Merge branch 'stable' into develop
commit
aa873199f8
2 changed files with 7 additions and 1 deletions
|
|
@ -147,6 +147,12 @@ Contributions are very welcome, the hard work is done!
|
|||
## Features
|
||||
* Added the footer to conversation pages [#6710](https://github.com/diaspora/diaspora/pull/6710)
|
||||
|
||||
# 0.5.7.1
|
||||
|
||||
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
|
||||
|
||||
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.
|
||||
|
||||
# 0.5.7.0
|
||||
|
||||
## Refactor
|
||||
|
|
|
|||
|
|
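Review bot: The 0.5.7.1 entry says what was disabled but not which releases carry the insecure root-post fetching or what a podmin has to do. A line naming the affected versions and stating that upgrading is the whole fix would let an operator decide how urgent this is. It would also help to say what "a bit less reliable" means in practice, which from the code change appears to be that a relayable whose parent post is not already known locally will no longer be processed. Small wording point in the second paragraph: "when we moved out the federation" reads better as "once we have moved the federation".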
@ -40,7 +40,7 @@ module Federated
|
|||
end
|
||||
|
||||
def fetch_parent guid
|
||||
Diaspora::Fetcher::Single.find_or_fetch_from_remote guid, diaspora_handle
|
||||
raise Diaspora::PostNotFetchable
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
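Review bot: In `fetch_parent`, the body now reduces to an unconditional `raise Diaspora::PostNotFetchable`, with nothing in the code saying that this is a deliberate security hotfix. Judging by the 7-to-7 line count and the changelog text, the `find_or_fetch_from_remote` call is the removed line. A short comment pointing at the 0.5.7.1 changelog entry, and at the plan to re-enable fetching in 0.6.0.0, would keep someone from restoring the call as an apparent bug fix. The `guid` parameter is now unused, which is fine for keeping the signature stable but worth noting in the same comment. The commit touches only two files, so no spec covers the new behaviour. A test asserting that `fetch_parent` raises and makes no remote request would guard against regressions until proper validation lands. Please also confirm that every caller rescues `Diaspora::PostNotFetchable`, so that an incoming relayable with an unknown parent is dropped cleanly rather than failing the receiving job.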