authorrinpatch <rinpatch@sdf.org>2020-05-10 17:13:03 +0000
committerrinpatch <rinpatch@sdf.org>2020-05-10 17:13:03 +0000
commita6283bbae13a873af969336bd4e62011777a1a70 (patch)
tree12ddd0c3bf128fe0d897ca75c044726666f20207
parent019a192e43c2421c74e5126e753aac095db8ad54 (diff)
parent489201d5d549a1ad32bf55d7a29d53c8f2316f14 (diff)
Merge branch 'release/2.0.4' into 'stable'v2.0.4
Release/2.0.4 See merge request pleroma/pleroma!2503
-rw-r--r--CHANGELOG.md25
-rw-r--r--config/description.exs1
-rw-r--r--installation/pleroma-apache.conf3
-rw-r--r--lib/pleroma/healthcheck.ex2
-rw-r--r--lib/pleroma/web/activity_pub/activity_pub_controller.ex11
-rw-r--r--lib/pleroma/web/web_finger/web_finger.ex6
-rw-r--r--mix.exs12
-rw-r--r--priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs2
-rw-r--r--test/support/http_request_mock.ex14
-rw-r--r--test/web/activity_pub/activity_pub_controller_test.exs83
10 files changed, 125 insertions, 34 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f3394ecbc..f01dc3bd2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,31 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+## [2.0.4] - 2020-05-10
+
+### Security
+- AP C2S: Fix a potential DoS by creating nonsensical objects that break timelines
+
+### Fixed
+- Peertube user lookups not working
+- `InsertSkeletonsForDeletedUsers` migration failing on some instances
+- Healthcheck reporting the number of memory currently used, rather than allocated in total
+- LDAP not being usable in OTP releases
+- Default apache configuration having tls chain issues
+
+### Upgrade notes
+
+#### Apache only
+
+1. Remove the following line from your config:
+```
+ SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem
+```
+
+#### Everyone
+
+1. Restart Pleroma
+
## [2.0.3] - 2020-05-02
### Security
diff --git a/config/description.exs b/config/description.exs
index 5a1e9e9af..2623e3683 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -2260,6 +2260,7 @@ config :pleroma, :config_description, [
children: [
%{
key: :active,
+ label: "Enabled",
type: :boolean,
description: "Globally enable or disable digest emails"
},
diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf
index b5640ac3d..0d627f2d7 100644
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
@@ -32,9 +32,8 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined
<VirtualHost *:443>
SSLEngine on
- SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem
+ SSLCertificateFile /etc/letsencrypt/live/${servername}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem
- SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem
# Mozilla modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
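Review bot: Pointing `SSLCertificateFile` at `fullchain.pem` and dropping `SSLCertificateChainFile` only serves the intermediates on Apache 2.4.8 or newer, where `SSLCertificateFile` was extended to read a leaf-plus-chain bundle and the chain directive became obsolete; on an older 2.4 build this configuration would again present an incomplete chain to clients. Since this file is copied verbatim by admins, a one-line note above the directive, `# fullchain.pem holds leaf + intermediates; needs Apache 2.4.8+ (SSLCertificateChainFile is obsolete there)`, records the assumption. The VirtualHost block continues outside the hunk.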
diff --git a/lib/pleroma/healthcheck.ex b/lib/pleroma/healthcheck.ex
index 8f7f43ec2..92ce83cb7 100644
--- a/lib/pleroma/healthcheck.ex
+++ b/lib/pleroma/healthcheck.ex
@@ -29,7 +29,7 @@ defmodule Pleroma.Healthcheck do
@spec system_info() :: t()
def system_info do
%Healthcheck{
- memory_used: Float.round(:erlang.memory(:total) / 1024 / 1024, 2)
+ memory_used: Float.round(:recon_alloc.memory(:allocated) / 1024 / 1024, 2)
}
|> assign_db_info()
|> assign_job_queue_stats()
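Review bot: `:recon_alloc.memory(:allocated)` makes the healthcheck depend on the `recon` application being present at runtime, and the mix.exs hunk in this commit adds only `:eldap` to `extra_applications`; if `recon` is a dev/test-only dependency (not visible here) the call raises `UndefinedFunctionError` in a release, which is exactly where this endpoint is used. Worth confirming it is a runtime dependency and noting the intent on the changed line, e.g. `# allocator-level total reserved by the VM (see CHANGELOG 2.0.4): :erlang.memory(:total) under-reported it`. `system_info/0` continues past the hunk.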
diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 779de0e4d..2bb5bd15b 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -370,7 +370,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
|> json(err)
end
- def handle_user_activity(user, %{"type" => "Create"} = params) do
+ defp handle_user_activity(
+ %User{} = user,
+ %{"type" => "Create", "object" => %{"type" => "Note"}} = params
+ ) do
object =
params["object"]
|> Map.merge(Map.take(params, ["to", "cc"]))
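Review bot: Only the Create clause pins `%User{}` on its first argument; the Delete and Like clauses in the hunks at -386 and -396 still accept any term, so the `user.is_moderator || user.ap_id == ...` check in the Delete clause would raise rather than fall through to the error clause if a non-user value ever reached it (whether the caller guarantees a `%User{}` is not visible here). Writing those heads as `defp handle_user_activity(%User{} = user, %{"type" => "Delete"} = params)` and likewise for Like keeps all clauses consistent and routes malformed input to the existing `{:error, ...}` path. The catch-all at -405 now also covers a Create whose object is not a Note, and its "Unhandled activity type" message is misleading for that case; a dedicated clause returning `{:error, dgettext("errors", "Unsupported object type")}` would make the 400 self-describing. The Create clause body continues outside the hunk.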
@@ -386,7 +389,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
})
end
- def handle_user_activity(user, %{"type" => "Delete"} = params) do
+ defp handle_user_activity(user, %{"type" => "Delete"} = params) do
with %Object{} = object <- Object.normalize(params["object"]),
true <- user.is_moderator || user.ap_id == object.data["actor"],
{:ok, delete} <- ActivityPub.delete(object) do
@@ -396,7 +399,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def handle_user_activity(user, %{"type" => "Like"} = params) do
+ defp handle_user_activity(user, %{"type" => "Like"} = params) do
with %Object{} = object <- Object.normalize(params["object"]),
{:ok, activity, _object} <- ActivityPub.like(user, object) do
{:ok, activity}
@@ -405,7 +408,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
end
end
- def handle_user_activity(_, _) do
+ defp handle_user_activity(_, _) do
{:error, dgettext("errors", "Unhandled activity type")}
end
diff --git a/lib/pleroma/web/web_finger/web_finger.ex b/lib/pleroma/web/web_finger/web_finger.ex
index 43a81c75d..8f71820d7 100644
--- a/lib/pleroma/web/web_finger/web_finger.ex
+++ b/lib/pleroma/web/web_finger/web_finger.ex
@@ -193,13 +193,15 @@ defmodule Pleroma.Web.WebFinger do
URI.parse(account).host
end
+ encoded_account = URI.encode("acct:#{account}")
+
address =
case find_lrdd_template(domain) do
{:ok, template} ->
- String.replace(template, "{uri}", URI.encode(account))
+ String.replace(template, "{uri}", encoded_account)
_ ->
- "https://#{domain}/.well-known/webfinger?resource=acct:#{account}"
+ "https://#{domain}/.well-known/webfinger?resource=#{encoded_account}"
end
with response <-
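Review bot: `URI.encode/1` leaves reserved characters such as `#`, `&`, `?` and `/` unescaped, so if `account` can arrive from a caller without upstream validation (not visible here), the fallback URL built on the second `+` line can have its query string truncated or extended by those characters; the same applies to the `{uri}` template substitution above it. `encoded_account = URI.encode_www_form("acct:#{account}")` would percent-encode them, at the cost of also encoding `@` and `:` (which a conforming WebFinger server decodes) and of updating the mock URLs in `test/support/http_request_mock.ex`. The enclosing function starts and continues outside the hunk.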
diff --git a/mix.exs b/mix.exs
index 3f3990ea2..9f9679f62 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do
[
app: :pleroma,
- version: version("2.0.3"),
+ version: version("2.0.4"),
elixir: "~> 1.8",
elixirc_paths: elixirc_paths(Mix.env()),
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
@@ -63,7 +63,15 @@ defmodule Pleroma.Mixfile do
def application do
[
mod: {Pleroma.Application, []},
- extra_applications: [:logger, :runtime_tools, :comeonin, :quack, :fast_sanitize, :ssl],
+ extra_applications: [
+ :logger,
+ :runtime_tools,
+ :comeonin,
+ :quack,
+ :fast_sanitize,
+ :ssl,
+ :eldap
+ ],
included_applications: [:ex_syslogger]
]
end
diff --git a/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs b/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs
index 11d9a70ba..2adc38186 100644
--- a/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs
+++ b/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs
@@ -30,7 +30,7 @@ defmodule Pleroma.Repo.Migrations.InsertSkeletonsForDeletedUsers do
Repo,
"select distinct unnest(nonexistent_locals.recipients) from activities, lateral (select array_agg(recipient) as recipients from unnest(activities.recipients) as recipient where recipient similar to '#{
instance_uri
- }/users/[A-Za-z0-9]*' and not(recipient in (select ap_id from users where local = true))) nonexistent_locals;",
+ }/users/[A-Za-z0-9]*' and not(recipient in (select ap_id from users))) nonexistent_locals;",
[],
timeout: :infinity
)
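Review bot: `instance_uri` is still interpolated straight into the SQL text in the `'#{ instance_uri }/users/...'` pattern while the parameter list on the next line is `[]`; passing it as a bind, `recipient similar to $1 || '/users/[A-Za-z0-9]*'` with `[instance_uri]` in place of `[]`, removes any quoting concern should the configured URI ever contain a quote or a SIMILAR TO metacharacter such as `%` or `_`. The value presumably comes from instance config rather than a request, so this is hardening and readability rather than an injection finding. The query call begins before this hunk.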
diff --git a/test/support/http_request_mock.ex b/test/support/http_request_mock.ex
index 79ab129fd..890a43cc1 100644
--- a/test/support/http_request_mock.ex
+++ b/test/support/http_request_mock.ex
@@ -211,7 +211,7 @@ defmodule HttpRequestMock do
end
def get(
- "https://squeet.me/xrd/?uri=lain@squeet.me",
+ "https://squeet.me/xrd/?uri=acct:lain@squeet.me",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
@@ -850,7 +850,7 @@ defmodule HttpRequestMock do
end
def get(
- "https://social.heldscal.la/.well-known/webfinger?resource=shp@social.heldscal.la",
+ "https://social.heldscal.la/.well-known/webfinger?resource=acct:shp@social.heldscal.la",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
@@ -863,7 +863,7 @@ defmodule HttpRequestMock do
end
def get(
- "https://social.heldscal.la/.well-known/webfinger?resource=invalid_content@social.heldscal.la",
+ "https://social.heldscal.la/.well-known/webfinger?resource=acct:invalid_content@social.heldscal.la",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
@@ -880,7 +880,7 @@ defmodule HttpRequestMock do
end
def get(
- "http://framatube.org/main/xrd?uri=framasoft@framatube.org",
+ "http://framatube.org/main/xrd?uri=acct:framasoft@framatube.org",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
@@ -939,7 +939,7 @@ defmodule HttpRequestMock do
end
def get(
- "https://gerzilla.de/xrd/?uri=kaniini@gerzilla.de",
+ "https://gerzilla.de/xrd/?uri=acct:kaniini@gerzilla.de",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
@@ -1135,7 +1135,7 @@ defmodule HttpRequestMock do
end
def get(
- "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=lain@zetsubou.xn--q9jyb4c",
+ "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=acct:lain@zetsubou.xn--q9jyb4c",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
@@ -1148,7 +1148,7 @@ defmodule HttpRequestMock do
end
def get(
- "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=https://zetsubou.xn--q9jyb4c/users/lain",
+ "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=acct:https://zetsubou.xn--q9jyb4c/users/lain",
_,
_,
Accept: "application/xrd+xml,application/jrd+json"
diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs
index b2352538a..c418232da 100644
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@@ -652,9 +652,25 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
assert response(conn, 200) =~ announce_activity.data["object"]
end
+ end
+
+ describe "POST /users/:nickname/outbox (C2S)" do
+ setup do
+ [
+ activity: %{
+ "@context" => "https://www.w3.org/ns/activitystreams",
+ "type" => "Create",
+ "object" => %{"type" => "Note", "content" => "AP C2S test"},
+ "to" => "https://www.w3.org/ns/activitystreams#Public",
+ "cc" => []
+ }
+ ]
+ end
- test "it rejects posts from other users", %{conn: conn} do
- data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+ test "it rejects posts from other users / unauthenticated users", %{
+ conn: conn,
+ activity: activity
+ } do
user = insert(:user)
otheruser = insert(:user)
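Review bot: The renamed test promises coverage of unauthenticated users, but its body (which continues in the next hunk) only posts as `otheruser` with `assign(:user, otheruser)`; no request without an assigned user is made. Either add a second request with no `assign(:user, …)` and assert the status the auth plug returns for it, or drop "/ unauthenticated users" from the title so the name matches what is asserted.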
@@ -662,39 +678,76 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
conn
|> assign(:user, otheruser)
|> put_req_header("content-type", "application/activity+json")
- |> post("/users/#{user.nickname}/outbox", data)
+ |> post("/users/#{user.nickname}/outbox", activity)
assert json_response(conn, 403)
end
- test "it inserts an incoming create activity into the database", %{conn: conn} do
- data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+ test "it inserts an incoming create activity into the database", %{
+ conn: conn,
+ activity: activity
+ } do
user = insert(:user)
- conn =
+ result =
conn
|> assign(:user, user)
|> put_req_header("content-type", "application/activity+json")
- |> post("/users/#{user.nickname}/outbox", data)
-
- result = json_response(conn, 201)
+ |> post("/users/#{user.nickname}/outbox", activity)
+ |> json_response(201)
assert Activity.get_by_ap_id(result["id"])
+ assert result["object"]
+ assert %Object{data: object} = Object.normalize(result["object"])
+ assert object["content"] == activity["object"]["content"]
end
- test "it rejects an incoming activity with bogus type", %{conn: conn} do
- data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+ test "it rejects anything beyond 'Note' creations", %{conn: conn, activity: activity} do
user = insert(:user)
- data =
- data
- |> Map.put("type", "BadType")
+ activity =
+ activity
+ |> put_in(["object", "type"], "Benis")
+
+ _result =
+ conn
+ |> assign(:user, user)
+ |> put_req_header("content-type", "application/activity+json")
+ |> post("/users/#{user.nickname}/outbox", activity)
+ |> json_response(400)
+ end
+
+ test "it inserts an incoming sensitive activity into the database", %{
+ conn: conn,
+ activity: activity
+ } do
+ user = insert(:user)
+ object = Map.put(activity["object"], "sensitive", true)
+ activity = Map.put(activity, "object", object)
+
+ result =
+ conn
+ |> assign(:user, user)
+ |> put_req_header("content-type", "application/activity+json")
+ |> post("/users/#{user.nickname}/outbox", activity)
+ |> json_response(201)
+
+ assert Activity.get_by_ap_id(result["id"])
+ assert result["object"]
+ assert %Object{data: object} = Object.normalize(result["object"])
+ assert object["sensitive"] == activity["object"]["sensitive"]
+ assert object["content"] == activity["object"]["content"]
+ end
+
+ test "it rejects an incoming activity with bogus type", %{conn: conn, activity: activity} do
+ user = insert(:user)
+ activity = Map.put(activity, "type", "BadType")
conn =
conn
|> assign(:user, user)
|> put_req_header("content-type", "application/activity+json")
- |> post("/users/#{user.nickname}/outbox", data)
+ |> post("/users/#{user.nickname}/outbox", activity)
assert json_response(conn, 400)
end
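Review bot: In the "rejects anything beyond 'Note' creations" test the response is bound to `_result` and discarded, so the only check is the status `json_response/2` enforces implicitly; the sibling tests in this hunk write `assert json_response(conn, 400)`, and using the same form, `assert json_response(conn, 400)` with the pipeline assigned to `conn` as the bogus-type test does, keeps the intent explicit and the style consistent. Asserting on the error body as well would pin that the rejection comes from the new object-type clause rather than a different 400 path.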