Notices where this attachment appears
-
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 02:54:58 JST 
Alex Gleason
Pleroma / Akkoma / Rebased need to be patched, but here’s how you can secure your site without any code changes:
yoursite.com/media -> media.yoursite.com
yoursite.com/proxy -> proxy.yoursite.comTo do this, add the following configuration to your site:
config :pleroma, Pleroma.Upload, base_url: "https://media.yoursite.com" config :pleroma, :media_proxy, base_url: "https://proxy.yoursite.com"You will need to add DNS records for the subdomains. For media, it’s recommended to use an S3 bucket (or equivalent). For the proxy, you can simply point the DNS to the same server, and edit your Nginx file. A sample Nginx file is here: https://termbin.com/tj7q You’re on your own setting up letsencrypt, etc.
Here’s what does NOT work:
A CSP one-liner in Nginx. That’s not how CSP works. CSP affects the page it was loaded on, not other resources. This is straight up misinformation.
Disabling the media proxy on its own. The media proxy does appear to be vulnerable, but it cannot be the only action you take.
076萌SNS is a social network, courtesy of 076. It runs on GNU social, version 2.0.2-beta0, available under the GNU Affero General Public License.
All 076萌SNS content and data are available under the Creative Commons Attribution 3.0 license.