Commit Graph

1498 Commits

Author SHA1 Message Date
Misty De Méo ba20b7d86a
Merge upstream changes from v4.0.15 (#1344)
This includes the security content of Mastodon 4.0.15/4.2.7.
https://github.com/mastodon/mastodon/releases/tag/v4.2.7

---------

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Matt Jankowski <matt@jankowski.online>
2024-02-16 07:30:14 -08:00
Misty De Méo 3c9599f19a
Upstream backports (#1343)
This backports the commits from the upstream `stable-4.0` branch,
including the security content of
[4.2.6](https://github.com/mastodon/mastodon/releases/tag/v4.2.6).

---------

Co-authored-by: blah <blah@blah>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2024-02-14 10:31:19 -08:00
Jasmin 13fa4f70cc
Merge security fixes of mastodon v4.0.13 (#1340)
There were some smaller merge conflicts (e.g. in `lib/version.rb`), but
all of them were of smaller nature. Due to the fact that other v4.0.*
versions are also included, it's a bit bigger than the other PR for 3.5.

I won't repeat the changelog here, the upgrade is the usual *git pull
and restart all mastodon processes*.

---------

Co-authored-by: Michael Stanclift <mx@vmstan.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Co-authored-by: Renaud Chaput <renchap@gmail.com>
Co-authored-by: Daniel M Brasil <danielmbrasil@protonmail.com>
Co-authored-by: yufushiro <62991447+yufushiro@users.noreply.github.com>
Co-authored-by: Nicolai Søborg <NicolaiSoeborg@users.noreply.github.com>
Co-authored-by: Essem <smswessem@gmail.com>
Co-authored-by: Jakob Gillich <jakob@gillich.me>
Co-authored-by: David Aaron <1858430+suddjian@users.noreply.github.com>
Co-authored-by: Matt Jankowski <matt@jankowski.online>
2024-02-01 10:38:13 -05:00
Jasmin 3b69a29703
Merge changes of 4.0.7..4.0.10 (#1324)
This includes all changes made in
https://github.com/mastodon/mastodon/releases/tag/v4.0.7 and
https://github.com/mastodon/mastodon/releases/tag/v4.0.8 and therefore
requires:

⚠️ Restart of all Mastodon processes, especially the Streaming
API

There was a conflict during the merge inside the `streaming/index.js`,
which was related to the following snippet:

```js
      // Only send local-only statuses to logged-in users
      if (payload.local_only && !req.accountId) {
        log.silly(req.requestId, `Message ${payload.id} filtered because it was local-only`);
        return;
      }
```

I've placed it at the same spot where it was previously, so everything
should work as before. ~~**However, I still need to test those changes,
which is what I'll be doing after submitting this PR as draft.**~~

Checked the changes against our instance, everything is working as
expected as logged-in user. Haven't checked the public timelines where
the above snippet would be relevant, as we are using `AUTHORIZED_FETCH`
and I would like to keep it enabled. ^^

If the base branch is not correct, feel free to change it.

Everything is already deployed on queer.group and working fine there.

---------

Co-authored-by: Michael Stanclift <mx@vmstan.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Co-authored-by: Renaud Chaput <renchap@gmail.com>
Co-authored-by: Daniel M Brasil <danielmbrasil@protonmail.com>
Co-authored-by: yufushiro <62991447+yufushiro@users.noreply.github.com>
Co-authored-by: Nicolai Søborg <NicolaiSoeborg@users.noreply.github.com>
2023-09-19 19:49:27 -07:00
Darius Kazemi 284308dfa5 Merge tag 'v4.0.6' into hometown-4.0.6-merge 2023-07-07 11:00:22 -07:00
Claire 93a87b96c7 Fix processing of media files with unusual names (#25788) 2023-07-07 19:36:12 +02:00
Jasmin 0728a6a709
Merge upstream security fixes of v4.0.5 (#1316)
It's already running on our instance (queer.group) and working fine.

Manually reviewed the changes, hadn't found anything that could break
hometown-specific code.
And to update our instance, I also just followed the [steps on the
release](https://github.com/mastodon/mastodon/releases/tag/v4.0.5) aka
`bundle install && yarn install` followed by a restart of all processes.

---------

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Daniel M Brasil <danielmbrasil@protonmail.com>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Co-authored-by: Vyr Cossont <VyrCossont@users.noreply.github.com>
Co-authored-by: Renaud Chaput <renchap@gmail.com>
2023-07-06 12:30:13 -07:00
Claire 2119aadf0a
Merge pull request from GHSA-9928-3cp5-93fm
* Fix attachments getting processed despite failing content-type validation

* Add a restrictive ImageMagick security policy tailored for Mastodon

* Fix misdetection of MP3 files with large cover art

* Reject unprocessable audio/video files instead of keeping them unchanged
2023-07-06 15:05:05 +02:00
Renaud Chaput 94c67e8bfd Allow carets in URL search params (#25216) 2023-07-06 13:45:58 +02:00
Claire 5e55ca25d6 Fix ResolveURLService not resolving local URLs for remote content (#25637) 2023-07-06 13:45:58 +02:00
Claire 0bcb4f73f1 Change /api/v1/statuses/:id/history to always return at least one item (#25510) 2023-07-06 13:45:58 +02:00
Daniel M Brasil c285f9d1a1 Fix incorrect pagination headers in `/api/v2/admin/accounts` (#25477) 2023-07-06 13:45:58 +02:00
Claire 660845f781 Change profile updates to be sent to recently-mentioned servers (#24852) 2023-07-06 13:45:58 +02:00
Claire ebe009ff09 Fix /api/v1/conversations sometimes returning empty accounts (#25499) 2023-07-06 13:45:58 +02:00
Claire 2617c33fc3 Fix ArgumentError when loading newer Private Mentions (#25399) 2023-07-06 13:45:58 +02:00
Darius Kazemi 9fe562c31c Merge tag 'v4.0.4' into hometown-4.0.4 2023-05-19 11:25:13 +01:00
Claire 2c3cb903ad Fix misleading error code when receiving invalid WebAuthn credentials (#23568) 2023-03-16 11:58:46 +01:00
Christian Schmidt 4ea4c3f49c Unescape HTML entities (#24019) 2023-03-14 10:00:13 +01:00
Claire e2103c9175 Fix “Remove all followers from the selected domains” being more destructive than it claims (#23805) 2023-03-14 09:50:57 +01:00
Darius Kazemi 6281823df0
Add a user setting to show/hide domains on remote usernames (#1254)
Adds a user toggle in the preferences menu:

> Show full username (including domain) for remote users

It only shortens the username of local accounts. The main reason for this is so that there is a clear visual indicator of who is local on a thread -- this is important for local-only posting reasons. But we've been using it on Friend Camp for 3 years now and it's actually really nice for getting a sense of who is on what server, too.

The bulk of this work was done by Callie on Friend Camp in October 2019.

Fixes #1247
2022-12-28 10:45:04 -08:00
Darius Kazemi 60746ab437
Import/Export Domain Block Lists (#1253)
Adds buttons to Preferences -> Moderation -> Federation that allow moderators to import and export domain-level blocks.

This is coming to a future Mastodon release (I don't know which one) but I wanted to pull it in to Hometown early. Work by @clearlyclaire, @enbylenore, and @tak

Fixes #1164

Co-authored-by: Levi Bard <taktaktaktaktaktaktaktaktaktak@gmail.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Lenore Gilbert <lenore@lenoregilbert.net>
2022-12-27 17:46:53 -08:00
Darius Kazemi 840688318f Merge tag 'v4.0.0' into hometown-4.0-merge 2022-11-16 20:54:49 -08:00
Darius Kazemi f5ffda7cf3 Merge tag 'v3.5.4' into hometown-dev 2022-11-14 11:47:27 -08:00
Eugen Rochko 21fd25a269
Fix rate limiting for paths with formats (#20675) 2022-11-14 20:26:31 +01:00
Claire 47eaf85f02 Fix crash when a remote Flag activity mentions a private post (#18760)
* Add tests

* Fix crash when a remote Flag activity mentions a private post
2022-11-14 11:20:41 +01:00
trwnh b59ce0a60f
Move V2 Filter methods under /api/v2 prefix (#20622)
* Move V2 Filter methods under /api/v2 prefix

* move over the tests too
2022-11-14 08:34:07 +01:00
Eugen Rochko 552d69ad96
Fix error when invalid domain name is submitted (#19474)
Fix #19175
2022-11-14 08:07:14 +01:00
Eugen Rochko b31afc6294
Fix error when passing unknown filter param in REST API (#20626)
Fix #19156
2022-11-14 08:06:06 +01:00
Hampton Lintorn-Catlin 147d8bd8fc
Support UTF-8 Characters in Domains During CSV Import (#20592)
* Support UTF-8 Characters in Domains During Import

* Update Changelong
2022-11-14 05:52:13 +01:00
Emily Strickland c2231539c7
Test blank account field verifiability (#20458)
* Test blank account field verifiability

This change tests the need for #20428, which ensures that we guard against a situation in which `at_xpath` returns `nil`.

* Test verifiability of blank fields for remote account profiles

This adds a counterpart test for remote account profiles' fields' verifiability when those fields are blank. I previously added the same test for local accounts.
2022-11-13 21:02:09 +01:00
Darius Kazemi e70e576ba5
Merge pull request #1193 from johnholdun/local-only-public-hashtag
Hide local-only posts from public tag view
2022-11-11 16:01:30 -08:00
Darius Kazemi fe340a6a80
Merge pull request #1196 from johnholdun/hide-private-pinned-statuses
Hide follower-only pinned statuses from logged-out users
2022-11-11 15:58:37 -08:00
Claire 035470e081 Fix backend compatibility with OpenSSL 3.0 (#18449)
* Update webpush to fork with OpenSSL 3 compatibility

* Fix tests with OpenSSL 3.0

* Update webauthn gem to latest release and update dependencies
2022-11-11 14:56:24 -08:00
Darius Kazemi e311837121 Merge tag 'v3.5.3' into hometown-3.5.3-merge 2022-11-11 14:50:45 -08:00
F d4f973227c
Test the native_locale_name of a non-standard locale (#20284)
`:en` is English for both `standard_locale_name` and
`native_locale_name`, and so makes for a poor test candidate for
differentiating between them.
2022-11-11 00:06:18 +01:00
Eugen Rochko 9965a23b04
Change link verification to ignore IDN domains (#20295)
Fix #3833
2022-11-10 06:27:45 +01:00
John Holdun 7eedaeb007 Hide follower-only pinned statuses from logged-out users
Fixes #1178
2022-11-09 18:51:46 -08:00
John Holdun 6e2ed8a8f9 Hide local-only posts from public tag view
Fixes #1180
2022-11-09 16:34:09 -08:00
Eugen Rochko e98833748e
Fix being able to spoof link verification (#20217)
- Change verification to happen in `default` queue
- Change verification worker to only be queued if there's something to do
- Add `link` tags from metadata fields to page header of profiles
2022-11-09 08:24:21 +01:00
luzpaz 6ba52306f9
Fix typos (#19849)
Found via `codespell -q 3 -S ./yarn.lock,./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,followings,keypair,medias,pattens,pixelx,rememberable,ro,te`
2022-11-08 17:32:03 +01:00
Roni Laukkarinen 36b0ff57b7
Fix grammar (#20106) 2022-11-08 16:35:42 +01:00
Claire bbf74498f5
Fix validation error in SynchronizeFeaturedTagsCollectionWorker (#20018)
* Fix followers count not being updated when migrating follows

Fixes #19900

* Fix validation error in SynchronizeFeaturedTagsCollectionWorker

Also saves remote user's chosen case for hashtags

* Limit remote featured tags before validation
2022-11-07 22:35:53 +01:00
Claire 3114c826a7
Fix filter handling in status cache hydration (#19963) 2022-11-07 19:47:48 +01:00
Claire 5925a31b78
Fix followers count not being updated when migrating follows (#19998)
Fixes #19900
2022-11-07 15:38:55 +01:00
Claire bb89f83cc0
Fix additional issues with status cache hydration (#19747)
* Spare one SQL query when hydrating polls

* Improve tests

* Fix more discrepancies

* Fix possible crash when the status has no application set
2022-11-04 20:01:33 +01:00
Claire 03b991de6c
Fix various issues with store hydration (#19746)
- Improve tests
- Fix possible crash when application of a reblogged post isn't set
- Fix discrepancies around favourited and reblogged attributes
- Fix discrepancies around pinned attribute
- Fix polls not being hydrated
2022-11-04 19:33:16 +01:00
Eugen Rochko 5f9e47be34
Add caching for payload serialization during fan-out (#19642) 2022-11-04 13:21:06 +01:00
Claire 4fb0aae636
Change mentions of blocked users to not be processed (#19725)
Fixes #19698
2022-11-04 13:19:12 +01:00
Claire 9387beb3b3
Change flaky AccountSearchService test (#19650) 2022-11-03 23:12:08 +01:00
Claire 1dca08b76f
Fix admin action logs page (#19649)
* Add tests

* Fix crash when trying to display orphaned action logs

* Add migration for older admin action logs
2022-11-03 16:06:42 +01:00