From: lain Date: Mon, 2 Mar 2020 17:00:04 +0000 (+0000) Subject: Merge branch 'prepared-statements-settings' into 'develop' X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=4c02e049358441529c54a72cd11f1c81ee897d49;hp=-c;p=akkoma Merge branch 'prepared-statements-settings' into 'develop' Prepared statements settings See merge request pleroma/pleroma!2238 --- 4c02e049358441529c54a72cd11f1c81ee897d49 diff --combined CHANGELOG.md index 37df345ed,ea72de896..c8f3794a3 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@@ -4,9 -4,6 +4,9 @@@ All notable changes to this project wil The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] +### Security +- Mastodon API: Fix being able to request enourmous amount of statuses in timelines leading to DoS. Now limited to 40 per request. + ### Removed - **Breaking**: Removed 1.0+ deprecated configurations `Pleroma.Upload, :strip_exif` and `:instance, :dedupe_media` - **Breaking**: OStatus protocol support @@@ -38,6 -35,7 +38,7 @@@ - Rate limiter is now disabled for localhost/socket (unless remoteip plug is enabled) - Logger: default log level changed from `warn` to `info`. - Config mix task `migrate_to_db` truncates `config` table before migrating the config file. + - Default to `prepare: :unnamed` in the database configuration.
API Changes @@@ -59,7 -57,6 +60,7 @@@ - Admin API: Render whole status in grouped reports - Mastodon API: User timelines will now respect blocks, unless you are getting the user timeline of somebody you blocked (which would be empty otherwise). - Mastodon API: Favoriting / Repeating a post multiple times will now return the identical response every time. Before, executing that action twice would return an error ("already favorited") on the second try. +- Mastodon API: Limit timeline requests to 3 per timeline per 500ms per user/ip by default.
### Added @@@ -108,7 -105,6 +109,7 @@@ - Configuration: `feed` option for user atom feed. - Pleroma API: Add Emoji reactions - Admin API: Add `/api/pleroma/admin/instances/:instance/statuses` - lists all statuses from a given instance +- Admin API: Add `/api/pleroma/admin/users/:nickname/statuses` - lists all statuses from a given user - Admin API: `PATCH /api/pleroma/users/confirm_email` to confirm email for multiple users, `PATCH /api/pleroma/users/resend_confirmation_email` to resend confirmation email for multiple users - ActivityPub: Configurable `type` field of the actors. - Mastodon API: `/api/v1/accounts/:id` has `source/pleroma/actor_type` field. @@@ -126,7 -122,6 +127,7 @@@ - Pleroma API: Add reactions for a single emoji. - ActivityPub: `[:activitypub, :note_replies_output_limit]` setting sets the number of note self-replies to output on outgoing federation. - Admin API: `GET /api/pleroma/admin/stats` to get status count by visibility scope +- Admin API: `GET /api/pleroma/admin/statuses` - list all statuses (accepts `godmode` and `local_only`) ### Fixed diff --combined config/config.exs index 9c4eb70a3,2b7a761ea..2cd741213 --- a/config/config.exs +++ b/config/config.exs @@@ -402,8 -402,6 +402,8 @@@ config :phoenix, :format_encoders, json config :phoenix, :json_library, Jason +config :phoenix, :filter_parameters, ["password", "confirm"] + config :pleroma, :gopher, enabled: false, ip: {0, 0, 0, 0}, @@@ -599,7 -597,6 +599,7 @@@ config :http_signatures config :pleroma, :rate_limit, authentication: {60_000, 15}, + timeline: {500, 3}, search: [{1000, 10}, {1000, 30}], app_account_creation: {1_800_000, 25}, relations_actions: {10_000, 10}, @@@ -624,7 -621,9 +624,9 @@@ config :pleroma, :modules, runtime_dir config :pleroma, configurable_from_database: false - config :pleroma, Pleroma.Repo, parameters: [gin_fuzzy_search_limit: "500"] + config :pleroma, Pleroma.Repo, + parameters: [gin_fuzzy_search_limit: "500"], + prepare: :unnamed # Import environment specific 
config. This must remain at the bottom # of this file so it overrides the configuration defined above.
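Review bot: typo in the new `### Security` entry of CHANGELOG.md (the `@@@ -4,9` hunk): `enourmous amount of statuses` should read `an enormous number of statuses`. While touching the line, name the request parameter that is now capped at 40 so operators and client authors can map the entry to the API call it affects.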
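Review bot: the new `Default to \`prepare: :unnamed\` in the database configuration.` line in the `@@@ -38,6` hunk of CHANGELOG.md gives neither a rationale nor a way back. `prepare` is the Postgrex option that selects named or unnamed prepared statements (`:named` is the driver default), so this changes how every query is sent to PostgreSQL on every instance; the entry should say why the default moved and that the previous behaviour can be restored with `config :pleroma, Pleroma.Repo, prepare: :named` in the instance config.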
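Review bot: the entry `Mastodon API: Limit timeline requests to 3 per timeline per 500ms per user/ip by default.` in the `@@@ -59,7` hunk is filed under API Changes while the 40-status cap it complements sits under Security, although both address the same timeline DoS; move it next to the Security entry or cross-reference the two, and state what a client receives when the limit is exceeded so client authors can handle it.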
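Review bot: the new `GET /api/pleroma/admin/statuses` entry in the `@@@ -126,7` hunk says the endpoint accepts `godmode` and `local_only` but not what either does. For an admin endpoint that lists all statuses, the entry should say whether `godmode` widens the result to non-public statuses, since that is the access-control decision a reviewer of the changelog needs to see.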
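Review bot: `config :phoenix, :filter_parameters, ["password", "confirm"]` in the `@@@ -402,8` hunk of config/config.exs carries no comment. Phoenix matches these entries as substrings of the parameter key, so `confirm` redacts every parameter whose name contains it (and `password` already covers `password_confirmation`); say which parameter `confirm` was added for, and note that this only affects Phoenix's own request logging. It deserves the comment all the more because the same release lowers the default log level from `warn` to `info`, so more request logging is on by default.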
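Review bot: `timeline: {500, 3}` in the `@@@ -599,7` hunk matches the CHANGELOG entry, but the same CHANGELOG states `Rate limiter is now disabled for localhost/socket (unless remoteip plug is enabled)`. On the common reverse-proxy deployment, where every request arrives from 127.0.0.1, this new limit, and with it part of the timeline DoS fix, is a no-op until the remoteip plug is enabled; add a comment beside the setting and a sentence in the Security entry pointing operators at that plug.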
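Review bot: the `prepare: :unnamed` line in the `@@@ -624,7` hunk of config/config.exs lands in the compile-time default config with no comment. Because `config/3` merges keyword lists, an operator's existing `config :pleroma, Pleroma.Repo, ...` block in the environment-specific config imported at the bottom of this file keeps this value unless `prepare` is set explicitly; put a one-line comment above it explaining the choice and that `prepare: :named` restores the Postgrex default.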