nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'hotfix/0.5.7.1'

Browse source
This commit is contained in:
Dennis Schubert 2016-03-08 22:53:49 +01:00
commit 9a8cecd89c
3 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Changelog.md
View file

@ -1,3 +1,9 @@
# 0.5.7.1
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
# 0.5.7.0 # 0.5.7.0
## Refactor ## Refactor

2
config/defaults.yml
View file

@ -4,7 +4,7 @@
defaults: defaults:
version: version:
number: "0.5.7.0" # Do not touch unless doing a release, do not backport the version number that's in master number: "0.5.7.1" # Do not touch unless doing a release, do not backport the version number that's in master
heroku: false heroku: false
environment: environment:
url: "http://localhost:3000/" url: "http://localhost:3000/"

2
lib/federated/relayable.rb
View file

@ -40,7 +40,7 @@ module Federated
end end
def fetch_parent guid def fetch_parent guid
Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle raise Diaspora::PostNotFetchable
end end
end end
end end