This includes the security content of Mastodon 4.0.15/4.2.7.
https://github.com/mastodon/mastodon/releases/tag/v4.2.7
---------
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Matt Jankowski <matt@jankowski.online>
This backports the commits from the upstream `stable-4.0` branch,
including the security content of
[4.2.6](https://github.com/mastodon/mastodon/releases/tag/v4.2.6).
---------
Co-authored-by: blah <blah@blah>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
There were some smaller merge conflicts (e.g. in `lib/version.rb`), but
all of them were of smaller nature. Due to the fact that other v4.0.*
versions are also included, it's a bit bigger than the other PR for 3.5.
I won't repeat the changelog here, the upgrade is the usual *git pull
and restart all mastodon processes*.
---------
Co-authored-by: Michael Stanclift <mx@vmstan.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Co-authored-by: Renaud Chaput <renchap@gmail.com>
Co-authored-by: Daniel M Brasil <danielmbrasil@protonmail.com>
Co-authored-by: yufushiro <62991447+yufushiro@users.noreply.github.com>
Co-authored-by: Nicolai Søborg <NicolaiSoeborg@users.noreply.github.com>
Co-authored-by: Essem <smswessem@gmail.com>
Co-authored-by: Jakob Gillich <jakob@gillich.me>
Co-authored-by: David Aaron <1858430+suddjian@users.noreply.github.com>
Co-authored-by: Matt Jankowski <matt@jankowski.online>
Conflict resolution:
- app/javascript/mastodon/features/compose/components/search_results.jsx:
taken as is
- app/models/account.rb: use upstream SQL queries for filtering
- app/models/media_attachment.rb: use upstream ffmpeg settings
- config/locales/de.yml: merged
- cli: followed upstream
- version.rb: followed upstream, since we can use environment variables for the suffix now
- lib/paperclip: chose their spoof detector
- lib/sanitize: merged h1-h6 into supported elements, allowed translated attribute
- config/environments: follow upstream
- config/initializers: follow upstream
- config/application.rb: follow upstream
- config/locales: translations with %{title} prefix were replaced with hardcoded "Mastodon:" prefixes, should be fixed afterwards
it's inconsistent anyway right now
- config/settings: removed settings that were removed in upstream
- config/routes: followed upstream, due to API restructurings. Is there some hometown-specific API stuff that might be missing now?
- spec/: followed upstream, might have lost hometown-specific tests, but I haven't found any on a quick check
- .ruby-version, Gemfile, etc.: upstream
- .github/workflows: upstream
- about: followed upstream, therefore the static homepage is gone :/
- credentials: moved federation into the settings_attributes
- lists: follow upstream, `:is_exclusive` -> `:exclusive`
- statuses: keep local only
- account_statuses_filter: still hide local only posts for anonymous users
- activitypub/activity/create:
- keep activity_pub_type in params
- text: use hometown's way for determining the content
- spoiler: use hometown's mechanism
- feed_manager: use upstream exclusive list mechanism
- plain_text_formatter: use upstream way with html decoding, as I'm not sure whether we still have the Nokogiri library(?) available
problem: might remove tags that we want to keep?
- text_formatter: follow upstream
- account: use upstream MENTION_RE expression
- backup: follow upstream for permission validation
- list: follow upstream, is_exclusive -> exclusive !! WE MIGHT NEED A MIGRATION!
- status: moved set_locality hook to the others
- user: delegates for settings (federation, autoplay, etc.) were removed upstream, follow them
- webhook: follow upstream
- initial_state_serializer: keep max_toot_chars
- list_serializer: follow rename of is_exclusive -> exclusive
Use upstream version, since the translation API got upgraded to v2.
Use upstream version of vote_validator.
- admin/webhooks/_form: add group for template
- settings/preferences/appearance/show: add new input for 'expand_usernames'
check: missing translations, especially for hints
- settings/preferences/other/show: added input groups for no_rss and default_privacy
check: missing translations, especially for hints
- settigngs/profiles: upstream removed verification banner, follow them
Followed upstream changes.
Incorporated upstream changes and put the local_only check back in the correct place.
Ignored hometown changes, take upstream version.
- actions/lists: follow exclusive list naming
- components/column_back_button: follow upstream router refactoring
- components/column_header: follow upstream router refactoring
- components/hashtag: keep hometown behaviour, add href to links
- components/media_gallery: merge alt text indicator into upstream
- components/status: merge timestamp click -> original page
- components/status_action_bar: upstream removed the share button, follow them
- components/status_content:
- still make remote usernames => check: does the new href work?
- make translate button always visible like upstream
- keep hometown-specific changes for Articles and other posts
- features/header: keep header link
- features/account_gallery/components/media_item: keep link
- features/audio/index: keep no media description indicator, merge upstream styles
- features/compose/components/compose_form:
- merge max chars logic
- merge federation dropdown
- features/compose/components/navigation_bar: keep href to profile
- features/compose/components/poll_form: keep "is multiple" toggle
- features/compose/index: keep column header
- features/follow_requests/components/account_authorize: keep external link
- features/list_editor/components/edit_list_form: overwritten from upstream
- features/list_timeline/index: overwritten from upstream
- features/components/follow_request: keep external link
- features/components/notification: keep external link
- features/picture_in_picture/components/footer: keep external link
- features/status/components/detailed_status: keep external link
- features/ui/components/boost_modal: keep external link
- features/ui/index: merge upstream changes
- features/video/: keep no media description indicator
- containers/status_container: overwrite with upstream
- locales: best-effort merge, but I wouldn't trust it. should be normalized in some way.
Conflict only in streaming/index.js, apparently a lot of the previous
changes were reverted. Checked out the state of v4.1.6 and manually
added the local_only filter back.
Darius Kazemi
Claire
nachtjasmin
Tim Rogers
Matt Jankowski
Misty De Méo