## v2.7.1 (31487e5b)
### Changed

- Accept `application/activity+json` for requests to `/.well-known/nodeinfo`

### Fixed

- Truncate remote user fields so they are not rejected
- Improve the `FollowValidator` to successfully handle incoming activities with an errant `cc` field
- Resolved an edge case where the API can report you are following a user while the relationship is not fully established
- The Swoosh email adapter for Mailgun was missing a new dependency on `:multipart`
- Fix Mastodon WebSocket authentication
## v2.6.2 (fb4aa9f7)
### Security

- MRF StealEmojiPolicy: Sanitize shortcodes (thanks to Hazel K for the report)
## v2.5.5 (f966abe4)
Prevents users from accessing media of other users by creating a status with reused attachment ID
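The fix above is an authorization check on attachment ownership: a media ID supplied with a new status must belong to the actor posting it. The following is an added example and is not Pleroma's own code. It assumes a hypothetical in-memory `@uploads` map standing in for the database and illustrative field names (`:id`, `:actor`, `:url`), and contrasts a lookup by ID alone with one that requires every ID to resolve to an upload owned by the posting actor.

```elixir
defmodule AttachmentGuard do
  # Added example, not Pleroma's code. The store and its field names are
  # hypothetical stand-ins for the real database schema.

  # Constructed sample data: two uploads owned by two different actors.
  @uploads %{
    "101" => %{id: "101", actor: "https://example.org/users/alice", url: "/media/a.png"},
    "202" => %{id: "202", actor: "https://example.org/users/bob", url: "/media/b.png"}
  }

  def uploads, do: @uploads

  # Vulnerable shape: attachments are resolved by ID alone, so any known or
  # guessed ID can be attached to a new status and republished by a stranger.
  def attach_unchecked(media_ids, store \\ @uploads) do
    media_ids
    |> Enum.map(&Map.get(store, &1))
    |> Enum.reject(&is_nil/1)
  end

  # Hardened: each ID must resolve to an upload whose actor is the poster.
  # A single unknown or foreign ID rejects the whole request rather than being
  # silently dropped, so the client gets an error instead of a partial post.
  def attach_owned(actor_ap_id, media_ids, store \\ @uploads) do
    media_ids
    |> Enum.reduce_while({:ok, []}, fn id, {:ok, acc} ->
      case Map.get(store, id) do
        %{actor: ^actor_ap_id} = upload -> {:cont, {:ok, [upload | acc]}}
        _ -> {:halt, {:error, {:forbidden_attachment, id}}}
      end
    end)
    |> case do
      {:ok, uploads} -> {:ok, Enum.reverse(uploads)}
      error -> error
    end
  end
end
```

Calling `AttachmentGuard.attach_owned("https://example.org/users/bob", ["101"])` refuses Alice's upload, while `attach_unchecked(["101"])` hands it over to anyone. Failing closed on the whole list is deliberate: filtering foreign IDs out quietly would still let a client probe which IDs exist.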
## v2.5.4 (1f4be2b3)
Fix an XML External Entity (XXE) loading vulnerability that allowed fetching arbitrary files from the server's filesystem
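Erlang's `:xmerl` scanner, the usual XML parser in Elixir projects, resolves external entities by default, which is the general bug class behind the fix above. The example below is added here and is not Pleroma's code: it assumes only OTP's bundled `xmerl` application, a constructed payload, and a hypothetical `file:///etc/hostname` target, and contrasts the default parse with one whose `fetch_fun` refuses every external resource.

```elixir
defmodule XxeDemo do
  # Added example, not Pleroma's code. Assumes only OTP's bundled :xmerl.
  require Record
  Record.defrecord(:xmlText, Record.extract(:xmlText, from_lib: "xmerl/include/xmerl.hrl"))

  # Constructed attacker input: the entity's system id points at a local file.
  @payload ~S"""
  <?xml version="1.0"?>
  <!DOCTYPE feed [
    <!ENTITY xxe SYSTEM "file:///etc/hostname">
  ]>
  <feed><title>&xxe;</title></feed>
  """

  def payload, do: @payload

  # Vulnerable: :xmerl_scan's default fetch_fun maps a file: URI onto a
  # filesystem read, so the file's contents are expanded into <title>.
  def title_unsafe(xml) do
    {doc, _rest} = :xmerl_scan.string(String.to_charlist(xml), quiet: true)
    {:ok, title_text(doc)}
  end

  # Hardened: a fetch_fun that raises on any external resource. xmerl calls it
  # with {:system, uri} or {:public, pub_id, uri}; raising aborts the scan, so
  # a document that needs an external entity is rejected as a whole.
  # :xmerl_scan reports its own parse errors with exit/1, hence the catch clause.
  def title_safe(xml) do
    refuse = fn ext_id, _state -> raise "refused external entity #{inspect(ext_id)}" end

    {doc, _rest} =
      :xmerl_scan.string(String.to_charlist(xml), quiet: true, fetch_fun: refuse)

    {:ok, title_text(doc)}
  rescue
    _ -> :error
  catch
    :exit, _ -> :error
  end

  # Collect the text nodes under <title> into a binary.
  defp title_text(doc) do
    ~c"//title/text()"
    |> :xmerl_xpath.string(doc)
    |> Enum.map_join(fn node -> List.to_string(xmlText(node, :value)) end)
  end
end
```

Run against `XxeDemo.payload()`, `title_unsafe/1` hands back whatever the target file contains as the feed title, while `title_safe/1` returns `:error`. Rejecting the whole document is the right trade-off for federated input, which has no legitimate need for external entities. Newer xmerl releases are assumed here to also accept an `allow_entities: false` option that stops entity processing at the scanner; check the `xmerl_scan` documentation for your OTP version before relying on it.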
## v2.5.3 (ff2f3862)
### Security

- Emoji pack loader sanitizes pack names
- Reduced permissions of config files and directories; distros requiring greater permissions, such as group-read, need to pre-create the directories
## v2.5.1 (fd46f83d)
Release 2.5.1

### Added

- Allow customizing instance languages

### Fixed

- Security: the upload HTTP endpoint can no longer create directories in the upload dir (internal APIs, like backup, still can)
- `~` characters in URLs in Markdown posts are handled properly
- Exiftool upload filter will now ignore SVG files
- Fix `block_from_stranger` setting
- Fix rel="me"
- Docker images will now run properly
- Fix improper content being cached in report content
- Notification filter on object content will not operate on objects that inherently have no content
- ZWNJ and double dots in links are parsed properly for plain-text posts
- OTP releases will work on systems with a newer libcrypt
- Errors from the Exiftool.ReadDescription filter are no longer written into the image description
## v2.4.5 (76bdb01c)
- Image `class` attributes not being scrubbed, allowing frontend special classes to be exploited [!3792](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3792)
- Delete report notifs when demoting from superuser [!3642](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3642)
- Validate `mediaType` only by its format rather than using a list [!3597](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3597)
- Pagination: Make mutes and blocks lists behave the same as other lists [!3693](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3693)
- Compatibility with Elixir 1.14 [!3740](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3740)
- Frontend installer: FediFE build URL [!3736](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3736)
- Streaming: Don't stream ChatMessage into the home timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738)
- Streaming: Stream local-only posts in the local timeline [!3738](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3738)
- Signatures: Fix `keyId` lookup for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725)
- Validator: Fix `replies` handling for GoToSocial [!3725](https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725)