akkoma/test
Oneric 066d5b48ed Fix Content-Type sanitisation for emoji and local uploads
This was accidentally broken in c8e0f7848b
due to a one-letter mistake in the plug option name and an absence of
tests. Therefore it was once again possible to serve e.g. Javascript or
CSS payloads via uploads and emoji.
However due to other protections it was still NOT possible for anyone to
serve any payload with an ActivityPub Content-Type. With the CSP policy
hardening from previous JS payload exloits predating the Content-Type
sanitisation, there is currently no known way of abusing this weakened
Content-Type sanitisation, but should be fixed regardless.

This commit fixes the option name and adds tests to ensure
such a regression doesn't occur again in the future.

Reported-by: Lain Soykaf <lain@lain.com>
2025-03-10 19:45:26 +01:00
config remove default emoji file 2022-08-11 19:05:41 +01:00
credo/check/consistency giant massive dep upgrade and dialyxir-found error emporium (#371) 2022-12-14 12:38:48 +00:00
fixtures Prevent key-actor mapping poisoning and key take overs 2025-02-14 22:10:25 +01:00
instance_static URL encode remote emoji pack names (#362) 2023-01-15 18:14:04 +00:00
mix Merge remote-tracking branch 'oneric/varfixes' into develop 2024-10-30 15:15:00 +00:00
pleroma Fix Content-Type sanitisation for emoji and local uploads 2025-03-10 19:45:26 +01:00
support Fix Content-Type sanitisation for emoji and local uploads 2025-03-10 19:45:26 +01:00
test_helper.exs add a snapshot test for api prefixes 2025-02-23 16:51:48 +00:00