Commit graph

10597 commits

Author SHA1 Message Date
Eugen Rochko
d4ee7e8e8c Bump version to 3.4.8 2022-05-26 22:13:33 +02:00
Eugen Rochko
104fdaf446 Fix concurrent unfollowing decrementing follower count more than once 2022-05-26 18:59:55 +02:00
Eugen Rochko
a3909514bf Fix being able to report otherwise inaccessible statuses 2022-05-26 18:59:55 +02:00
Eugen Rochko
6c685f955a Fix suspended users being able to access APIs that don't require a user 2022-05-26 17:37:25 +02:00
Eugen Rochko
5e6801f6d7 Fix empty votes arbitrarily increasing voters count in polls 2022-05-26 17:36:04 +02:00
Eugen Rochko
fb87d6adc2 Fix confirmation redirect to app without Location header 2022-05-26 17:35:32 +02:00
Eugen Rochko
2a28247f22 Bump version to 3.4.7 2022-03-30 15:12:11 +02:00
Eugen Rochko
cc706b1191 Fix being able to post URLs longer than 4096 characters 2022-03-30 14:30:04 +02:00
Eugen Rochko
ec1bb2a4fe Fix being able to bypass e-mail restrictions 2022-03-30 14:30:04 +02:00
Claire
93a6c143af
Fix insufficient sanitization of report comments (#17430) 2022-02-03 14:08:24 +01:00
Claire
bb7b2868a0 Bump version to 3.4.6 2022-02-02 23:48:38 +01:00
Wonderfall
a06dda41d0 disable legacy XSS filtering (#17289)
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-02-02 23:30:15 +01:00
Claire
bf005edd30 Change mastodon:webpush:generate_vapid_key task to not require functional env (#17338)
Fixes #17297
2022-02-02 23:30:15 +01:00
Claire
df68d2eab8 Fix response_to_recipient? CTE 2022-02-02 23:30:15 +01:00
Claire
b27f50da5a Fix insufficient sanitization of report comments 2022-02-02 23:30:15 +01:00
Claire
e2009ced3a Fix compacted JSON-LD possibly causing compatibility issues on forwarding 2022-02-02 23:30:15 +01:00
Puck Meerburg
fe0210074f Compact JSON-LD signed incoming activities 2022-02-02 23:30:15 +01:00
Claire
c8dbbd60eb Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-02-02 23:30:15 +01:00
Claire
6d831fe274
Fix spurious errors when receiving an Add activity for a private post (#17425) 2022-02-02 22:59:34 +01:00
Claire
1c8c318281 Bump version to 3.4.5 2022-01-31 18:04:24 +01:00
Claire
d722222fe1 Add more advanced migration tests (#17393)
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
2022-01-31 11:23:58 +01:00
Claire
03f0e98b32 Fix followers synchronization mechanism not working when URI has empty path (#16510)
* Fix followers synchronization mechanism not working when URI has empty path

To my knowledge, there is no current implementation on the fediverse
that can use bare domains (e.g., actor is at https://example.org instead of
something like https://example.org/actor) that also plans to support the
followers synchronization mechanism. However, Mastodon's current implementation
would exclude such accounts from followers list.

Also adds tests and rename them to reflect the proper method names.

* Move url prefix regexp to its own constant
2022-01-31 10:59:00 +01:00
Eugen Rochko
2c83b9076d Add manual GitHub Actions runs (#17000) 2022-01-31 10:35:55 +01:00
Eugen Rochko
c8301bcfc3 Change workflow to push to Docker Hub (#16980) 2022-01-31 10:35:38 +01:00
Yusuke Nakamura
0ae91e45de Build container image by GitHub Actions (#16973)
* Build container image by GitHub Actions

* Trigger docker build only pushed to main branch

* Tweak tagging imgae

- "edge" is the main branch
- "latest" is the tagged latest release
2022-01-31 10:35:14 +01:00
Claire
2363b026e6 Bump ruby-saml from 1.11.0 to 1.13.0 (#16723)
Fixes #16720
2022-01-31 10:33:47 +01:00
Jeong Arm
959234c1e4 Save bundle config as local (#17188)
Some bundle options are saved as global user config and not project local.
Specially, `deployment` must be saved as local config to be run on copied environment
2022-01-31 10:32:46 +01:00
Claire
0dc103ea11 Fix edge case in migration helpers that caused crash because of PostgreSQL quirks (#17398) 2022-01-31 10:31:56 +01:00
Claire
b782f86b51 Fix some old migration scripts (#17394)
* Fix some old migration scripts

* Fix edge case in two-step migration from older releases
2022-01-31 10:31:36 +01:00
Eugen Rochko
fd868f8ca0 Bump version to 3.4.4 2021-11-26 01:32:31 +01:00
Claire
4cd33a2c71 Fix "bundle exec rails mastodon:setup" crashing in some circumstances (#16976)
Fix regression from #16896
2021-11-26 01:31:28 +01:00
Claire
f264cca1d2 Fix filtering DMs from non-followed users (#17042) 2021-11-26 01:22:33 +01:00
Claire
5e4b04de88 Fix handling of recursive toots in WebUI (#17041) 2021-11-26 01:22:27 +01:00
Claire
3c18311d86 Fix error when suspending user with an already-existing canonical email block (#17036)
* Fix error when suspending user with an already-existing canonical email block

Fixes #17033

While attempting to create a `CanonicalEmailBlock` with an existing hash would
raise an `ActiveRecord::RecordNotUnique` error, this being done within a
transaction would cancel the whole transaction. For this reason, checking for
uniqueness in Rails would query the database within the transaction and avoid
invalidating the whole transaction for this reason.

A race condition is still possible, where multiple accounts sharing a canonical
email would be blocked in concurrent transactions, in which only one would
succeed, but that is way less likely to happen that the current issue, and can
always be retried after the first failure, unlike the current situation.

* Add tests
2021-11-26 01:22:10 +01:00
Claire
e5113a8cad Fix overflow of long profile fields in admin view (#17010) 2021-11-26 01:21:57 +01:00
Claire
22cd1e6ab5 Fix confusing error when webfinger request returns empty document (#16986)
For some reason, some misconfigured servers return an empty document when
queried over webfinger. Since an empty document does not lead to a parse
error, the error is not caught properly and triggers uncaught exceptions
later on.

This PR fixes that by immediately erroring out with `Webfinger::Error` on
getting an empty response.
2021-11-26 01:21:50 +01:00
Claire
e65ede1ac5 Fix upload of remote media with OpenStack Swift sometimes failing (#16998)
Under certain conditions, files fetched from remotes trigger an error when
being uploaded using OpenStack Swift. This is because in some cases, the
remote server will not return a content-length, so our ResponseWithLimitAdapter
will hold a `nil` value for `#size`, which will lead to an invalid value
for the Content-Length header of the Swift API call.

This commit fixes that by taking the size from the actually-downloaded file
size rather than the upstream-provided Content-Length header value.
2021-11-26 01:21:43 +01:00
Takeshi Umeda
1bcb3daf7e Fix logout link not working in safari (#16574) 2021-11-26 01:21:37 +01:00
Claire
9c610ca0a4 Fix “open” link of media modal not closing modal (#16524) 2021-11-26 01:21:29 +01:00
Claire
77d0297313 Fix replying from modal (#16516)
Fixes #16515

Not using a router object somehow made `this.history` lag behind the real
browser history whenever pushing a new history item in `replyCompose`.

Not using the context-provided router in this case was an oversight made
when porting glitch-soc changes in #16499.
2021-11-26 01:21:21 +01:00
Eugen Rochko
4b6668868e Bump version to 3.4.3 2021-11-06 05:19:38 +01:00
Eugen Rochko
5c47a18c8d Fix login being broken due to inaccurately applied backport fix in 3.4.2
See #16943
2021-11-06 05:17:39 +01:00
Eugen Rochko
8a74d851d2 Bump version to 3.4.2 2021-11-06 00:24:30 +01:00
Claire
76c2028859 Fix AccountNote not having a maximum length (#16942) 2021-11-06 00:17:05 +01:00
Claire
3251b8eead Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:17:05 +01:00
Claire
f60bb0784f Fix handling announcements with links (#16941)
Broken since #15827
2021-11-06 00:07:17 +01:00
Claire
c3a6f7b941 Fix user email address being banned on self-deletion (#16503)
* Add tests

* Fix user email address being banned on self-deletion

Fixes #16498
2021-11-05 23:46:24 +01:00
Claire
986397b3a2 Improve modal flow and back button handling (#16499)
* Refactor shouldUpdateScroll passing

So far, shouldUpdateScroll has been manually passed down from the very top of
the React component hierarchy even though it is a static function common to
all ScrollContainer instances, so replaced that with a custom class extending
ScrollContainer.

* Generalize “press back to close modal” to any modal and to public pages

* Fix boost confirmation modal closing media modal
2021-11-05 23:46:24 +01:00
Claire
c79d4711e9 Change references to tootsuite/mastodon to mastodon/mastodon (#16491)
* Change references to tootsuite/mastodon to mastodon/mastodon

* Remove obsolete test fixture

* Replace occurrences of tootsuite/mastodon with mastodon/mastodon in CHANGELOG

And a few other places
2021-11-05 23:46:24 +01:00
Claire
be56033715 Change number_to_human calls to always use 3-digits precision (#16469)
Fixes #16435
2021-11-05 23:46:24 +01:00