A lightly modified copy of Mastodon, the canonical repository for Chinwag Social's live code. https://chinwag.au/
Eugen Rochko 1787704e1c Improve signature verification safeguards (#8959)
* Downcase signed_headers string before building the signed string

The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.

Thankfully, I don't know of any such client.

* Revert "Remove dead code (#8919)"

This reverts commit a00ce8c92c.

* Restore time window checking, change it to 12 hours

By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.

* Escape users' URLs when formatting them

Fixes possible HTML injection

* Escape all string interpolations in Formatter class

Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls

* Fix code style issues
2018-10-12 00:17:36 +02:00
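The two safeguards the commit message above describes, building the signing string with downcased header names and rejecting Date headers outside a 12-hour window, shown as an added Ruby example; this is not Mastodon's code and not the code from this commit, and the header Hash, the `(request-target)` pseudo-header handling and the `SIGNATURE_WINDOW` constant are assumptions drawn from the text.

```ruby
require 'time'

# Added example, not Mastodon's code: the signing-string construction and
# Date-window check described in the commit message.
SIGNATURE_WINDOW = 12 * 60 * 60 # 12 hours, as the commit sets it

# signed_headers: the "headers" parameter of the Signature header, e.g.
# "(request-target) Host Date Digest" (its case is chosen by the client).
# headers: Hash of received header name => value, case as received.
def build_signed_string(signed_headers, method, path, headers)
  # Look headers up case-insensitively: a client may send "Digest" or
  # "digest", and the draft requires lowercased names in the signed string.
  received = headers.transform_keys(&:downcase)

  signed_headers.downcase.split.map do |name|
    if name == '(request-target)'
      "(request-target): #{method.downcase} #{path}"
    else
      value = received[name]
      # A header named in "headers" but absent from the request must fail,
      # otherwise a Digest the signer covered would be silently skipped.
      raise ArgumentError, "signed header missing: #{name}" if value.nil?
      "#{name}: #{value}"
    end
  end.join("\n")
end

# True only if the Date header parses and lies within the window on either
# side of now, so clock skew in both directions is tolerated.
def date_within_window?(date_header, now: Time.now)
  sent_at = begin
    Time.httpdate(date_header.to_s)
  rescue ArgumentError
    nil
  end
  !sent_at.nil? && (now - sent_at).abs <= SIGNATURE_WINDOW
end

# Constructed sample request, for illustration only.
if __FILE__ == $PROGRAM_NAME
  headers = { 'Host' => 'example.org',
              'Date' => 'Fri, 12 Oct 2018 00:00:00 GMT',
              'Digest' => 'SHA-256=constructed-sample' }
  puts build_signed_string('(request-target) Host Date Digest', 'POST', '/inbox', headers)
  puts date_within_window?(headers['Date'], now: Time.utc(2018, 10, 12, 6))
end
```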
.circleci Use CircleCI workflows for ruby dependencies (#8228) 2018-08-18 04:05:42 +02:00
.github Multiple Issue templates (#7402) 2018-05-08 13:35:33 +02:00
app Improve signature verification safeguards (#8959) 2018-10-12 00:17:36 +02:00
bin Add improved CLI interface for removing remote media (#8411) 2018-08-25 13:25:39 +02:00
config Fix that Rails.cache information could not be sent via StatsD (#8831) 2018-10-07 18:40:10 +02:00
db Add fallback for PostgreSQL without upsert in CopyStatusStats (#8903) 2018-10-07 18:42:11 +02:00
docs Fix redirect link on Tuning.md (#1595) 2017-04-12 12:40:37 +02:00
lib Bump version to 2.5.1 2018-10-07 20:13:54 +02:00
log Initial commit 2016-02-20 22:53:20 +01:00
nanobox [Nanobox] Tuning Update (#6660) 2018-03-06 21:59:35 +01:00
public update twemojie to v2 (#7911) 2018-07-06 01:58:07 +02:00
spec Improve signature verification safeguards (#8959) 2018-10-12 00:17:36 +02:00
streaming Add health endpoint to streaming API (#8441) 2018-08-26 11:54:25 +02:00
vendor/assets Initial commit 2016-02-20 22:53:20 +01:00
.babelrc Remove debug option from Babel preset env (#6852) 2018-03-21 10:26:15 +01:00
.buildpacks Add ffmpeg buildpack for scalingo (#8500) 2018-08-29 01:21:23 +02:00
.codeclimate.yml fix RuboCop error (#7442) 2018-06-04 14:49:10 +02:00
.dockerignore Add .bundle to .dockerignore (#7895) 2018-06-26 20:33:29 +02:00
.editorconfig Add final newline to locale files (#2890) 2017-05-07 19:55:47 +02:00
.env.nanobox Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423) 2018-08-25 13:27:08 +02:00
.env.production.sample Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423) 2018-08-25 13:27:08 +02:00
.env.test Add parallel test processors (#7215) 2018-04-21 21:36:22 +02:00
.env.vagrant Add a default LOCAL_DOMAIN=mastodon.dev to .env.vagrant 2017-01-26 19:22:59 +11:00
.eslintignore Dev Tooling fixes (eslint/editorconfig) (#1398) 2017-04-11 00:36:03 +02:00
.eslintrc.yml Update ESLint for Code Climate (#7696) 2018-06-01 14:03:19 +02:00
.foreman Replace sprockets/browserify with Webpack (#2617) 2017-05-03 02:04:16 +02:00
.gitattributes Add .gitattributes file to avoid unwanted CRLF (#3954) 2017-06-26 13:15:24 +02:00
.gitignore Ignore elasticsearch directory (#7070) 2018-04-08 16:57:16 +09:00
.haml-lint.yml Added haml-lint and fix warnings (#2773) 2017-05-08 03:35:25 +02:00
.nanoignore Remove Storybook (#4397) 2017-07-27 22:30:27 +02:00
.nvmrc Upgrade Node.js to v8.x on nvmrc (#8023) 2018-07-15 12:29:17 +09:00
.postcssrc.yml Add object-fit polyfill for Edge (#4182) 2017-07-14 01:59:34 +02:00
.profile Add ffmpeg and dependent packages as well as LD_LIBRARY_PATHs (#3276) 2017-05-24 17:57:33 +02:00
.rspec Adding a Mention model, test stubs 2016-02-25 00:17:01 +01:00
.rubocop.yml Fix low-hanging rubocop gripes (#8458) 2018-08-26 19:22:46 +02:00
.ruby-version Update Ruby to version 2.4.4 (#6964) 2018-04-01 23:43:08 +02:00
.scss-lint.yml Enable CodeClimate SCSS Lint checks (#2886) 2017-05-07 20:47:31 +02:00
.slugignore Remove Storybook (#4397) 2017-07-27 22:30:27 +02:00
.yarnclean Reduce container size with clean yarn (#3506) 2017-09-30 22:05:24 +02:00
app.json Change logo URL for Heroku and Scalingo (#4476) 2017-08-01 05:59:11 +02:00
Aptfile Add dependencies for uWebSockets (#7466) 2018-07-14 01:47:10 +02:00
AUTHORS.md docs: Add AUTHORS file (#6685) 2018-03-09 13:11:43 +01:00
boxfile.yml [Nanobox] Enable ElasticSearch support by default (#6977) 2018-03-31 13:17:25 +02:00
Capfile remove capistrano/faster_assets from Capfile (#2737) 2017-05-03 12:14:52 +02:00
CHANGELOG.md Bump version to 2.5.1 2018-10-07 20:13:54 +02:00
CODE_OF_CONDUCT.md Add code of conduct from GitHub generator (#5674) 2017-11-13 17:28:55 +01:00
config.ru Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00
CONTRIBUTING.md Improve “how to translate” (#7358) 2018-05-04 18:37:37 +02:00
docker-compose.yml Update docker config and move some workers to different queues (#8345) 2018-09-02 16:13:06 +02:00
Dockerfile Dockerfile: run asset precompilation as a build step (#7780) 2018-07-15 01:19:09 +02:00
Gemfile Bump puma from 3.11.4 to 3.12.0 (#8883) 2018-10-07 18:42:04 +02:00
Gemfile.lock Bump puma from 3.11.4 to 3.12.0 (#8883) 2018-10-07 18:42:04 +02:00
jest.config.js Enable coverage for Jest (#5442) 2017-10-18 11:39:36 +02:00
LICENSE Fix #49 - License changed from GPL-2.0 to AGPL-3.0 2016-09-21 23:04:34 +02:00
package.json Redesign public profiles and toots (#8068) 2018-07-28 19:25:33 +02:00
priv-config TOR federation (#7875) 2018-06-26 20:34:12 +02:00
Procfile More robust PuSH subscription refreshes (#2799) 2017-05-05 02:23:01 +02:00
Procfile.dev Fix Procfile on OS X (#6748) 2018-03-12 03:50:40 +01:00
Rakefile Initial commit 2016-02-20 22:53:20 +01:00
README.md Update README.md 2018-09-02 18:32:25 +02:00
scalingo.json Add ffmpeg buildpack for scalingo (#8500) 2018-08-29 01:21:23 +02:00
Vagrantfile Fix nodejs 8.x install in vagrant (#8105) 2018-07-31 14:38:31 +02:00
yarn.lock Redesign public profiles and toots (#8068) 2018-07-28 19:25:33 +02:00

Mastodon


Mastodon is a free, open-source social network server based on open web protocols like ActivityPub and OStatus. The social focus of the project is a viable decentralized alternative to commercial social media silos that returns the control of the content distribution channels to the people. The technical focus of the project is a good user interface, a clean REST API for 3rd party apps and robust anti-abuse tools.

Click on the screenshot below to watch a demo of the UI:


Ruby on Rails is used for the back-end, while React.js and Redux are used for the dynamic front-end. A static front-end for public resources (profiles and statuses) is also provided.

If you would like, you can support the development of this project on Patreon.


Resources

Features

No vendor lock-in: Fully interoperable with any conforming platform

It doesn't have to be Mastodon: whatever implements ActivityPub or OStatus is part of the social network!

Real-time timeline updates

See the updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!

Federated thread resolving

If someone you follow replies to a user unknown to the server, the server fetches the full thread so you can view it without leaving the UI

Media attachments like images and short videos

Upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos are looped - like vines!

OAuth2 and a straightforward REST API

Mastodon acts as an OAuth2 provider so 3rd party apps can use the API

Fast response times

Mastodon tries to be as fast and responsive as possible, so all long-running tasks are delegated to background processing

Deployable via Docker

You don't need to mess with dependencies and configuration if you want to try Mastodon: if you have Docker and Docker Compose, the deployment is extremely easy.


Development

Please follow the development guide from the documentation repository.

Deployment

There are guides in the documentation repository for deploying on various platforms.

Contributing

You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository. Here are the guidelines for code contributions.

IRC channel: #mastodon on irc.freenode.net

License

Copyright (C) 2016-2018 Eugen Rochko & other Mastodon contributors (see AUTHORS.md)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.


Extra credits

The elephant friend illustrations are created by Dopatwo.