changelog: entries for timeline DoS fixes

author rinpatch <rinpatch@sdf.org>

Fri, 28 Feb 2020 14:59:16 +0000 (17:59 +0300)

committer rinpatch <rinpatch@sdf.org>

Sat, 29 Feb 2020 22:13:08 +0000 (01:13 +0300)
author rinpatch <rinpatch@sdf.org>
Fri, 28 Feb 2020 14:59:16 +0000 (17:59 +0300)
committer rinpatch <rinpatch@sdf.org>
Sat, 29 Feb 2020 22:13:08 +0000 (01:13 +0300)
diff --git a/CHANGELOG.md b/CHANGELOG.md

index 12f7e8fab9e66d485c1677454a5232297d123986..37df345ede5ad12372fe7f5dab7e9d7f459be8de 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  
  ## [Unreleased]
+### Security
+- Mastodon API: Fix being able to request enourmous amount of statuses in timelines leading to DoS. Now limited to 40 per request.
+
  ### Removed
  - **Breaking**: Removed 1.0+ deprecated configurations `Pleroma.Upload, :strip_exif` and `:instance, :dedupe_media`
  - **Breaking**: OStatus protocol support
@@ -56,6 +59,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  - Admin API: Render whole status in grouped reports
  - Mastodon API: User timelines will now respect blocks, unless you are getting the user timeline of somebody you blocked (which would be empty otherwise).
  - Mastodon API: Favoriting / Repeating a post multiple times will now return the identical response every time. Before, executing that action twice would return an error ("already favorited") on the second try.
+- Mastodon API: Limit timeline requests to 3 per timeline per 500ms per user/ip by default.
  </details>
  
  ### Added
author	rinpatch <rinpatch@sdf.org>
	Fri, 28 Feb 2020 14:59:16 +0000 (17:59 +0300)
committer	rinpatch <rinpatch@sdf.org>
	Sat, 29 Feb 2020 22:13:08 +0000 (01:13 +0300)