Official blog of Pixelfed
TL;DR: Update PHP to 7.3.11 or later as soon as possible; a recently published CVE allows remote code execution in certain nginx/php-fpm configurations.
We have become aware of a new security issue that surfaced within the past few days. It is serious: it allows remote code execution against certain nginx/php-fpm configurations. If you do not run Pixelfed behind NGINX, this does not affect you.
We recommend updating to PHP 7.3.11 or later as soon as possible. Updating PHP is the fix; the nginx change below is additional hardening that stops nginx from handing php-fpm a script path that does not exist on disk. If you used our example nginx configuration, change the following block from:
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # no existence check: every request matching this location is passed to
    # php-fpm, even when the named script is not present under $document_root
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
to:
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # answer 404 ourselves unless $document_root$fastcgi_script_name is a real
    # file, so php-fpm only ever receives scripts that exist on disk
    try_files $fastcgi_script_name =404;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
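To make concrete what the added try_files line changes, here is a small Python emulation of that location block. This is an added example, not Pixelfed's code and not an nginx component: it applies the two regexes from the config to a request path, optionally performs the existence check that try_files adds, and reports whether the request would be handed to php-fpm, answered 404 by nginx, or not matched by this location at all. The document root containing a single index.php is constructed by the script, and the function names and return tuples are this example's own.

```python
import os
import re
import tempfile

# Patterns copied from the nginx config above. Python's re and nginx's PCRE agree
# on these two: '.' does not match a newline and '$' anchors at the end.
LOCATION_PHP = re.compile(r"\.php$")
SPLIT_PATH_INFO = re.compile(r"^(.+\.php)(/.+)$")


def route_php_request(uri, document_root, try_files):
    r"""Emulate how the `location ~ \.php$` block decides what php-fpm receives.

    `uri` is the already-normalised request path (nginx percent-decodes before
    matching a location). Returns one of:
      ("no_match", None, None)                         - this location does not match
      ("404", None, None)                              - nginx answers itself
      ("fastcgi", SCRIPT_FILENAME, fastcgi_path_info)  - handed to php-fpm
    try_files=False models the original block, True the fixed one.
    """
    if not LOCATION_PHP.search(uri):
        return ("no_match", None, None)

    # fastcgi_split_path_info: on a match $fastcgi_script_name is group 1 and
    # $fastcgi_path_info is group 2; otherwise $fastcgi_script_name is the URI.
    m = SPLIT_PATH_INFO.match(uri)
    if m:
        script_name, path_info = m.group(1), m.group(2)
    else:
        script_name, path_info = uri, ""

    # try_files $fastcgi_script_name =404: refuse anything not on disk under root.
    script_filename = document_root + script_name
    if try_files and not os.path.isfile(script_filename):
        return ("404", None, None)

    return ("fastcgi", script_filename, path_info)


def compare_configs(uris, document_root):
    """Map each request path to (outcome with original block, outcome with fixed block)."""
    return {
        uri: (route_php_request(uri, document_root, try_files=False)[0],
              route_php_request(uri, document_root, try_files=True)[0])
        for uri in uris
    }


def make_demo_docroot():
    """Constructed document root holding only index.php, as a Laravel app's public/ would."""
    root = tempfile.mkdtemp(prefix="pixelfed-docroot-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';\n")
    return root


if __name__ == "__main__":
    root = make_demo_docroot()
    probes = ["/index.php", "/nothere.php", "/index.php/foo.php", "/nothere.php/x.php", "/index.php/foo"]
    for uri, (before, after) in compare_configs(probes, root).items():
        print(f"{uri:22s} original: {before:9s} fixed: {after}")
```

Run it and compare the two columns: with the original block, /nothere.php reaches php-fpm with a SCRIPT_FILENAME that does not exist, and /nothere.php/x.php reaches it with a split-off path-info part as well; with the fix, nginx answers both with 404 before php-fpm is involved. The emulation takes the decoded path only and models nothing beyond this one location block.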
If you have any questions, join our #pixelfed channel on Freenode!
— Pixelfed Team
TL;DR: We are using snowflake IDs as primary keys for posts and profiles, because auto-incremented IDs have many drawbacks.
Earlier this year we rolled out a new type of identifier for posts and profiles. Snowflake IDs are unique numeric identifiers that can be generated across multiple app and database servers without a central or distributed coordination source, because each ID combines a timestamp with datacenter, worker and sequence fields.
We decided to make this change for the following reasons:
- Scales better (supports region/datacenter and worker IDs)
- Better privacy: sequential IDs can be enumerated trivially, snowflake IDs are much harder to guess (they still encode the creation time and the issuing worker, so they are not secrets and do not replace authorization checks)
- Ability to support over 10k IDs per second across workers
- Naturally time-ordered, so sorting by ID sorts by creation time, unlike hashids/uuids/base62
- Supported for 69 years based on our epoch of February 2019
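For readers who want to see what such an ID contains, below is an added Python example (not Pixelfed's implementation, which is PHP) of a Twitter-style snowflake generator and decoder. The 41/5/5/12-bit layout and the exact epoch of 2019-02-01 UTC are assumptions: the post only gives the epoch month and the 69-year lifetime, which is what a 41-bit millisecond timestamp yields. The generator takes an injectable clock so the per-millisecond sequence and the clock-rollback path can be exercised deterministically.

```python
import threading
import time
from datetime import datetime, timezone

# Twitter-style layout, assumed for this example: 41 bits of milliseconds since a
# custom epoch, 5 bits datacenter, 5 bits worker, 12 bits sequence (63 bits used).
EPOCH_MS = 1548979200000  # 2019-02-01T00:00:00Z; the post only says "February 2019"
TIMESTAMP_BITS, DATACENTER_BITS, WORKER_BITS, SEQUENCE_BITS = 41, 5, 5, 12

MAX_TIMESTAMP = (1 << TIMESTAMP_BITS) - 1
MAX_DATACENTER = (1 << DATACENTER_BITS) - 1
MAX_WORKER = (1 << WORKER_BITS) - 1
MAX_SEQUENCE = (1 << SEQUENCE_BITS) - 1

WORKER_SHIFT = SEQUENCE_BITS
DATACENTER_SHIFT = SEQUENCE_BITS + WORKER_BITS
TIMESTAMP_SHIFT = SEQUENCE_BITS + WORKER_BITS + DATACENTER_BITS


def lifetime_years():
    """How long the timestamp field lasts from the epoch (the post's '69 years')."""
    return (1 << TIMESTAMP_BITS) / 1000 / 86400 / 365.25


def ids_per_second_per_worker():
    """Upper bound on IDs one worker can mint per second (4096 per millisecond)."""
    return (MAX_SEQUENCE + 1) * 1000


class Snowflake:
    """Mints IDs for one (datacenter, worker) pair with no coordination between workers."""

    def __init__(self, datacenter_id, worker_id, clock_ms=None):
        if not 0 <= datacenter_id <= MAX_DATACENTER:
            raise ValueError("datacenter_id out of range")
        if not 0 <= worker_id <= MAX_WORKER:
            raise ValueError("worker_id out of range")
        self.datacenter_id = datacenter_id
        self.worker_id = worker_id
        # Injectable millisecond clock so tests can drive the sequence and
        # the clock-rollback path deterministically.
        self._clock = clock_ms or (lambda: int(time.time() * 1000))
        self._lock = threading.Lock()
        self._last_ms = -1
        self._sequence = 0

    def next_id(self):
        with self._lock:
            now = self._clock()
            if now < self._last_ms:
                # A backwards clock could re-issue an ID; refuse rather than collide.
                raise RuntimeError("clock moved backwards; refusing to issue ids")
            if now == self._last_ms:
                self._sequence = (self._sequence + 1) & MAX_SEQUENCE
                if self._sequence == 0:
                    # 4096 IDs already issued this millisecond: wait for the next one.
                    while now <= self._last_ms:
                        now = self._clock()
            else:
                self._sequence = 0
            self._last_ms = now
            elapsed = now - EPOCH_MS
            if not 0 <= elapsed <= MAX_TIMESTAMP:
                raise RuntimeError("timestamp outside the representable range")
            return ((elapsed << TIMESTAMP_SHIFT)
                    | (self.datacenter_id << DATACENTER_SHIFT)
                    | (self.worker_id << WORKER_SHIFT)
                    | self._sequence)


def decode(snowflake_id):
    """Split an ID back into its fields: this is what anyone holding the ID can learn."""
    return {
        "timestamp_ms": (snowflake_id >> TIMESTAMP_SHIFT) + EPOCH_MS,
        "datacenter_id": (snowflake_id >> DATACENTER_SHIFT) & MAX_DATACENTER,
        "worker_id": (snowflake_id >> WORKER_SHIFT) & MAX_WORKER,
        "sequence": snowflake_id & MAX_SEQUENCE,
    }


def created_at(snowflake_id):
    """Creation time (UTC) recoverable from the ID alone."""
    return datetime.fromtimestamp(decode(snowflake_id)["timestamp_ms"] / 1000, tz=timezone.utc)


if __name__ == "__main__":
    gen = Snowflake(datacenter_id=1, worker_id=2)
    ids = [gen.next_id() for _ in range(3)]
    print(ids, "sorted by creation:", ids == sorted(ids))
    print(decode(ids[0]), created_at(ids[0]).isoformat())
    print(f"lifetime ~{lifetime_years():.1f} years, {ids_per_second_per_worker()} ids/s/worker")
```

decode() is the privacy caveat in code: an ID reveals when it was created and which worker issued it, so it is far harder to enumerate than a counter but is not a secret, and access to a post still has to be authorized separately.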
We look forward to adding snowflake id support to the rest of the code base in the coming months!
— Pixelfed Team
Welcome to the official Pixelfed blog, hosted by our friends Write.as.
We look forward to sharing more in-depth blog posts this summer!