Commit Graph

12317 Commits

Author SHA1 Message Date
Darius Kazemi b9c1f93dae Merge tag 'v3.5.19' into hometown-1.0.8-security 2024-02-16 07:45:27 -08:00
Darius Kazemi 23cdd0cd4f Merge tag 'v3.5.18' into hometown-1.0.8-security 2024-02-16 07:45:20 -08:00
Claire e9123ad691 Bump version to v3.5.19 2024-02-16 11:57:45 +01:00
Claire c397c1a9e3
Merge pull request from GHSA-jhrq-qvrm-qr36
* Fix insufficient Content-Type checking of fetched ActivityStreams objects

* Allow JSON-LD documents with multiple profiles
2024-02-16 11:56:12 +01:00
Claire d509b6b342 Fix user creation failure handling in OmniAuth paths (#29207)
Co-authored-by: Matt Jankowski <matt@jankowski.online>
2024-02-14 23:26:29 +01:00
Claire 44c265e4c7 Bump version to v3.5.18 2024-02-14 15:17:48 +01:00
Claire 4a57e44809
Merge pull request from GHSA-vm39-j3vx-pch3
* Prevent different identities from a same SSO provider from accessing a same account

* Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`

* Rename methods to avoid confusion between OAuth and OmniAuth
2024-02-14 15:16:07 +01:00
Claire 47c6079d8d
Merge pull request from GHSA-7w3c-p9j8-mq3x
* Ensure destruction of OAuth Applications notifies streaming

Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens.

* Ensure password resets revoke access to Streaming API

* Improve performance of deleting OAuth tokens

---------

Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
2024-02-14 15:15:34 +01:00
Claire 69205dff9a Add `sidekiq_unique_jobs:delete_all_locks` task and disable `sidekiq-unique-jobs` UI by default (#29199) 2024-02-14 13:18:08 +01:00
Emelia Smith d187195f2c Disable administrative doorkeeper routes (#29187) 2024-02-14 12:13:33 +01:00
blah 3387868dd9 Update dependency sidekiq-unique-jobs to 7.1.33 2024-02-14 12:13:33 +01:00
blah 3ba6ed76ea Update dependency nokogiri to 1.16.2 2024-02-14 12:13:33 +01:00
Jasmin 3fd984f95c
Merge security fixes of v3.5.17 (#1341)
_todo_

---------

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Co-authored-by: Essem <smswessem@gmail.com>
Co-authored-by: Jakob Gillich <jakob@gillich.me>
Co-authored-by: David Aaron <1858430+suddjian@users.noreply.github.com>
Co-authored-by: Matt Jankowski <matt@jankowski.online>
Co-authored-by: Jonathan de Jong <jonathandejong02@gmail.com>
2024-02-01 10:37:20 -05:00
Claire b1ed009c65
Merge pull request from GHSA-3fjr-858r-92rw
* Fix insufficient origin validation

* Bump version to v3.5.17
2024-02-01 15:56:46 +01:00
Claire 35f21191ee Bump version to v3.5.16 2023-12-04 15:27:44 +01:00
Claire 2ffce0d5f7 Fix processing LDSigned activities from actors with unknown public keys (#27474) 2023-12-04 15:27:44 +01:00
Claire 688defd60d Change GIF max matrix size error to explicitly mention GIF files (#27927) 2023-12-04 15:27:44 +01:00
Jonathan de Jong d9b05f6860 Have `Follow` activities bypass availability (#27586)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-12-04 15:27:44 +01:00
Claire f3fd8d8695 Clamp dates when serializing to Elasticsearch API (#28081) 2023-12-04 15:27:44 +01:00
Claire 49693fe42f Fix incoming status creation date not being restricted to standard ISO8601 (#27655) 2023-12-04 15:27:44 +01:00
Claire 16262f815d Fix posts from force-sensitized accounts being able to trend (#27620) 2023-12-04 15:27:44 +01:00
Claire d4e0a12b27 Change Content-Security-Policy to be tighter on media paths (#26889) 2023-12-04 15:27:44 +01:00
Claire db59d8486b Bump version to v3.5.15 2023-10-10 13:50:10 +02:00
Matt Jankowski 7fb3ee0bc6 Dont match mention in url query string (#25656)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-10-10 13:50:10 +02:00
David Aaron 9bd027823d Change min age of backup policy from 1 week to 6 days (#27200) 2023-10-10 13:50:10 +02:00
Jakob Gillich 57d4d46050 Fix importer returning negative row estimates (#27258) 2023-10-10 13:50:10 +02:00
Claire c91116f780 Fix filtering audit log for entries about disabling 2FA (#27186) 2023-10-10 13:50:10 +02:00
Essem f45b5f5006 Properly remove tIME chunk from PNG uploads (#27111) 2023-10-10 13:50:10 +02:00
Claire 47441e51f3 Fix crash when filtering for “dormant” relationships (#27306) 2023-10-10 13:50:10 +02:00
Claire af02650322 Fix inefficient queries in “Follows and followers” as well as several admin pages (#27116) 2023-10-10 13:50:10 +02:00
Darius Kazemi 1eaaff303c Merge tag 'v3.5.14' into hometown-3.5.14-merge 2023-09-19 19:30:03 -07:00
Claire 75346a71f7 Bump version to v3.5.14 2023-09-19 17:01:17 +02:00
Claire 49af3e26dc Fix moderator rights inconsistencies (#26729) 2023-09-19 17:01:17 +02:00
Claire 412c3e13ec Fix crash when encountering invalid URL (#26814) 2023-09-19 17:01:17 +02:00
Claire 31c5e63a58 Fix cached posts including stale stats (#26409) 2023-09-19 17:01:17 +02:00
Nicolai Søborg e8eeb746ac Fix `frame_rate` for videos where `ffprobe` reports 0/0 (#26500) 2023-09-19 17:01:17 +02:00
yufushiro 0158c31c02 Fix unexpected audio stream transcoding when uploaded video is eligible to passthrough (#26608)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-09-19 17:01:17 +02:00
Claire 9deb178126
Merge pull request from GHSA-v3xf-c9qf-j667 2023-09-19 16:53:58 +02:00
Claire 8e6fe19225
Change Dockerfile to upgrade packages when building (#26931)
Co-authored-by: Renaud Chaput <renchap@gmail.com>
2023-09-18 08:31:53 +02:00
Claire 4eb709ea7e
Update actions for stable-3.5 (#26804)
Co-authored-by: Renaud Chaput <renchap@gmail.com>
2023-09-06 09:18:28 +02:00
Claire 86a31fc019
Fix Dockerfile installing incompatible npm version (#26803) 2023-09-05 17:46:39 +02:00
Claire 16e47e1aae Bump version to v3.5.13 2023-09-05 17:22:43 +02:00
Emelia Smith dcffd6b3d7 Allow reports with long comments from remote instances, but truncate (#25028) 2023-09-05 17:22:43 +02:00
Daniel M Brasil 8de0f7e198 Fix `/api/v1/timelines/tag/:hashtag` allowing for unauthenticated access when public preview is disabled (#26237) 2023-09-05 17:22:43 +02:00
Claire e37551421e Fix blocking subdomains of an already-blocked domain (#26392) 2023-09-05 17:22:43 +02:00
Claire 2e0eab9d18 Change text extraction in `PlainTextFormatter` to be faster (#26727) 2023-09-05 17:22:43 +02:00
Claire ce75c175cd
Backport container build changes to the stable-3.5 branch (#26742)
Co-authored-by: Renaud Chaput <renchap@gmail.com>
2023-08-31 19:54:17 +02:00
Claire a3d31ffc1e Bump version to v3.5.12 2023-07-31 14:33:27 +02:00
Emelia Smith 50f4af28b0 Fix: Streaming server memory leak in HTTP EventSource cleanup (#26228) 2023-07-31 14:33:27 +02:00
Claire e655b35d7e Fix incorrect connect timeout in outgoing requests (#26116) 2023-07-31 14:33:27 +02:00