**webb** @w@arachnid.town · May 26, 2023, 21:09

**webb** @w@arachnid.town · May 26, 2023, 21:09

webb @w@arachnid.town

May 26, 2023, 21:09

I wrote a little blogpost on how you can mitigate the recent Pleroma vulnerabilities if you're using nginx:

https://webb.spiderden.org/2023/05/26/pleroma-mitigation/

**m0xEE** @m0xee@librem.one · May 27, 2023, 05:29

**m0xEE** @m0xee@librem.one · May 27, 2023, 05:29

May 27, 2023, 05:29

m0xEE @m0xee@librem.one

@w Nice guide!
I only have one question: why reconfigure Pleroma to use the subdomain for uploads if I set up a redirect anyway? When permanent fix arrives I can just get rid of the subdomain, but if I reconfigure Pleroma, URLs in new posts would have the subdomain in them so I would have to keep it up (and its cert) forever so the links to images don't become broken.

**webb** @w@arachnid.town · May 27, 2023, 11:21

**webb** @w@arachnid.town · May 27, 2023, 11:21

May 27, 2023, 11:21

webb @w@arachnid.town

@m0xee Because the issue is the resource itself being fetched on the root domain.

**m0xEE** @m0xee@librem.one · May 27, 2023, 11:44

**m0xEE** @m0xee@librem.one · May 27, 2023, 11:44

May 27, 2023, 11:44

m0xEE @m0xee@librem.one

@w No, I get it, but if redirect fixes it for old posts, why won't it do the trick for new ones? Why is it necessary for newer post to contain direct links to https://media.my.domain, not the usual https://my.domain/media, that get redirected to https://media.my.domain?
Is it assumed that older posts don't contain the malicious script, but newer ones might? Is redirect treated differently from XSS perspective?

**m0xEE** @m0xee@librem.one · 2023-05-27T11:46:11Z

m0xEE @m0xee@librem.one

@w Ugh! Link parser ate the https://, but I think you get the idea 😅

May 27, 2023, 11:46 · Web · · ·