## unreleased-patch - ???
+### Security
+- Fix metadata leak for accounts and statuses on private instances
+
+### Changed
+
+- **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a <link> header tag for the actual RSS/Atom feed when the instance is public.
+
+### Added
+
+- Rich media failure tracking (along with `:failure_backoff` option)
+
### Fixed
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
config :pleroma, Pleroma.Web.Metadata,
providers: [
Pleroma.Web.Metadata.Providers.OpenGraph,
- Pleroma.Web.Metadata.Providers.TwitterCard,
- Pleroma.Web.Metadata.Providers.RelMe,
- Pleroma.Web.Metadata.Providers.Feed
+ Pleroma.Web.Metadata.Providers.TwitterCard
],
unfurl_nsfw: false
* `providers`: a list of metadata providers to enable. Providers available:
* `Pleroma.Web.Metadata.Providers.OpenGraph`
* `Pleroma.Web.Metadata.Providers.TwitterCard`
- * `Pleroma.Web.Metadata.Providers.RelMe` - add links from user bio with rel=me into the `<header>` as `<link rel=me>`.
- * `Pleroma.Web.Metadata.Providers.Feed` - add a link to a user's Atom feed into the `<header>` as `<link rel=alternate>`.
* `unfurl_nsfw`: If set to `true` nsfw attachments will be shown in previews.
### :rich_media (consumer)
alias Pleroma.Web.ActivityPub.ActivityPub
alias Pleroma.Web.Feed.FeedView
- def feed(conn, %{"tag" => raw_tag} = params) do
+ def feed(conn, params) do
+ unless Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do
+ render_feed(conn, params)
+ else
+ render_error(conn, :not_found, "Not found")
+ end
+ end
+
+ def render_feed(conn, %{"tag" => raw_tag} = params) do
{format, tag} = parse_tag(raw_tag)
activities =
end
end
- def feed(conn, %{"nickname" => nickname} = params) do
+ def feed(conn, params) do
+ unless Pleroma.Config.restrict_unauthenticated_access?(:profiles, :local) do
+ render_feed(conn, params)
+ else
+ errors(conn, {:error, :not_found})
+ end
+ end
+
+ def render_feed(conn, %{"nickname" => nickname} = params) do
format = get_format(conn)
format =
def build_tags(params) do
providers = [
+ Pleroma.Web.Metadata.Providers.RelMe,
Pleroma.Web.Metadata.Providers.RestrictIndexing
- | Pleroma.Config.get([__MODULE__, :providers], [])
+ | activated_providers()
]
Enum.reduce(providers, "", fn parser, acc ->
def activity_nsfw?(_) do
false
end
+
+ defp activated_providers do
+ unless Pleroma.Config.restrict_unauthenticated_access?(:activities, :local) do
+ [Pleroma.Web.Metadata.Providers.Feed | Pleroma.Config.get([__MODULE__, :providers], [])]
+ else
+ []
+ end
+ end
end
'yeah #PleromaArt'
]
end
+
+ describe "private instance" do
+ setup do: clear_config([:instance, :public])
+
+ test "returns 404 for tags feed", %{conn: conn} do
+ Config.put([:instance, :public], false)
+
+ conn
+ |> put_req_header("accept", "application/rss+xml")
+ |> get(tag_feed_path(conn, :feed, "pleromaart"))
+ |> response(404)
+ end
+ end
end
assert response == ~S({"error":"Not found"})
end
end
+
+ describe "private instance" do
+ setup do: clear_config([:instance, :public])
+
+ test "returns 404 for user feed", %{conn: conn} do
+ Config.put([:instance, :public], false)
+ user = insert(:user)
+
+ {:ok, _} = CommonAPI.post(user, %{status: "test"})
+
+ assert conn
+ |> put_req_header("accept", "application/atom+xml")
+ |> get(user_feed_path(conn, :feed, user.nickname))
+ |> response(404)
+ end
+ end
end
"<meta content=\"noindex, noarchive\" name=\"robots\">"
end
end
+
+ describe "no metadata for private instances" do
+ test "for local user" do
+ clear_config([:instance, :public], false)
+ user = insert(:user, bio: "This is my secret fedi account bio")
+
+ assert "" = Pleroma.Web.Metadata.build_tags(%{user: user})
+ end
+ end
end
projects / akkoma / commitdiff