Just FYI, matrix-synapse is also vulnerable to this. If you run a matrix-synapse homeserver, here are instructions to fix this vulnerability in your homeserver:
1. Upgrade, then find Synapse
Ensure that you are running 1.82.0 or higher. This patch may work on older versions of Synapse but if it breaks something then it’s up to you to fix it.
To apply this hotfix, you will need to be able to modify synapse source code. You should be able to find synapse by using find and searching for synapse filenames.
2. Then Backup synapse/media/_base.py
Run cp synapse/media/_base{,.orig}.py to create a backup of _base.py so this change can be rolled back. You may need to update synapse before applying this patch!
3. Apply patch
Save the following as _base.diff
52a53,58 > HOTSERVE_CONTENT_TYPES = [ > "audio/", > "video/", > "image/" > ] > 153a160,166 > # Only hotserve "safe" mimetypes, force download everything else > disposition_type = "attachment" > for mime in HOTSERVE_CONTENT_TYPES: > if media_type.lower().startswith(mime): > disposition_type = "inline" > break > 176c189 < disposition = "inline; filename=%s" % (upload_name,) --- > disposition = "%s; filename=%s" % (disposition_type, upload_name,) 178c191 < disposition = "inline; filename*=utf-8''%s" % (_quote(upload_name),) --- > disposition = "%s; filename*=utf-8''%s" % (disposition_type, _quote(upload_name),)
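Review bot: the prefix match in the HOTSERVE_CONTENT_TYPES loop (media_type.lower().startswith(mime) with "image/") lets image/svg+xml through as inline, and an SVG document can carry script that runs in the origin the media is served from, which is the class of problem this hotfix is meant to close; match against an allowlist of exact types instead, e.g. if media_type.lower().split(";")[0].strip() in INLINE_CONTENT_TYPES, with image/svg+xml (and text/html, application/xhtml+xml) deliberately absent from that list. The loop also never strips ";" parameters from media_type before matching, which is harmless for a prefix test but has to be handled once you switch to exact matching.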
In synapse/media, run the following:
$ patch _base.py _base.diff
4. Check resulting hashes
The hashes of _base.py should be the following.
$ sha256sum _base{.orig,}.py
d6419fc1c1c4f55ccfd6b9a1514a874eed09650aef1c3ef461e96b8f72cbbd68 _base.orig.py
72d2dec451c1b0b147d15013e7147c3335a98d20eff05cfbf1984e6215ca7415 _base.py
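The following is an added example written for this thread, not Synapse's code and not the patch above. It builds the Content-Disposition value the way the hotfix intends (inline only for media a browser renders as a picture, sound or video, attachment for everything else) but generalises the idea with an exact-type allowlist instead of a "type/" prefix test, so that image/svg+xml, which can carry script, is forced to download. The INLINE_CONTENT_TYPES list is constructed for the example and is an assumption, not the upstream list; hotfix_disposition_type reproduces the prefix logic from the diff purely for comparison.

```python
import string
from functools import partial
from typing import Optional
from urllib.parse import quote

# Exact media types that may be served inline. Constructed list for this
# example (assumption: not the upstream Synapse list). The point is that it
# names concrete types, so image/svg+xml and text/html can never match.
INLINE_CONTENT_TYPES = frozenset({
    "image/jpeg", "image/png", "image/gif", "image/webp", "image/apng", "image/avif",
    "video/mp4", "video/webm", "video/ogg",
    "audio/mpeg", "audio/mp4", "audio/ogg", "audio/wav", "audio/x-wav",
    "audio/flac", "audio/aac", "audio/webm",
})

# Prefix list as in the posted hotfix, kept here only to show the difference.
HOTSERVE_CONTENT_TYPES = ["audio/", "video/", "image/"]

# RFC 7230 token characters: a filename made only of these can be emitted bare;
# anything else must go through the RFC 5987 filename* form.
_TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)

# percent-encode everything except unreserved characters (RFC 5987 ext-value)
_quote = partial(quote, safe="")


def _base_type(media_type: Optional[str]) -> str:
    """Lower-cased media type without parameters: 'IMAGE/PNG; q=1' -> 'image/png'."""
    if not media_type:
        return ""
    return media_type.split(";", 1)[0].strip().lower()


def hotfix_disposition_type(media_type: str) -> str:
    """The prefix check from the posted diff: 'inline' for any audio/, video/ or image/ type."""
    for mime in HOTSERVE_CONTENT_TYPES:
        if media_type.lower().startswith(mime):
            return "inline"
    return "attachment"


def disposition_type(media_type: Optional[str]) -> str:
    """Exact-type allowlist: 'inline' only for a listed type, 'attachment' otherwise."""
    return "inline" if _base_type(media_type) in INLINE_CONTENT_TYPES else "attachment"


def content_disposition(media_type: Optional[str], upload_name: Optional[str]) -> str:
    """Build the Content-Disposition header value for a media download response."""
    dtype = disposition_type(media_type)
    if not upload_name:
        return dtype
    if all(c in _TCHAR for c in upload_name):
        # plain token: no ';', '"' or whitespace possible, safe to emit unquoted
        return "%s; filename=%s" % (dtype, upload_name)
    # anything else (spaces, quotes, non-ASCII) uses the RFC 5987 form, which
    # also stops a crafted upload name from injecting extra header parameters
    return "%s; filename*=utf-8''%s" % (dtype, _quote(upload_name))


if __name__ == "__main__":
    for mt, name in [("image/png", "cat.png"), ("image/svg+xml", "logo.svg"),
                     ("text/html", "page.html"), ("image/png", "кот.png")]:
        print(mt, "->", content_disposition(mt, name),
              "(prefix check would say:", hotfix_disposition_type(mt) + ")")
```

Running it shows the one case where the two approaches disagree: the prefix check reports inline for image/svg+xml while the allowlist forces attachment. Every other non-token filename, including one containing `"` or `;`, is pushed into the percent-encoded filename* parameter rather than concatenated raw into the header.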
@ehhh @graf already done https://github.com/matrix-org/synapse/pull/15680