CSP headers when MediaProxy is enabled.
Our CSP rules are lax when MediaProxy enabled, but lenient otherwise.
This fixes broken captcha on instances not using MediaProxy.
2020-07-03 17:06:20 -05:00
								
lain
a5bbfa21a1
StaticFE: Prioritize json in requests.
2020-06-26 16:27:39 +02:00
								
Mark Felder
2731ea1334
Change references from "deleted_urls" to "banned_urls" as nothing is handled via media deletions anymore; all actions are manual operations by an admin to ban the url
2020-06-17 13:13:55 -05:00
								
Maksim Pechnikov
2e8a236cef
fix invalidates media url's
2020-06-14 21:02:57 +03:00
								
feld
90676bdfe3
Merge branch 'fix/csp-mediaproxy-base-url' into 'develop'
HTTP security plug: add media proxy base url host to csp
See merge request pleroma/pleroma!2638
2020-06-12 20:43:59 +03:00
								
rinpatch
cd2df734dd
Merge branch 'bugfix/csp-unproxied' into 'develop'
http_security_plug.ex: Fix non-proxied media
See merge request pleroma/pleroma!2610
2020-06-12 20:43:36 +03:00
								
Haelwenn (lanodan) Monnier
e313aa0977
static-fe.css: Restore and move to /priv/static/static-fe
2020-06-12 20:42:43 +03:00
								
Mark Felder
7f7a1a4676
Check for media proxy base_url, not Upload base_url
2020-06-11 11:05:22 -05:00
								
rinpatch
99afc7f4e4
HTTP security plug: add media proxy base url host to csp
2020-06-10 20:09:16 +03:00
								
rinpatch
a51284b60a
Merge branch 'fix/mediaproxy-bypass-emoji' into 'develop'
Fix profile emojis bypassing mediaproxy and harden CSP
Closes #1810
See merge request pleroma/pleroma!2596
2020-06-08 00:58:30 +03:00
								
rinpatch
d23b3701d8
Merge branch 'bugfix/csp-unproxied' into 'develop'
http_security_plug.ex: Fix non-proxied media
See merge request pleroma/pleroma!2610
2020-05-29 21:23:49 +00:00
								
rinpatch
109af93227
Apply suggestion to lib/pleroma/plugs/http_security_plug.ex
2020-05-29 21:15:07 +00:00
								
Alex Gleason
d38f28870e
Add blob: to connect-src CSP
2020-05-29 11:08:17 -05:00
								
Haelwenn (lanodan) Monnier
da1e31fae3
http_security_plug.ex: Fix non-proxied media
2020-05-29 17:20:09 +02:00
								
rinpatch
27180611df
HTTP Security plug: make starting csp string generation more readable
2020-05-29 12:32:48 +03:00
								
rinpatch
29ff6d414b
HTTP security plug: Harden img-src and media-src when MediaProxy is enabled
2020-05-27 21:41:19 +03:00
								
rinpatch
455a402c8a
HTTP Security plug: rewrite &csp_string/0
- Directives are now separated with ";" instead of " ;",
according to https://www.w3.org/TR/CSP2/#policy-parsing
the space is optional
- Use an IO list, which at the end gets converted to a binary as
opposed to ++ing a bunch of arrays with binaries together and joining
them to a string. I doubt it gives any significant real world advantage,
but the code is cleaner and now I can sleep at night.
- The static part of csp is pre-joined to a single binary at compile time.
Same reasoning as the last point.
2020-05-27 21:31:47 +03:00
								
lain
bfdd90f6d7
AuthenticationPlug: Also update crypt passwords.
2020-05-17 11:40:25 +02:00
								
lain
baef35bcc8
Authentication Plug: Update bcrypt password on login.
2020-05-17 10:31:01 +02:00
								
Alex Gleason
5b0f27d23d
Pbkdf2.verify_pass --> AuthenticationPlug.checkpw
2020-05-14 08:57:38 -05:00
								
Alex Gleason
9cbf17d59f
Handle bcrypt passwords for Mastodon migration
2020-05-13 10:53:56 -05:00
								
Alex Gleason
b46811a074
Upgrade Comeonin to v5
https://github.com/riverrun/comeonin/blob/master/UPGRADE_v5.md
2020-05-12 17:14:59 -05:00
								
Maksim
3d0c567fbc
Pleroma.Web.TwitterAPI.TwoFactorAuthenticationController -> Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController
2020-05-07 08:14:54 +00:00
								
lain
07e7c80bc9
Merge branch 'plug-if-unless-func-options-refactoring' into 'develop'
Refactoring of :if_func / :unless_func plug options
See merge request pleroma/pleroma!2446
2020-05-06 09:14:05 +00:00
								
Haelwenn (lanodan) Monnier
c6ddfa8f95
static-fe.css: Restore and move to /priv/static/static-fe
2020-05-02 08:28:42 +02:00
								
rinpatch
b6ca8cc539
Merge branch 'bugfix/1727-fix-signature-decoding' into 'develop'
Bugfix/1727 fix signature decoding
Closes #1727
See merge request pleroma/pleroma!2454
2020-05-01 22:10:42 +03:00
								
lain
3453e54e6b
MappedSignatureToIdentityPlug: Fix.
2020-05-01 15:58:47 +02:00
								
lain
a4afeed426
Uploads: Sandbox them in the CSP.
2020-05-01 01:37:26 +03:00
								
Ivan Tashkinov
862d4886c9
[#1682] Fixed Basic Auth permissions issue by disabling OAuth scopes checks when password is provided. Refactored plugs skipping functionality.
2020-05-01 01:00:37 +03:00
								
rinpatch
da4923f2e5
Merge branch 'authenticated-api-oauth-check-enforcement' into 'develop'
Enforcement of OAuth scopes check for authenticated API endpoints
See merge request pleroma/pleroma!2349
2020-05-01 00:58:40 +03:00
								
Alex Gleason
6e0b046771
Let blob: pass CSP
2020-05-01 00:40:09 +03:00