By mapping all extensions related to our custom privileged types back to innocuous text/plain, our custom types will never automatically be inserted, which was one of the factors making impersonation possible. Note that this does not invalidate the upload and emoji Content-Type restrictions from previous commits. Apart from counterfeit AP objects there are other payloads with standard types this protects against, e.g. *.js JavaScript payloads as used in prior frontend injections.
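The asymmetric mapping the commit message describes, as an added illustration written for this page in Python rather than the project's own Elixir configuration: the type-to-extension direction stays intact so the server can still emit its own privileged documents, while the extension-to-type direction (the one a user-controlled file name reaches) is forced to text/plain. The privileged type list, the extra set of demoted standard extensions, the method names and the sample file names are all assumptions, not taken from the repository.

```python
"""Extension -> Content-Type lookup that can never select a privileged type.

Hypothetical Python illustration, not Pleroma/Akkoma code. PRIVILEGED_TYPES,
DEMOTED_EXTENSIONS and the sample file names are assumptions made for this
example.
"""
import mimetypes
import posixpath

FALLBACK = "text/plain"

# Types the server may set only on documents it generates itself; a file name
# chosen by an uploader must never be able to select them (assumed set).
PRIVILEGED_TYPES = {
    "application/activity+json": ["activity+json"],
    "application/ld+json": ["activity+json"],
    "application/jrd+json": ["jrd+json"],
    "application/xrd+xml": ["xrd+xml"],
}

# Standard types that are still dangerous when served from an upload host
# (script execution, XSS), also forced to the fallback (assumed set).
DEMOTED_EXTENSIONS = {"js", "mjs", "html", "htm", "svg", "xml", "json"}


class MimeTable:
    def __init__(self, privileged=PRIVILEGED_TYPES, demoted=DEMOTED_EXTENSIONS):
        # Outbound direction (type -> extensions): used when the server emits
        # its own documents, so content negotiation keeps working.
        self._type_to_exts = {t: list(exts) for t, exts in privileged.items()}
        # Inbound direction (extension -> type): used for user-supplied names.
        # Every privileged or demoted extension resolves to the fallback.
        self._ext_to_type = {}
        for exts in privileged.values():
            for ext in exts:
                self._ext_to_type[ext] = FALLBACK
        for ext in demoted:
            self._ext_to_type[ext] = FALLBACK

    def extensions(self, content_type):
        """Outbound lookup: extensions for a type the server itself emits."""
        return list(self._type_to_exts.get(content_type, []))

    def from_path(self, path):
        """Inbound lookup: Content-Type to serve a user-named file under."""
        name = posixpath.basename(path).lower()
        parts = name.split(".")
        # Try the longest compound suffix first, so "evil.activity+json" hits
        # the "activity+json" rule before the bare "json" rule.
        for i in range(1, len(parts)):
            suffix = ".".join(parts[i:])
            if suffix in self._ext_to_type:
                return self._ext_to_type[suffix]
        guessed, _ = mimetypes.guess_type(name)
        # Second line of defence: a system-wide mime.types may know an
        # extension for a privileged type (e.g. "jsonld"); never trust it.
        if guessed is None or guessed in self._type_to_exts:
            return FALLBACK
        return guessed

    def known_extensions(self):
        """Every extension this table or the stock mimetypes map knows."""
        return set(self._ext_to_type) | {
            ext.lstrip(".") for ext in mimetypes.types_map
        }

    def verify(self):
        """True iff no known extension resolves inbound to a privileged type."""
        return all(
            self.from_path("probe." + ext) not in self._type_to_exts
            for ext in self.known_extensions()
        )


if __name__ == "__main__":
    table = MimeTable()
    for name in ["note.activity+json", "evil.json", "x.js", "x.jsonld", "cat.png"]:
        print(f"{name:20s} -> {table.from_path(name)}")
    print("no privileged type reachable from a file name:", table.verify())
```

The `verify` check is the part worth keeping around as a test in a real deployment: it walks every extension the system's MIME database knows, so a distribution package that later teaches the base map about `jsonld` or a similar suffix cannot silently reopen the impersonation path.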