akkoma/lib/pleroma/web
Oneric a4fa2ec9af StealEmoji: make final paths infeasible to predict
Certain attacks rely on predictable paths for their payloads.
If we weren’t so overly lax in our (id, URL) check, the current
counterfeit activity exploit would be one of those.
It seems plausible for future attacks to hinge on
or be made easier by predictable paths too.

In general, letting remote actors place arbitrary data at
a path within our domain of their choosing (sans prefix)
just doesn’t seem like a good idea.

Using fully random filenames would have worked as well, but this
is less friendly for admins checking emoji dirs.
The generated suffix should still be more than enough;
an attacker needs on average 140 trillion attempts to
correctly guess the final path.
2024-03-18 22:33:10 -01:00
Name | Last commit | Date
activity_pub | StealEmoji: make final paths infeasible to predict | 2024-03-18 22:33:10 -01:00
admin_api | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
akkoma_api | add selection UI | 2023-03-28 12:44:52 +01:00
api_spec | Merge branch 'followback' into develop | 2024-02-16 13:27:40 +00:00
auth | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
common_api | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
fallback | ensure we send the right files for preferred fe | 2023-03-12 23:59:10 +00:00
federator | |
feed | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
mailer | |
mastodon_api | Merge pull request 'Return last_status_at as date, not datetime' (#681) from katafrakt/akkoma:fix-last-status-at into develop | 2024-02-17 11:37:19 +00:00
media_proxy | |
metadata | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
mongoose_im | |
nodeinfo | Mix format | 2023-04-14 17:56:34 +01:00
o_auth | update tests for oauth consumer | 2023-12-17 21:48:19 +00:00
o_status | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
pleroma_api | Exclude deactivated users from emoji reaction lists | 2023-07-17 17:53:03 +01:00
plugs | Limit instance emoji to image types | 2024-03-18 22:33:10 -01:00
preload/providers | |
push | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
rich_media | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
static_fe | Fix Twitter metadata | 2024-02-19 21:09:43 +00:00
templates | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
twitter_api | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
utils | |
views | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
web_finger | |
api_spec.ex | |
common_api.ex | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
controller_helper.ex | |
embed_controller.ex | Add embed controller tests | 2023-07-17 19:18:21 +01:00
endpoint.ex | Fix Content-Type of our schema | 2024-03-18 22:33:10 -01:00
federator.ex | |
gettext.ex | |
instance_document.ex | |
manifest_controller.ex | |
masto_fe_controller.ex | Migrate to phoenix 1.7 (#626) | 2023-08-15 10:22:18 +00:00
media_proxy.ex | Drop media proxy same-domain default for base_url | 2024-03-18 22:33:10 -01:00
metadata.ex | |
o_auth.ex | |
pipelines.ex | |
plug.ex | |
preload.ex | |
push.ex | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
rel_me.ex | |
router.ex | mastodon_api: Add /api/v1/preferences endpoint | 2023-08-12 09:28:24 -04:00
streamer.ex | Enforce unauth restrictions for public streaming endpoints | 2023-06-14 22:45:19 +00:00
swagger.ex | |
telemetry.ex | Use fallbacks of summary metrics for prometheus | 2024-02-12 02:00:09 +01:00
translation_helpers.ex | |
uploader_controller.ex | |
web_finger.ex | Support elixir1.15 | 2023-08-03 17:44:09 +01:00
xml.ex | Add XML matcher | 2023-08-07 11:12:14 +01:00