Have you ever tried downloading an emoji pack from a server? No? Well that's the vulnerable code.
Anyway, hopefully everyone is using S3 for uploads by now and has the dedupe filter enabled.
Patch is being merged into Rebased now: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263
A patch was ready yesterday but I figured I'd wait until after it landed upstream first.
quoting note1ch0…p442:

> A new Pleroma security release is out that you should install immediately. If you cannot do so for some reason, activate filename anonymization.
>
> Thanks to feld (npub1yck…ujmw) and Haelwenn /элвэн/ :triskell: (npub1ysu…2jyl) for handling this so quickly!
>
> https://pleroma.social/announcements/2023/08/04/pleroma-security-release-2.5.3/
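The two mitigations named above (S3 as the upload backend with the dedupe filter, and filename anonymization for instances that cannot upgrade yet) are both upload-pipeline settings in Pleroma's `config/prod.secret.exs`. The following is an added example of what that configuration looks like; it is not code from the post or from the Pleroma release, and the bucket name, region and credential placeholders are assumptions to be replaced with your own values.

```elixir
# config/prod.secret.exs (added example, not from the post or the release)
import Config

# Send uploads to S3 instead of the local filesystem, and run them through
# the Dedupe filter (stores the file under a hash of its contents, so the
# client-supplied filename never becomes a path on disk) and the
# AnonymizeFilename filter (replaces the original filename in the returned URL).
config :pleroma, Pleroma.Upload,
  uploader: Pleroma.Uploaders.S3,
  filters: [
    Pleroma.Upload.Filter.Dedupe,
    Pleroma.Upload.Filter.AnonymizeFilename
  ]

# Bucket name is a placeholder; use your own.
config :pleroma, Pleroma.Uploaders.S3,
  bucket: "REPLACE-WITH-YOUR-BUCKET"

# S3 credentials for ex_aws; values are placeholders.
config :ex_aws, :s3,
  access_key_id: System.get_env("AWS_ACCESS_KEY_ID"),
  secret_access_key: System.get_env("AWS_SECRET_ACCESS_KEY"),
  region: "REPLACE-WITH-YOUR-REGION"

# Optional: a fixed replacement name instead of a random one.
config :pleroma, Pleroma.Upload.Filter.AnonymizeFilename,
  text: "upload"
```

If you are staying on the local uploader until you can apply 2.5.3, the `filters` list alone is the part that matters: keep `Pleroma.Upload.Filter.AnonymizeFilename` in it, then restart the instance and confirm that a freshly uploaded file's URL no longer contains the name you gave it.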