pleroma issues
https://git.pleroma.social/pleroma/pleroma/-/issues
2023-07-02T15:06:21Z

Failure to parse paginated featured collection
https://git.pleroma.social/pleroma/pleroma/-/issues/3142
2023-07-02T15:06:21Z, silverpill

If actor's `featured` collection doesn't have `orderedItems` property (and has a pointer to `OrderedCollectionPage` instead), signature check fails, incoming activity gets dropped and `{"errors":{"detail":"Internal server error"}}` response is returned.
I guess the error comes from [`pin_data_from_featured_collection`](https://git.pleroma.social/pleroma/pleroma/-/blob/043a00991dec09f5804df1db1fdc1b1179843453/lib/pleroma/web/activity_pub/activity_pub.ex#L1712).

PUT /api/v1/statuses/:id missing media_attributes
https://git.pleroma.social/pleroma/pleroma/-/issues/3138
2023-07-07T23:02:49Z, webb

There is an undocumented field in ``PUT /api/v1/statuses/:id`` that allows media to be edited after upload.
https://github.com/mastodon/mastodon/pull/20878
Did a quick grep of the codebase, there doesn't seem to be any reference to this. This breaks editing alt text for clients that don't use the Pleroma-specific behaviour of allowing calls to ``PUT /api/v1/media/:id`` after the post the attachment was for has been made.

Internal links don't load the page properly (unless opened in a new tab)
https://git.pleroma.social/pleroma/pleroma/-/issues/3137
2023-06-19T00:08:21Z, Lotte V

### Environment
* **Installation type (OTP or From Source):** From source
* **Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE):** 2.5.52-235-g589301ce-develop
* **Elixir version (`elixir -v` for from source installations, N/A for OTP):** 1.13.0
* **Operating system:** Debian 10 (Buster)
* **PostgreSQL version (`psql -V`):** 11.12
### Bug description
Whenever I click on a link to load a different page from my instance, the page does not load properly. I have to refresh every single time I click on an internal link, or open the link in a new tab. I can work around this most of the time, but for example, right now I am unable to log out unless I clear my instance's cookies (since I can't open that in a new tab). This is quite the hassle and not something I want to do every single time. It's the same way in every browser, so that can't be the issue either.
I also can't collapse threads anymore for some reason, though if I should make a separate issue about this, I will. Though my suspicion is that the two are related.

Can upload (but not display) media
https://git.pleroma.social/pleroma/pleroma/-/issues/3136
2023-07-06T14:11:12Z, Thom Cat

### Environment
* Installation type (OTP or From Source): Source (Docker)
* Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE): 2.5.52-235-g589301ce-develop
* Elixir version (`elixir -v` for from source installations, N/A for OTP): "Elixir 1.14.2 (compiled with Erlang/OTP 25)"
* Operating system: Ubuntu 20.04.6
* PostgreSQL version (`psql -V`): 12.1
### Bug description
After spinning up Pleroma using the [angristan Dockerfile repo](https://github.com/angristan/docker-pleroma), I am able to upload media, but am unable to view the same media from any web browser or app. Specifically, I will open the piece of Media in a new tab, and will get a "Too many redirects" error. Opening the dev console and looking at the network tab shows a dozen 302 redirects with the exact same url in the `location` header. "Media" includes profile pictures, site logo, or any media included in posts. **Remote** media from other Mastodon/Pleroma instances works just fine, no issues.
Chrome (Android)
![Screenshot_20230615-172220](/uploads/9aea3000830d006c72d11cf054bea69b/Screenshot_20230615-172220.png)
Fedilab
![Screenshot_20230615-172252](/uploads/6ee9b3a3eddb8db39bf315145714e71c/Screenshot_20230615-172252.png)
I see the media hit my `uploads` folder and have tried `chmod -r`ing the permissions to `777`.
![Screenshot_20230615-172624_2](/uploads/95e1800e1e02031baba807106f50ab5c/Screenshot_20230615-172624_2.png)
I've quadruple checked that my `nginx` config is exactly the same as the base config provided (except for the SSL certs, and `phoenix` upstream stanza being the IP for my docker container). I have no other issues with the install, only the uploads are the issue.

Ability to use emoji from other servers
https://git.pleroma.social/pleroma/pleroma/-/issues/3134
2023-06-13T18:03:12Z, iacore

# Behavior suggestion/Feature request
It is possible to emoji-react to a post using emoji from another server, if someone else used that emoji first.
I wonder if it is possible to create the first reaction to a post using emoji from another server.

Lemmy / Kbin federation issues
https://git.pleroma.social/pleroma/pleroma/-/issues/3133
2023-06-27T00:56:19Z, Carlos Solís

### Environment
* Installation type (OTP or From Source): OTP
* Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE): 2.5.2
* Elixir version (`elixir -v` for from source installations, N/A for OTP): N/A
* Operating system: Debian 11 Bullseye
* PostgreSQL version (`psql -V`): 13.11
### Bug description
When following a community from Lemmy or a magazine from Kbin, Pleroma will complain about an issue with the transmogrifier, for example:
```
Jun 12 10:36:15 example.net pleroma[3586219]: 10:36:15.814 [error] Error while fetching https://lemmy.world/activities/create/32ce9250-359e-4d2d-a969-c5b0c09c4a63: {:error, {:transmogrifier, :error}}
Jun 12 10:36:16 example.net pleroma[3586219]: 10:36:16.019 [error] Error while fetching https://programming.dev/activities/like/648e688e-f9d1-4627-9494-8f5ab8a40e26: {:error, {:transmogrifier, :error}}
Jun 12 10:36:16 example.net pleroma[3586219]: 10:36:16.778 [error] Error while fetching https://lemmy.world/activities/like/bc75afd2-2b94-4669-852e-6bc4d1d98743: {:error, {:transmogrifier, :error}}
Jun 12 10:36:17 example.net pleroma[3586219]: 10:36:17.224 [error] Error while fetching https://beehaw.org/activities/like/a8b3ee2b-4112-4354-bc00-5562694a9b6c: {:error, {:transmogrifier, :error}}
```
Furthermore, attached images and website previews are not properly parsed as a result, instead showing a black image (in clients like Fedilab) or a placeholder clip image (in Soapbox):
![imagen](/uploads/48fb8875e9dd8b3596bd47aff6650733/imagen.png)

precompiled version db can't migrate to compiled db [compiled by elixir 1.15.7 or later]
https://git.pleroma.social/pleroma/pleroma/-/issues/3132
2023-12-04T03:31:20Z, Kuoi Z

This is my build log. https://web.archive.org/web/20231204032554/https://build.malacology.net/api/pkg/pleroma/log/1698812320
Following is my running log, but I use what you compile, things run well, but for what I compiled, sth face problems, is this the issue that I previously use pre-build binary, now I use compiled binary?
It seems that the db generated from OTP release can't migrate to the binary what I compiled
Renew log can be checked here https://web.archive.org/web/20231204032515/http://fars.ee/kHDY still [debug] for days.
```
Jun 02 04:04:07 helix systemd[1]: pleroma.service: Found left-over process 497 (epmd) in control group while starting unit. Ignoring.
Jun 02 04:04:07 helix systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Jun 02 04:04:07 helix systemd[1]: Started Pleroma social network.
Jun 02 04:04:10 helix pleroma[1783]: [notice] :alarm_handler: {:set, {:system_memory_high_watermark, []}}
Jun 02 04:04:10 helix pleroma[1783]: [info] Function passed as a handler with ID "pleroma-logger" is local function.
Jun 02 04:04:10 helix pleroma[1783]: This mean that it is either anonymous function or capture of function without module specified. That may cause performance penalty when calling such handler. For more details see note in `telemetry:attach/4` documentation.
Jun 02 04:04:10 helix pleroma[1783]: https://hexdocs.pm/telemetry/telemetry.html#attach-4
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="columns" db=7.1ms queue=12.7ms idle=0.0ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT TRUE FROM "information_schema"."columns" AS c0 WHERE (c0."table_name" = 'objects') AND (c0."column_name" = 'fts_content') LIMIT 1 []
Jun 02 04:04:11 helix pleroma[1783]: [info] Function passed as a handler with ID "telemetry_web__event_handler" is local function.
Jun 02 04:04:11 helix pleroma[1783]: This mean that it is either anonymous function or capture of function without module specified. That may cause performance penalty when calling such handler. For more details see note in `telemetry:attach/4` documentation.
Jun 02 04:04:11 helix pleroma[1783]: https://hexdocs.pm/telemetry/telemetry.html#attach-4
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.ForceMentionsInContent is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.DropPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.TagPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.NoPlaceholderTextPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.ForceBotUnlistedPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.EnsureRePrepended is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.AntiLinkSpamPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.AntiFollowbotPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.FollowBotPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.NoEmptyPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.UserAllowListPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] Elixir.Pleroma.Web.ActivityPub.MRF.NoOpPolicy is excluded from config descriptions, because does not implement `config_description/0` method.
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="config" db=3.2ms queue=7.1ms idle=0.0ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT c0."id", c0."key", c0."group", c0."value", c0."inserted_at", c0."updated_at" FROM "config" AS c0 []
Jun 02 04:04:11 helix pleroma[1783]: [info] Function passed as a handler with ID "oban-monitor-failure" is local function.
Jun 02 04:04:11 helix pleroma[1783]: This mean that it is either anonymous function or capture of function without module specified. That may cause performance penalty when calling such handler. For more details see note in `telemetry:attach/4` documentation.
Jun 02 04:04:11 helix pleroma[1783]: https://hexdocs.pm/telemetry/telemetry.html#attach-4
Jun 02 04:04:11 helix pleroma[1783]: [info] Function passed as a handler with ID "oban-monitor-success" is local function.
Jun 02 04:04:11 helix pleroma[1783]: This mean that it is either anonymous function or capture of function without module specified. That may cause performance penalty when calling such handler. For more details see note in `telemetry:attach/4` documentation.
Jun 02 04:04:11 helix pleroma[1783]: https://hexdocs.pm/telemetry/telemetry.html#attach-4
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="data_migrations" db=0.8ms queue=2.5ms idle=44.5ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT d0."id", d0."name", d0."state", d0."feature_lock", d0."params", d0."data", d0."inserted_at", d0."updated_at" FROM "data_migrations" AS d0 WHERE (d0."name" = $1) ["populate_hashtags_table"]
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="data_migrations" db=0.9ms queue=3.4ms idle=44.9ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT d0."id", d0."name", d0."state", d0."feature_lock", d0."params", d0."data", d0."inserted_at", d0."updated_at" FROM "data_migrations" AS d0 WHERE (d0."name" = $1) ["delete_context_objects"]
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="data_migrations" db=2.0ms queue=0.1ms idle=40.4ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT d0."id", d0."name", d0."state", d0."feature_lock", d0."params", d0."data", d0."inserted_at", d0."updated_at" FROM "data_migrations" AS d0 WHERE (d0."name" = $1) ["delete_context_objects"]
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="data_migrations" db=3.7ms idle=46.8ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT d0."id", d0."name", d0."state", d0."feature_lock", d0."params", d0."data", d0."inserted_at", d0."updated_at" FROM "data_migrations" AS d0 WHERE (d0."name" = $1) ["populate_hashtags_table"]
Jun 02 04:04:11 helix pleroma[1783]: [info] Gopher server disabled
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK db=0.2ms queue=0.5ms idle=40.8ms
Jun 02 04:04:11 helix pleroma[1783]: show server_version []
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="users" db=457.1ms decode=0.1ms queue=2.8ms idle=18.8ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT distinct split_part(u0."nickname", '@', 2) FROM "users" AS u0 WHERE (u0."local" != $1) [true]
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="users" db=4.5ms queue=1.4ms idle=466.6ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT sum(u0."note_count") FROM "users" AS u0 WHERE (NOT (u0."nickname" IS NULL)) AND (NOT (u0."nickname" LIKE 'internal.%')) AND (u0."local" = $1) [true]
Jun 02 04:04:11 helix pleroma[1783]: [debug] QUERY OK source="users" db=2.4ms queue=1.0ms idle=472.6ms
Jun 02 04:04:11 helix pleroma[1783]: SELECT count(u0."id") FROM "users" AS u0 WHERE (u0."is_active" = TRUE) AND (u0."local" = TRUE) AND (NOT (u0."nickname" IS NULL)) AND (NOT (u0."invisible")) []
Jun 02 04:04:13 helix pleroma[1783]: [debug] Tzdata polling for update.
Jun 02 04:04:13 helix pleroma[1783]: [debug] Tzdata polling shows the loaded tz database is up to date.
Jun 02 04:04:16 helix pleroma[1783]: [debug] QUERY OK source="users" db=6.1ms queue=3.1ms idle=1052.9ms
Jun 02 04:04:16 helix pleroma[1783]: SELECT u0."id", u0."bio", u0."raw_bio", u0."email", u0."name", u0."nickname", u0."password_hash", u0."keys", u0."public_key", u0."ap_id", u0."avatar", u0."local", u0."follower_address", u0."following_address", u0."featured_address", u0."tags", u0."last_refreshed_at", u0."last_digest_emailed_at", u0."banner", u0."background", u0."note_count", u0."follower_count", u0."following_count", u0."is_locked", u0."is_confirmed", u0."password_reset_pending", u0."is_approved", u0."registration_reason", u0."confirmation_token", u0."default_scope", u0."domain_blocks", u0."is_active", u0."no_rich_text", u0."ap_enabled", u0."is_moderator", u0."is_admin", u0."show_role", u0."uri", u0."hide_followers_count", u0."hide_follows_count", u0."hide_followers", u0."hide_follows", u0."hide_favorites", u0."email_notifications", u0."mascot", u0."emoji", u0."pleroma_settings_store", u0."fields", u0."raw_fields", u0."is_discoverable", u0."invisible", u0."allow_following_move", u0."skip_thread_containment", u0."actor_type", u0."also_known_as", u0."inbox", u0."shared_inbox", u0."accepts_chat_messages", u0."last_active_at", u0."disclose_client", u0."pinned_objects", u0."is_suggested", u0."last_status_at", u0."birthday", u0."show_birthday", u0."language", u0."notification_settings", u0."blocks", u0."mutes", u0."muted_reblogs", u0."muted_notifications", u0."subscribers", u0."multi_factor_authentication_settings", u0."inserted_at", u0."updated_at" FROM "users" AS u0 WHERE (u0."ap_id" = $1) ["https://social.malacology.net/internal/fetch"]
Jun 02 04:05:12 helix pleroma[1783]: [debug] QUERY OK source="users" db=445.1ms queue=0.1ms idle=1172.6ms
Jun 02 04:05:12 helix pleroma[1783]: SELECT distinct split_part(u0."nickname", '@', 2) FROM "users" AS u0 WHERE (u0."local" != $1) [true]
Jun 02 04:05:12 helix pleroma[1783]: [debug] QUERY OK source="users" db=0.8ms idle=943.6ms
Jun 02 04:05:12 helix pleroma[1783]: SELECT sum(u0."note_count") FROM "users" AS u0 WHERE (NOT (u0."nickname" IS NULL)) AND (NOT (u0."nickname" LIKE 'internal.%')) AND (u0."local" = $1) [true]
Jun 02 04:05:12 helix pleroma[1783]: [debug] QUERY OK source="users" db=0.8ms idle=944.5ms
Jun 02 04:05:12 helix pleroma[1783]: SELECT count(u0."id") FROM "users" AS u0 WHERE (u0."is_active" = TRUE) AND (u0."local" = TRUE) AND (NOT (u0."nickname" IS NULL)) AND (NOT (u0."invisible")) []
Jun 02 04:06:12 helix pleroma[1783]: [debug] QUERY OK source="users" db=415.7ms queue=0.1ms idle=1340.5ms
Jun 02 04:06:12 helix pleroma[1783]: SELECT distinct split_part(u0."nickname", '@', 2) FROM "users" AS u0 WHERE (u0."local" != $1) [true]
Jun 02 04:06:12 helix pleroma[1783]: [debug] QUERY OK source="users" db=2.8ms idle=1362.5ms
Jun 02 04:06:12 helix pleroma[1783]: SELECT sum(u0."note_count") FROM "users" AS u0 WHERE (NOT (u0."nickname" IS NULL)) AND (NOT (u0."nickname" LIKE 'internal.%')) AND (u0."local" = $1) [true]
Jun 02 04:06:12 helix pleroma[1783]: [debug] QUERY OK source="users" db=2.3ms idle=1365.5ms
Jun 02 04:06:12 helix pleroma[1783]: SELECT count(u0."id") FROM "users" AS u0 WHERE (u0."is_active" = TRUE) AND (u0."local" = TRUE) AND (NOT (u0."nickname" IS NULL)) AND (NOT (u0."invisible")) []
```
my nginx here
```
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
                 inactive=720m use_temp_path=off;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name MY_DOMAIN;
    include /etc/nginx/custom/ssl.conf;
    access_log /var/log/nginx/access.log;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    location / {
        # if you do not want remote frontends to be able to access your Pleroma backend
        # server, remove these lines.
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
        if ($request_method = OPTIONS) {
            return 204;
        }
        # stop removing lines here.

        add_header X-XSS-Protection "1; mode=block";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;
        add_header X-Download-Options noopen;

        # Uncomment this only after you get HTTPS working.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:4000;
        client_max_body_size 16m;
    }

    location /proxy {
        proxy_cache pleroma_media_cache;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_pass http://localhost:4000;
    }
}
```
my ufw rule, as previously work well, I am sure there is no problem
```
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
4000/tcp ALLOW Anywhere
```
my nginx error is here
```
2023/12/04 10:56:06 [error] 70603#70603: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 172.69.195.81, server: social.malacology.net, request: "GET / HTTP/2.0", upstream: "http://[::1]:4000/", host: "social.malacology.net"
2023/12/04 10:56:06 [error] 70603#70603: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 172.69.195.81, server: social.malacology.net, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:4000/", host: "social.malacology.net"
2023/12/04 10:56:07 [error] 70603#70603: *18 no live upstreams while connecting to upstream, client: 172.69.194.3, server: social.malacology.net, request: "GET /favicon.ico HTTP/2.0", upstream: "http://localhost/favicon.ico", host: "social.malacology.net", referrer: "https://social.malacology.net/"
2023/12/04 10:56:27 [error] 70603#70603: *33 connect() failed (111: Connection refused) while connecting to upstream, client: 172.69.60.151, server: social.malacology.net, request: "POST /inbox HTTP/2.0", upstream: "http://127.0.0.1:4000/inbox", host: "social.malacology.net"
2023/12/04 10:56:27 [error] 70603#70603: *33 connect() failed (111: Connection refused) while connecting to upstream, client: 172.69.60.151, server: social.malacology.net, request: "POST /inbox HTTP/2.0", upstream: "http://[::1]:4000/inbox", host: "social.malacology.net"
2023/12/04 10:56:47 [error] 70603#70603: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 172.69.195.81, server: social.malacology.net, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:4000/", host: "social.malacology.net"
2023/12/04 10:56:47 [error] 70603#70603: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 172.69.195.81, server: social.malacology.net, request: "GET / HTTP/2.0", upstream: "http://[::1]:4000/", host: "social.malacology.net"
2023/12/04 10:56:48 [error] 70603#70603: *18 no live upstreams while connecting to upstream, client: 172.69.194.3, server: social.malacology.net, request: "GET /favicon.ico HTTP/2.0", upstream: "http://localhost/favicon.ico", host: "social.malacology.net", referrer: "https://social.malacology.net/"
2023/12/04 10:56:53 [error] 70603#70603: *50 no live upstreams while connecting to upstream, client: 172.70.123.111, server: social.malacology.net, request: "POST /inbox HTTP/2.0", upstream: "http://localhost/inbox", host: "social.malacology.net"
```

Unable to close/resolve report if the actor's account is deactivated
https://git.pleroma.social/pleroma/pleroma/-/issues/3131
2023-07-02T21:27:16Z, Your New SJW Waifu

### Environment
* Installation type (OTP or From Source):
- [ ] The virgin OTP install
- [X] The chad source install
* Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE): 31ec5cd3
* Elixir version (`elixir -v` for from source installations, N/A for OTP):
```
Erlang/OTP 25 [erts-13.0.4] [source] [64-bit] [smp:24:24] [ds:24:24:10] [async-threads:1] [jit:ns]
Elixir 1.13.4 (compiled with Erlang/OTP 25)
```
* Operating system: Ubuntu Pro 22.04
* PostgreSQL version (`psql -V`): 15.3
### Bug description
I had a report from a local user about a remote user. The local user had deactivated their account shortly after making the report.
I could not mark the report closed or resolved until I re-activated the account that made the report. At which time I was able to mark the report resolved.
Interestingly, the API was returning a 404 when trying to change the state of a report with the actor's account deactivated.

Purge or prevent OAuth tokens with no user id
https://git.pleroma.social/pleroma/pleroma/-/issues/3129
2023-05-29T09:44:44Z, Duponin

Following recent security update, I deleted all OAuth tokens but I noticed there was a huge amount (a bit more than 300k) tokens where `user_id` is `NULL`.
In comparison, I had slightly more than 3k valid OAuth tokens (with `user_id` set).
You can find on your instance doing the following SQL `select count(id) from oauth_tokens where user_id is null;`.
I’ve yet to understand why these tokens without `user_id` exist.
@lanodan told me those exist because of Mastodon applications that don’t work with our MastoAPI implementation (citation needed).
We should prevent those to exist ideally in a first place, but in case we can’t, having a purge would be good.
I’m not sure if this is a security issue, but still concerning nonetheless.

Idea: add a Hashcash or some other proof-of-work to the register page
https://git.pleroma.social/pleroma/pleroma/-/issues/3128
2023-06-22T03:18:50Z, Zero

I had this idea and only just learned about Hashcash (https://en.wikipedia.org/wiki/Hashcash).
I think this (along with a better captcha) would be good to slow down things like skids mass creating accounts, which happened recently.
There's an existing Elixir library: https://github.com/danj3/elixir-hashcash
And probably a lot of JS implementation like https://github.com/007/hashcash-js
I found this example of it being used for a sign up page, it's Rails, but it could be a good model for an implementation: https://github.com/BaseSecrete/active_hashcash
Aside from that, maybe some documentation on how to rate limit the login page properly on nginx and such would be helpful.
Just throwing some ideas out there, I don't think I'm competent enough to implement it, though.

Hashtag links don't work in Mona app
https://git.pleroma.social/pleroma/pleroma/-/issues/3127
2023-06-22T03:02:34Z, feld

Allegedly our hashtag links need a class of "mention" applied to them, and then hashtag timeline thing view thing in the app will work correctly like it does for Mastodon?

Confirmed user javascript execution bug
https://git.pleroma.social/pleroma/pleroma/-/issues/3126
2023-05-29T08:48:04Z, lain

Poa.st has apparently lost some user token to a rather sophisticated attack.
Apparently, the user was able to upload javascript (nothing unusual here) and then execute it via a nostr bridge. I don't understand how this is supposed to work yet.
The poa.st admin has written about it, I'll quote the full post here:
https://poa.st/notice/AW21NSFdXhFPb2Zzai
> on may 19, 2023 an unknown user registered the domain name fedirelay.xyz and setup a fake mostr (nostr) relay to listen for requests on the fediverse.
>
> on may 20, 2023 at 20:52 (utc) a user uploaded the attached document to poast. it was originally an obfuscated javascript file (unobfuscated and attached it here, renamed to .txt so you can view it in any editor).
>
> what this javascript file does is take the viewer's oauth token, encode it to make it look like a nostr pubkey and then forced the clandestine mostr relay to look up that user locally giving that server the encoded token all while appearing to be a legitimate mostr (nostr) bridge
>
> i have taken steps to completely limit access to the admin api and corrected any CSP or other issues that could possibly have contributed to this, however most of you (instance owners) are still vulnerable to it. the default pleroma install serves media files on your root domain as a local folder (i.e. yourdomain.xyz/media) and the default CSP for any site is to allow executing scripts via the root domain. in order to prevent this you should take steps to either move your media from yourdomain.xyz/media to media.yourdomain.xyz (or any subdomain outside of your root domain) or perhaps by limiting the CSP for that subdirectory via nginx configuration.
>
> if you are an instance owner, the obfuscated file hash is `b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117` so you can search yourdomain.xyz/media/b2977f2d97f598d2ebd6dcf37afd9047b5da2b6dc95a7b2824fb111c906fb117.js and see if you have it on your server.
>
> no user password or anything beyond email:user and your chats and media associated with them have been archived and everybody's tokens were dropped forcing you to all relog on your accounts. this is to ensure that if any of you had tokens exposed by viewing this JavaScript, they are no longer functional on poast.
>
> sorry to anybody i let down but i could never have foreseen this level of sophistication and i would not have ever expected it. now that we are aware of it, we will be more diligent in the future. thanks for being here with us still friends
> 4ed28ef4fa5e18bfa5c1f7…7e2fcc6d0cdb0215f15.txt
[4ed28ef4fa5e18bfa5c1f75a5c1cc759f7b718c0b600e7e2fcc6d0cdb0215f15.txt](/uploads/652ff240e96c1c9913c5eff75dba2778/4ed28ef4fa5e18bfa5c1f75a5c1cc759f7b718c0b600e7e2fcc6d0cdb0215f15.txt)

https://git.pleroma.social/pleroma/pleroma/-/issues/3123
cannot post status on new instance
2023-05-25T16:39:00Z
jeff
### Environment
* Installation type (OTP or From Source): source (develop)
* Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE):
```
Backend version
2.5.51-156-g5433742f-develop
Frontend version
c730c9b6
```
* Elixir version (`elixir -v` for from source installations, N/A for OTP):
```
Erlang/OTP 25 [erts-13.1.5] [source] [64-bit] [smp:3:3] [ds:3:3:10] [async-threads:1] [jit:ns]
Elixir 1.14.0 (compiled with Erlang/OTP 24)
```
* Operating system: debian bookworm
* PostgreSQL version (`psql -V`):
```
psql (PostgreSQL) 15.3 (Debian 15.3-1.pgdg120+1)
```
### Bug description
try to make new post, get a http 422 from the request with a giant pile of json as the error message.
![Screenshot_20230525_122231](/uploads/09f185f4d74f77d1293d4778f35c56cb/Screenshot_20230525_122231.webp)

https://git.pleroma.social/pleroma/pleroma/-/issues/3122
Self-deleting account doesn't purge all its statuses
2023-05-27T03:45:26Z
tusooa
0. Delete one's own account using the delete account API
1. Their posts are still retained, and still exposed in the context API. This contradicts the user expectation that deleting their account will also purge all of its posts, at least from the point of view of the local server.

https://git.pleroma.social/pleroma/pleroma/-/issues/3120
Add support for OpenTelemetry
2023-05-09T19:10:56Z
Duponin
[OpenTelemetry](https://opentelemetry.io/) is a framework to add app telemetry, giving insights on what’s going on *in* the application.
This could be greatly useful to understand some weird behaviours, rather than looking at a blackbox and guessing what might have happened.
Most instances won’t benefit, and won’t have any tool to ingest that data; it should be disabled by default.
However, it could be useful for big/busy federation instances.
Related topics are Application Performance Monitors (APM), this topic got discussed in context of Sentry, see https://git.pleroma.social/pleroma/pleroma/-/issues/574.

https://git.pleroma.social/pleroma/pleroma/-/issues/3119
Send a 413 when a user bio goes beyond character limit
2023-06-27T18:49:45Z
Duponin
When a user updates their bio out of character limit boundary, backend is sending a 403 error code and `{"error":"Invalid request"}`.
The correct error code is 413 "Payload Too Large" and answer should be `{"error":"Payload Too Large"}`.
Relates to #3053.
tusooa

https://git.pleroma.social/pleroma/pleroma/-/issues/3118
Reply count is out of sync
2023-05-04T12:27:51Z
seven
![screenshot](/uploads/e397a7906ce4ca7ba7366e577f55d69a/screenshot.png)
Steps to reproduce
1. Go to https://fedi.absturztau.be/notice/9q0Awcpm0ewDzZVdtw
2. Observe that reply count of the status is 1 but the status has 5 replies actually.

https://git.pleroma.social/pleroma/pleroma/-/issues/3117
Dangling follow request after quarantining some site
2024-01-07T13:34:59Z
tusooa
0. Quarantine misskey.io
1. Deny a follow request from that site
2. Failed

https://git.pleroma.social/pleroma/pleroma/-/issues/3115
Allow user to resend activation email.
2023-04-17T12:45:28Z
Ghost User
Activation emails can get lost, resulting in a user not having access to their account and a good username being taken needlessly.
I propose the following improvements:
* [ ] Ability on Pleroma-FE for a user to have their activation email re-sent.

https://git.pleroma.social/pleroma/pleroma/-/issues/3114
`content-disposition` HTTP header from uploaded media lacks `disposition-type` field
2023-04-26T15:39:22Z
Kagami Rosylight
<!--
### Precheck
* For support use https://git.pleroma.social/pleroma/pleroma-support or [community channels](https://git.pleroma.social/pleroma/pleroma#community-channels).
* Please do a quick search to ensure no similar bug has been reported before. If the bug has not been addressed after 2 weeks, it's fine to bump it.
* Try to ensure that the bug is actually related to the Pleroma backend. For example, if a bug happens in Pleroma-FE but not in Mastodon-FE or mobile clients, it's likely that the bug should be filed in [Pleroma-FE](https://git.pleroma.social/pleroma/pleroma-fe/issues/new) repository.
-->
### Bug description
It seems Pleroma sets the `content-disposition` field in an invalid way:
https://git.pleroma.social/pleroma/pleroma/-/blob/e853cfe7c3438650fd0f95bfe69e2bccfe12390c/lib/pleroma/web/plugs/uploaded_media.ex#L40
The format needs to start with `inline;` or `attachment;` but this line lacks that and caused an issue on recent versions of Misskey. (https://github.com/misskey-dev/misskey/issues/10626)