Conversation
Notices
anime graf mays 🛰️🪐 (graf@poa.st)'s status on Monday, 29-May-2023 04:11:18 JST:
For those wondering, here is the complete exploit by user "Fallout76" (ironic), attached as a txt file in a zip because Soapbox FE sanitizes for this. This works on Pleroma FE (not Soapbox), maybe other FEs.
The file has been deleted (was several days ago) and I have disabled Pleroma FE for now until this vulnerability has been dealt with.
anime graf mays 🛰️🪐 (graf@poa.st)'s status on Monday, 29-May-2023 04:11:18 JST:
Just FYI, matrix-synapse is also vulnerable to this. If you run a matrix-synapse homeserver, here are instructions to fix this vulnerability in your homeserver.

1. Upgrade, then find Synapse. Ensure that you are running 1.82.0 or higher. This patch may work on older versions of Synapse, but if it breaks something then it's up to you to fix it.
To apply this hotfix, you will need to be able to modify the Synapse source code. You should be able to find Synapse by using find and searching for synapse filenames.

2. Then back up synapse/media/_base.py. Run cp synapse/media/_base{,.orig}.py to create a backup of _base.py so this change can be rolled back. You may need to update Synapse before applying this patch!

3. Apply patch. Save the following as _base.diff:
52a53,58 > HOTSERVE_CONTENT_TYPES = [ > "audio/", > "video/", > "image/" > ] > 153a160,166 > # Only hotserve "safe" mimetypes, force download everything else > disposition_type = "attachment" > for mime in HOTSERVE_CONTENT_TYPES: > if media_type.lower().startswith(mime): > disposition_type = "inline" > break > 176c189 < disposition = "inline; filename=%s" % (upload_name,) --- > disposition = "%s; filename=%s" % (disposition_type, upload_name,) 178c191 < disposition = "inline; filename*=utf-8''%s" % (_quote(upload_name),) --- > disposition = "%s; filename*=utf-8''%s" % (disposition_type, _quote(upload_name),)In synapse/media, run the following:
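Review bot: the "image/" prefix added in the 52a53,58 hunk also matches image/svg+xml, and an SVG can carry script, so an upload stored with that type is still served inline and the stored-XSS this hotfix is meant to stop survives for that one type; list the safe image types explicitly ("image/png", "image/jpeg", "image/gif", ...) or reject "image/svg+xml" before the prefix loop runs.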
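Review bot: the loop added at 153a160,166 decides on media_type, which is the Content-Type the uploader supplied, not on the bytes in the file, so anything labelled image/*, audio/* or video/* is served inline whatever it actually contains; that is only safe if the same response also carries X-Content-Type-Options: nosniff so the browser cannot sniff it into a document. Confirm that header is set in the surrounding function, and change the "safe" in the comment to say that the list is a prefix allowlist, since the check is `media_type.lower().startswith(mime)` rather than an exact match.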
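Review bot: the 176c189 and 178c191 hunks only swap the literal "inline" for disposition_type; the `disposition = "%s; filename=%s" % (disposition_type, upload_name,)` line at 189 still interpolates the upload name unquoted, exactly as the original did, so an upload name containing ';' or '"' can still add parameters to the header, and only the filename*= branch at 191 goes through _quote. Pass the plain filename through the same quoting, or wrap it in double quotes after stripping '"'. Note also that this is a normal-format diff pinned to exact line numbers with no context lines, so on any _base.py other than the one these offsets came from, patch will reject or misplace a hunk: check its exit status and the sha256 in step 4 before restarting Synapse.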
$ patch _base.py _base.diff

4. Check resulting hashes. The hashes of _base.py should be the following.
$ sha256sum _base{.orig,}.py
d6419fc1c1c4f55ccfd6b9a1514a874eed09650aef1c3ef461e96b8f72cbbd68  _base.orig.py
72d2dec451c1b0b147d15013e7147c3335a98d20eff05cfbf1984e6215ca7415  _base.py
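The approach in the hotfix above (serve a small set of media types inline, force a download for everything else), as an added example in Python that is not Synapse's code and not the post's own: it puts the post's prefix rule next to an exact-type allowlist so the one type a prefix match gets wrong, image/svg+xml, stands out, and it quotes the plain filename. The allowlist, the helper names and the sample Content-Type values are assumptions made for this example, not taken from Synapse or from the thread.

```python
from typing import List, Optional, Tuple
from urllib.parse import quote

# Assumption: this allowlist is chosen for the example; it is not the list
# from the post above, nor one taken from Synapse.
INLINE_CONTENT_TYPES = frozenset({
    "image/gif", "image/jpeg", "image/png", "image/webp",
    "audio/mpeg", "audio/ogg", "audio/wav",
    "video/mp4", "video/webm", "video/ogg",
})


def disposition_type_prefix(media_type: str) -> str:
    """The hotfix's rule as posted: anything under audio/, video/ or image/
    is served inline, everything else is forced to download."""
    for prefix in ("audio/", "video/", "image/"):
        if media_type.lower().startswith(prefix):
            return "inline"
    return "attachment"


def disposition_type_allowlist(media_type: str) -> str:
    """Stricter rule: only exact, script-free types are served inline.

    Parameters ("image/png; name=x") are dropped and the type is lower-cased
    before the lookup, so odd casing or a trailing parameter cannot dodge the
    check. image/svg+xml is left out on purpose: it is image/* but an SVG
    document may contain <script>.
    """
    bare = media_type.split(";", 1)[0].strip().lower()
    return "inline" if bare in INLINE_CONTENT_TYPES else "attachment"


def content_disposition(media_type: str, upload_name: Optional[str]) -> str:
    """Build the Content-Disposition value the way the patched _base.py does
    (plain filename= for ASCII names, RFC 5987 filename*= otherwise), but with
    the type chosen by the exact allowlist and the plain filename quoted, so
    ';' or '"' in an upload name cannot smuggle extra header parameters."""
    dtype = disposition_type_allowlist(media_type)
    if upload_name is None:
        return dtype
    try:
        upload_name.encode("ascii")
    except UnicodeEncodeError:
        return "%s; filename*=utf-8''%s" % (dtype, quote(upload_name))
    safe = upload_name.replace("\\", "").replace('"', "")
    return '%s; filename="%s"' % (dtype, safe)


def compare(media_types: List[str]) -> List[Tuple[str, str, str]]:
    """(media_type, prefix rule, allowlist rule) per input; the rows where the
    two columns differ are exactly the types the prefix match gets wrong."""
    return [(m, disposition_type_prefix(m), disposition_type_allowlist(m))
            for m in media_types]


# Constructed sample of Content-Type values an uploader might send; not data
# taken from the thread.
SAMPLE_TYPES = [
    "text/html",
    "image/png",
    "IMAGE/PNG; name=x",
    "image/svg+xml",
    "application/xhtml+xml",
    "audio/mpeg",
]

if __name__ == "__main__":
    for media_type, by_prefix, by_allowlist in compare(SAMPLE_TYPES):
        flag = "  <-- differs" if by_prefix != by_allowlist else ""
        print("%-24s prefix=%-10s allowlist=%s%s"
              % (media_type, by_prefix, by_allowlist, flag))
```

Running it shows text/html and application/xhtml+xml forced to download under both rules and image/svg+xml inline under the prefix rule only. Either rule still trusts the stored media type rather than the file's bytes, so the response must also carry X-Content-Type-Options: nosniff for the disposition header to be worth anything against a browser that would otherwise sniff the body.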
cyberpunklord420 (ehhh@varishangout.net)'s status on Wednesday, 31-May-2023 18:11:58 JST:
Someone should also mention this to the devs so that they can patch it in future versions.

matrix07012 (matrix@gameliberty.club)'s status on Wednesday, 31-May-2023 18:12:46 JST:
@ehhh @graf already done: https://github.com/matrix-org/synapse/pull/15680