Merge branch 'mergeback/2.4.5' into 'develop'

Mergeback: 2.4.5 See merge request pleroma/pleroma!3794
author: Haelwenn <contact+git.pleroma.social@hacktivis.me> 2022-11-27 21:24:44 +0000
committer: Haelwenn <contact+git.pleroma.social@hacktivis.me> 2022-11-27 21:24:44 +0000
commit: 36789986c0b26a4f48ad13ccc5417ff22f85634c (patch)
tree: 263c3104fce91e3f7c09c2f74f58203a6a937338
parent: 3b289a164386b994965d73a3c8aa61dc93181240 (diff)
parent: f6d55e1e7774492bb5b86b7d9bbc05ae9475eb4c (diff)
5 files changed, 45 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e95bda145..ec34ec91e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,6 +63,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - Quack, the logging backend that pushes to Slack channels
 
+## 2.4.5 - 2022-08-xx
+
+## Fixed
+- Image `class` attributes not being scrubbed, allowing to exploit frontend special classes [!3792](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3792)
+- Delete report notifs when demoting from superuser [!3642](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3642)
+- Validate `mediaType` only by it's format rather than using a list [!3597](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3597)
+- Pagination: Make mutes and blocks lists behave the same as other lists [!3693](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3693)
+- Compatibility with Elixir 1.14 [!3740](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3740)
+- Frontend installer: FediFE build URL [!3736](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3736)
+- Streaming: Don't stream ChatMessage into the home timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738)
+- Streaming: Stream local-only posts in the local timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738)
+- Signatures: Fix `keyId` lookup for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725)
+- Validator: Fix `replies` handling for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725)
+
 ## 2.4.4 - 2022-08-19
 
 ### Security
diff --git a/mix.exs b/mix.exs
index 26a9b2826..eb635cac9 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
   def project do
     [
       app: :pleroma,
-      version: version("2.4.53"),
+      version: version("2.4.55"),
       elixir: "~> 1.10",
       elixirc_paths: elixirc_paths(Mix.env()),
       compilers: [:phoenix, :gettext] ++ Mix.compilers(),
diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex
index 79fa6dcdf..e10e3ec87 100644
--- a/priv/scrubbers/default.ex
+++ b/priv/scrubbers/default.ex
@@ -68,13 +68,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
   @allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
 
   if @allow_inline_images do
+    Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
+
     # restrict img tags to http/https only, because of MediaProxy.
     Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
 
     Meta.allow_tag_with_these_attributes(:img, [
       "width",
       "height",
-      "class",
       "title",
       "alt"
     ])
diff --git a/priv/scrubbers/twitter_text.ex b/priv/scrubbers/twitter_text.ex
index a121a8209..6e23b3efb 100644
--- a/priv/scrubbers/twitter_text.ex
+++ b/priv/scrubbers/twitter_text.ex
@@ -45,13 +45,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
 
   # allow inline images for custom emoji
   if Pleroma.Config.get([:markup, :allow_inline_images]) do
+    Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
+
     # restrict img tags to http/https only, because of MediaProxy.
     Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
 
     Meta.allow_tag_with_these_attributes(:img, [
       "width",
       "height",
-      "class",
       "title",
       "alt"
     ])
diff --git a/test/pleroma/html_test.exs b/test/pleroma/html_test.exs
index 970baf63b..b99689903 100644
--- a/test/pleroma/html_test.exs
+++ b/test/pleroma/html_test.exs
@@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
     this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
     this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
     this is an image: <img src="http://example.com/image.jpg"><br />
+    this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br />
     <script>alert('hacked')</script>
   """
 
@@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
   <img src="http://example.com/image.jpg" onerror="alert('hacked')">
   """
 
+  @html_stillimage_sample """
+  <img class="still-image" src="http://example.com/image.jpg">
+  """
+
   @html_span_class_sample """
   <span class="animate-spin">hi</span>
   """
@@ -45,6 +50,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: example.com
         this is a link with not allowed &quot;rel&quot; attribute: example.com
         this is an image: 
+        this is an inline emoji: 
         alert(&#39;hacked&#39;)
       """
 
@@ -67,6 +73,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
         this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
         this is an image: <img src="http://example.com/image.jpg"/><br/>
+        this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
         alert(&#39;hacked&#39;)
       """
 
@@ -90,6 +97,15 @@ defmodule Pleroma.HTMLTest do
                HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
     end
 
+    test "does not allow images with invalid classes" do
+      expected = """
+      <img src="http://example.com/image.jpg"/>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
     test "does allow microformats" do
       expected = """
       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
@@ -121,6 +137,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
         this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
         this is an image: <img src="http://example.com/image.jpg"/><br/>
+        this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
         alert(&#39;hacked&#39;)
       """
 
@@ -143,6 +160,15 @@ defmodule Pleroma.HTMLTest do
       assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
     end
 
+    test "does not allow images with invalid classes" do
+      expected = """
+      <img src="http://example.com/image.jpg"/>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
     test "does allow microformats" do
       expected = """
       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
author	Haelwenn <contact+git.pleroma.social@hacktivis.me>	2022-11-27 21:24:44 +0000
committer	Haelwenn <contact+git.pleroma.social@hacktivis.me>	2022-11-27 21:24:44 +0000
commit	36789986c0b26a4f48ad13ccc5417ff22f85634c (patch)
tree	263c3104fce91e3f7c09c2f74f58203a6a937338
parent	3b289a164386b994965d73a3c8aa61dc93181240 (diff)
parent	f6d55e1e7774492bb5b86b7d9bbc05ae9475eb4c (diff)