mirror of https://akkoma.dev/AkkomaGang/akkoma
96fe080e6e
Notably at least two instances were not properly guarded from path traversal attack before and are only now fixed by using SafeZip: - frontend installation did never check for malicious paths. But given a malicious froontend could already, e.g. steal all user tokens even without this, in the real world admins should only use frontends from trusted sources and the practical implications are minimal - the emoji pack update/upload API taking a ZIP file did not protect against path traversal. While atm only admins can use these emoji endpoints, emoji packs are typically considered "harmless" and used without prior verification from various sources. Thus this appears more concerning. |
||
|---|---|---|
| .. | ||
| ecto | ||
| search | ||
| activity.ex | ||
| app.ex | ||
| benchmark.ex | ||
| config.ex | ||
| count_statuses.ex | ||
| database.ex | ||
| diagnostics.ex | ||
| digest.ex | ||
| docs.ex | ||
| ecto.ex | ||
| email.ex | ||
| emoji.ex | ||
| frontend.ex | ||
| instance.ex | ||
| notification_settings.ex | ||
| openapi_spec.ex | ||
| refresh_counter_cache.ex | ||
| relay.ex | ||
| robots_txt.ex | ||
| search.ex | ||
| security.ex | ||
| uploads.ex | ||
| user.ex | ||