From 25f132365f005d76bf9b3e38a55585f15d2a37fc Mon Sep 17 00:00:00 2001 From: KMY Date: Fri, 6 Sep 2024 07:28:29 +0900 Subject: [PATCH 01/20] Bump version to 14.0 --- lib/mastodon/version.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 522c092f81..7f7330961f 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -14,8 +14,8 @@ module Mastodon def kmyblue_flag # 'LTS' - 'dev' - # nil + # 'dev' + nil end def major From 14f2ffa35f9aa0352e495196beeb63f1b710f2cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?KMY=EF=BC=88=E9=9B=AA=E3=81=82=E3=81=99=E3=81=8B=EF=BC=89?= Date: Sat, 7 Sep 2024 18:13:01 +0900 Subject: [PATCH 02/20] =?UTF-8?q?Change:=20#831=20=E6=8A=95=E7=A8=BF?= =?UTF-8?q?=E8=A9=B3=E7=B4=B0=E7=94=BB=E9=9D=A2=E3=81=AB=E3=81=8A=E3=81=91?= =?UTF-8?q?=E3=82=8B=E5=BC=95=E7=94=A8=E3=81=AE=E8=A1=A8=E7=A4=BA=20(#839)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../mastodon/features/status/components/detailed_status.jsx | 4 ++++ app/javascript/mastodon/features/status/index.jsx | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/app/javascript/mastodon/features/status/components/detailed_status.jsx b/app/javascript/mastodon/features/status/components/detailed_status.jsx index 5ab0b9472f..06d86ef4fc 100644 --- a/app/javascript/mastodon/features/status/components/detailed_status.jsx +++ b/app/javascript/mastodon/features/status/components/detailed_status.jsx 
@@ -25,6 +25,7 @@ import { DisplayName } from '../../../components/display_name'; import MediaGallery from '../../../components/media_gallery'; import StatusContent from '../../../components/status_content'; import StatusEmojiReactionsBar from '../../../components/status_emoji_reactions_bar'; +import CompactedStatusContainer from '../../../containers/compacted_status_container'; import Audio from '../../audio'; import scheduleIdleTask from '../../ui/util/schedule_idle_task'; import Video from '../../video'; @@ -323,6 +324,8 @@ class DetailedStatus extends ImmutablePureComponent { const {statusContentProps, hashtagBar} = getHashtagBarForStatus(status); const expanded = !status.get('hidden') || status.get('spoiler_text').length === 0; + const quote = !this.props.muted && status.get('quote_id') && ; + return (
@@ -349,6 +352,7 @@ class DetailedStatus extends ImmutablePureComponent { {media} {hashtagBar} + {quote} {emojiReactionsBar} )} diff --git a/app/javascript/mastodon/features/status/index.jsx b/app/javascript/mastodon/features/status/index.jsx index 6e190b0e7c..8c43c5c8cf 100644 --- a/app/javascript/mastodon/features/status/index.jsx +++ b/app/javascript/mastodon/features/status/index.jsx @@ -156,7 +156,7 @@ const makeMapStateToProps = () => { if (status) { ancestorsIds = getAncestorsIds(state, { id: status.get('in_reply_to_id') }); descendantsIds = getDescendantsIds(state, { id: status.get('id') }); - referenceIds = getReferenceIds(state, { id: status.get('id') }); + referenceIds = getReferenceIds(state, { id: status.get('id') }).filter((id) => id !== status.get('quote_id')); } return { From 1db6f55ba94a9f3715d22e83ae3dc28bb5a1d32b Mon Sep 17 00:00:00 2001 From: KMY Date: Mon, 9 Sep 2024 08:36:38 +0900 Subject: [PATCH 03/20] =?UTF-8?q?Fix:=20=E3=83=97=E3=83=AD=E3=83=95?= =?UTF-8?q?=E3=82=A3=E3=83=BC=E3=83=AB=E8=A8=AD=E5=AE=9A=E3=81=A7=E3=83=95?= =?UTF-8?q?=E3=82=A9=E3=83=AD=E3=83=BC=E6=95=B0=E3=81=AA=E3=81=A9=E3=81=AE?= =?UTF-8?q?=E6=95=B0=E5=AD=97=E3=82=92=E9=9A=A0=E3=81=97=E3=81=A6=E3=81=84?= =?UTF-8?q?=E3=81=A6=E3=82=82=E3=80=81=E8=AA=B0=E3=81=8B=E3=82=92=E3=83=95?= =?UTF-8?q?=E3=82=A9=E3=83=AD=E3=83=BC=E3=81=97=E3=81=9F=E6=99=82=E3=81=AB?= =?UTF-8?q?=E3=83=95=E3=82=A9=E3=83=AD=E3=83=BC=E7=9B=B8=E6=89=8B=E3=81=AB?= =?UTF-8?q?=E3=83=A1=E3=83=BC=E3=83=AB=E3=81=A7=E6=95=B0=E5=AD=97=E3=81=8C?= =?UTF-8?q?=E9=80=9A=E7=9F=A5=E3=81=95=E3=82=8C=E3=82=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/views/application/mailer/_account.html.haml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/app/views/application/mailer/_account.html.haml b/app/views/application/mailer/_account.html.haml index 27493f770d..e9577fa90d 100644 --- a/app/views/application/mailer/_account.html.haml 
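Review bot: The reason the quote id is removed from `referenceIds` is not stated anywhere in the `index.jsx` hunk, and `status.get('quote_id')` is re-read inside the filter callback for every element. Hoist it and document the intent, e.g. `const quoteId = status.get('quote_id'); // the quoted post is rendered separately by DetailedStatus, not as a reference` followed by `referenceIds = getReferenceIds(state, { id: status.get('id') }).filter((id) => id !== quoteId);` — the "rendered separately" part is my inference from the `detailed_status.jsx` hunks in this same patch and should be confirmed. In those `detailed_status.jsx` hunks the JSX element assigned to `quote` is not visible in this rendering, so I cannot check what props it receives. The enclosing `makeMapStateToProps` closure continues outside the hunk.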
+++ b/app/views/application/mailer/_account.html.haml @@ -20,11 +20,11 @@ %table.email-w-full.email-account-stats-table{ cellspacing: 0, cellpadding: 0, border: 0, role: 'presentation' } %tr %td - %b= account_formatted_stat(account.statuses_count) - %span= t('accounts.posts', count: account.statuses_count) + %b= account.hide_statuses_count? ? '-' : account_formatted_stat(account.public_statuses_count) + %span= t('accounts.posts', count: account.public_statuses_count) %td - %b= account_formatted_stat(account.following_count) + %b= account.hide_following_count? ? '-' : account_formatted_stat(account.public_following_count) %span= t('accounts.following') %td - %b= account_formatted_stat(account.followers_count) - %span= t('accounts.followers', count: account.followers_count) + %b= account.hide_followers_count? ? '-' : account_formatted_stat(account.public_followers_count) + %span= t('accounts.followers', count: account.public_followers_count) From 099182e073025229ec9a55cc2733116ec28ce7bf Mon Sep 17 00:00:00 2001 From: KMY Date: Tue, 10 Sep 2024 06:51:26 +0900 Subject: [PATCH 04/20] =?UTF-8?q?Fix:=20LD=20Signatures=E3=81=A7=E7=BD=B2?= =?UTF-8?q?=E5=90=8D=E3=81=95=E3=82=8C=E3=81=9F=E6=8A=95=E7=A8=BF=E3=81=AE?= =?UTF-8?q?=E6=A4=9C=E7=B4=A2=E8=A8=B1=E5=8F=AF=EF=BC=88=E6=A4=9C=E7=B4=A2?= =?UTF-8?q?=E7=AF=84=E5=9B=B2=EF=BC=89=E3=81=8C=E6=94=B9=E7=AB=84=E3=81=A7?= =?UTF-8?q?=E3=81=8D=E3=82=8B=E5=95=8F=E9=A1=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/lib/activitypub/parser/status_parser.rb | 8 ++++---- app/lib/activitypub/tag_manager.rb | 2 +- app/services/activitypub/process_account_service.rb | 2 +- spec/lib/activitypub/activity/create_spec.rb | 13 ++++++++++++- spec/lib/activitypub/tag_manager_spec.rb | 2 +- .../serializers/activitypub/note_serializer_spec.rb | 8 ++++++++ .../activitypub/process_account_service_spec.rb | 10 +++++++++- 7 files changed, 36 insertions(+), 9 deletions(-) 
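Review bot: The `count:` argument still passes the real `public_statuses_count` / `public_followers_count` to `t()` even when the matching `hide_*_count?` flag is set, so the hidden number still reaches the translation layer on the `accounts.posts` and `accounts.followers` lines. The count is presumably only used for plural selection in these keys, but any locale whose string interpolates `%{count}` would print the value the user asked to hide, which is exactly what this fix is meant to stop. Consider a neutral count in the hidden case, e.g. `%span= t('accounts.posts', count: account.hide_statuses_count? ? 0 : account.public_statuses_count)` and the same shape for `accounts.followers`, or a separate translation key for the hidden case.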
diff --git a/app/lib/activitypub/parser/status_parser.rb b/app/lib/activitypub/parser/status_parser.rb index a2ae658874..cc9788e964 100644 --- a/app/lib/activitypub/parser/status_parser.rb +++ b/app/lib/activitypub/parser/status_parser.rb @@ -203,9 +203,9 @@ class ActivityPub::Parser::StatusParser end def searchability_from_audience - if audience_searchable_by.nil? - nil - elsif audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) } + return nil if audience_searchable_by.blank? + + if audience_searchable_by.any? { |uri| ActivityPub::TagManager.instance.public_collection?(uri) } :public elsif audience_searchable_by.include?('kmyblue:Limited') || audience_searchable_by.include?('as:Limited') :limited @@ -213,7 +213,7 @@ class ActivityPub::Parser::StatusParser :public_unlisted elsif audience_searchable_by.include?(@account.followers_url) :private - else + elsif audience_searchable_by.include?(@account.uri) || audience_searchable_by.include?(@account.url) :direct end end diff --git a/app/lib/activitypub/tag_manager.rb b/app/lib/activitypub/tag_manager.rb index 84e5ea547d..6fe5db3769 100644 --- a/app/lib/activitypub/tag_manager.rb +++ b/app/lib/activitypub/tag_manager.rb @@ -252,7 +252,7 @@ class ActivityPub::TagManager when 'limited' ['as:Limited', 'kmyblue:Limited'] else - [] + [account_url(status.account)] end searchable_by.concat(mentions_uris(status)).compact diff --git a/app/services/activitypub/process_account_service.rb b/app/services/activitypub/process_account_service.rb index 474fad59d5..1440e3d8ae 100644 --- a/app/services/activitypub/process_account_service.rb +++ b/app/services/activitypub/process_account_service.rb @@ -282,7 +282,7 @@ class ActivityPub::ProcessAccountService < BaseService end def searchability_from_audience - if audience_searchable_by.nil? + if audience_searchable_by.blank? bio = searchability_from_bio return bio unless bio.nil? 
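Review bot: With the trailing `else` removed from `searchability_from_audience` in `status_parser.rb`, a non-blank `searchableBy` that contains only unrecognised URIs now falls through the `if`/`elsif` chain and the method returns `nil`, the same result as an absent field; that looks intentional, but nothing in the code says so, and a later reader may well restore the `else :direct` branch. Add a comment above the chain such as `# Values naming neither a known collection, the followers collection nor the author are treated as unspecified, never as :direct`. The `tag_manager.rb` hunk emits `account_url(status.account)` for direct statuses while this parser accepts either `@account.uri` or `@account.url`; that asymmetry is fine for interoperability but deserves a one-line note next to the `:direct` branch. `searchability_from_audience` in `process_account_service.rb` continues past its hunk.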
diff --git a/spec/lib/activitypub/activity/create_spec.rb b/spec/lib/activitypub/activity/create_spec.rb index a84eb887a1..03793c4475 100644 --- a/spec/lib/activitypub/activity/create_spec.rb +++ b/spec/lib/activitypub/activity/create_spec.rb @@ -632,7 +632,7 @@ RSpec.describe ActivityPub::Activity::Create do end context 'with direct' do - let(:searchable_by) { '' } + let(:searchable_by) { 'https://example.com/actor' } it 'create status' do status = sender.statuses.first @@ -642,6 +642,17 @@ RSpec.describe ActivityPub::Activity::Create do end end + context 'with empty array' do + let(:searchable_by) { '' } + + it 'create status' do + status = sender.statuses.first + + expect(status).to_not be_nil + expect(status.searchability).to be_nil + end + end + context 'with direct when not specify' do let(:searchable_by) { nil } diff --git a/spec/lib/activitypub/tag_manager_spec.rb b/spec/lib/activitypub/tag_manager_spec.rb index 0d9c23cb5e..2bc7820542 100644 --- a/spec/lib/activitypub/tag_manager_spec.rb +++ b/spec/lib/activitypub/tag_manager_spec.rb @@ -210,7 +210,7 @@ RSpec.describe ActivityPub::TagManager do it 'returns empty array for direct status' do status = Fabricate(:status, searchability: :direct) - expect(subject.searchable_by(status)).to eq [] + expect(subject.searchable_by(status)).to eq ["https://cb6e6126.ngrok.io/users/#{status.account.username}"] end it 'returns as:Limited array for limited status' do diff --git a/spec/serializers/activitypub/note_serializer_spec.rb b/spec/serializers/activitypub/note_serializer_spec.rb index 71e4d33305..f52b2a5104 100644 --- a/spec/serializers/activitypub/note_serializer_spec.rb +++ b/spec/serializers/activitypub/note_serializer_spec.rb 
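Review bot: The new `context 'with empty array'` in `create_spec.rb` sets `let(:searchable_by) { '' }`, an empty string rather than an array, so the description does not match what is exercised and an actual `[]` value is not covered; the `'when empty array'` context added to `process_account_service_spec.rb` in the following hunk has the same mismatch. Either use `let(:searchable_by) { [] }` where the fixture accepts it, or rename both contexts to `'with empty searchableBy'`. `.blank?` is true for both shapes, so production behaviour is unaffected; this is about the spec describing the case it tests.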
@@ -81,6 +81,14 @@ describe ActivityPub::NoteSerializer do end end + context 'when direct searchability' do + let(:searchability) { :direct } + + it 'send as direct searchability' do + expect(subject['searchableBy']).to include "https://cb6e6126.ngrok.io/users/#{account.username}" + end + end + context 'when has a reference' do let(:referred) { Fabricate(:status) } diff --git a/spec/services/activitypub/process_account_service_spec.rb b/spec/services/activitypub/process_account_service_spec.rb index e399daf2a7..5febc49e51 100644 --- a/spec/services/activitypub/process_account_service_spec.rb +++ b/spec/services/activitypub/process_account_service_spec.rb @@ -150,7 +150,7 @@ RSpec.describe ActivityPub::ProcessAccountService do end context 'when direct' do - let(:searchable_by) { '' } + let(:searchable_by) { 'https://foo.test' } it 'searchability is direct' do expect(subject.searchability).to eq 'direct' @@ -173,6 +173,14 @@ RSpec.describe ActivityPub::ProcessAccountService do end end + context 'when empty array' do + let(:searchable_by) { '' } + + it 'searchability is direct' do + expect(subject.searchability).to eq 'direct' + end + end + context 'when default value' do let(:searchable_by) { nil } From 9b9458f4367ff6d27d4349cfc69e6e819edf6740 Mon Sep 17 00:00:00 2001 From: KMY Date: Tue, 10 Sep 2024 07:25:17 +0900 Subject: [PATCH 05/20] Fix account searchability --- app/lib/activitypub/tag_manager.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/lib/activitypub/tag_manager.rb b/app/lib/activitypub/tag_manager.rb index 6fe5db3769..53f0f0c693 100644 --- a/app/lib/activitypub/tag_manager.rb +++ b/app/lib/activitypub/tag_manager.rb @@ -273,7 +273,7 @@ class ActivityPub::TagManager when 'limited' ['as:Limited', 'kmyblue:Limited'] else - [] + [account_url(account)] end end From 69eecdda9cf45bfce8df560c9291aaca2300e054 Mon Sep 17 00:00:00 2001 
From: Claire Date: Thu, 12 Sep 2024 15:24:19 +0200 Subject: [PATCH 06/20] Change form-action Content-Security-Policy directive to be more restrictive (#26897) --- .../concerns/web_app_controller_concern.rb | 10 ++++++++ app/lib/content_security_policy.rb | 16 +++++++++++++ .../initializers/content_security_policy.rb | 24 +++---------------- spec/requests/content_security_policy_spec.rb | 2 +- 4 files changed, 30 insertions(+), 22 deletions(-) diff --git a/app/controllers/concerns/web_app_controller_concern.rb b/app/controllers/concerns/web_app_controller_concern.rb index b8c909877b..e1f599dcb0 100644 --- a/app/controllers/concerns/web_app_controller_concern.rb +++ b/app/controllers/concerns/web_app_controller_concern.rb @@ -8,6 +8,16 @@ module WebAppControllerConcern before_action :redirect_unauthenticated_to_permalinks! before_action :set_app_body_class + + content_security_policy do |p| + policy = ContentSecurityPolicy.new + + if policy.sso_host.present? + p.form_action policy.sso_host + else + p.form_action :none + end + end end def skip_csrf_meta_tags? diff --git a/app/lib/content_security_policy.rb b/app/lib/content_security_policy.rb index 210f37cea0..0b60b0d98c 100644 --- a/app/lib/content_security_policy.rb +++ b/app/lib/content_security_policy.rb @@ -13,6 +13,22 @@ class ContentSecurityPolicy [assets_host, cdn_host_value, paperclip_root_url].compact end + def sso_host + return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true' && ENV['OMNIAUTH_ONLY'] == 'true' && Devise.omniauth_providers.length == 1 + + provider = Devise.omniauth_configs[Devise.omniauth_providers[0]] + @sso_host ||= begin + case provider.provider + when :cas + provider.cas_url + when :saml + provider.options[:idp_sso_target_url] + when :openid_connect + provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint + end + end + end + private def url_from_configured_asset_host 
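Review bot: `ContentSecurityPolicy#sso_host` memoises into `@sso_host` on the instance, but the `content_security_policy` block added to `WebAppControllerConcern` constructs a fresh `ContentSecurityPolicy.new` inside the block, so the memo never survives between calls. If Rails evaluates controller-level `content_security_policy` blocks per request, as it does for dynamic policies, the `:openid_connect` branch that falls back to `OpenIDConnect::Discovery::Provider::Config.discover!(...)` becomes a network round-trip, and a request-time failure point, on every web-app request whenever `authorization_endpoint` is not configured; before this change the lookup lived in the initializer and was resolved once at boot. Memoise at the class level (a class-level `||=` behind the same ENV checks, or resolve it once at boot and have the concern read the stored value), and leave a comment on `sso_host` stating that it may perform OIDC discovery so callers know not to invoke it per request.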
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index e43e38786c..2940cb9740 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -12,24 +12,6 @@ policy = ContentSecurityPolicy.new assets_host = policy.assets_host media_hosts = policy.media_hosts -def sso_host - return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true' - return unless ENV['OMNIAUTH_ONLY'] == 'true' - return unless Devise.omniauth_providers.length == 1 - - provider = Devise.omniauth_configs[Devise.omniauth_providers[0]] - @sso_host ||= begin - case provider.provider - when :cas - provider.cas_url - when :saml - provider.options[:idp_sso_target_url] - when :openid_connect - provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint - end - end -end - Rails.application.config.content_security_policy do |p| p.base_uri :none p.default_src :none @@ -41,10 +23,10 @@ Rails.application.config.content_security_policy do |p| p.frame_src :self, :https p.manifest_src :self, assets_host - if sso_host.present? - p.form_action :self, sso_host + if policy.sso_host.present? + p.form_action :self, policy.sso_host else - p.form_action :self + p.form_action :self end p.child_src :self, :blob, assets_host diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb index ba6fe47741..f6303b340f 100644 --- a/spec/requests/content_security_policy_spec.rb +++ b/spec/requests/content_security_policy_spec.rb 
@@ -26,7 +26,7 @@ describe 'Content-Security-Policy' do connect-src 'self' data: blob: https://cb6e6126.ngrok.io #{Rails.configuration.x.streaming_api_base_url} default-src 'none' font-src 'self' https://cb6e6126.ngrok.io - form-action 'self' + form-action 'none' frame-ancestors 'none' frame-src 'self' https: img-src 'self' data: blob: https://cb6e6126.ngrok.io From 75b595e63b512492913a16638121e573a705f0b2 Mon Sep 17 00:00:00 2001 From: David Roetzel Date: Tue, 17 Sep 2024 16:59:29 +0200 Subject: [PATCH 07/20] Merge commit from fork Co-authored-by: Eugen Rochko --- app/javascript/mastodon/reducers/accounts_map.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/app/javascript/mastodon/reducers/accounts_map.js b/app/javascript/mastodon/reducers/accounts_map.js index 9053dcc9c0..d1229169cc 100644 --- a/app/javascript/mastodon/reducers/accounts_map.js +++ b/app/javascript/mastodon/reducers/accounts_map.js @@ -4,11 +4,10 @@ import { ACCOUNT_LOOKUP_FAIL } from '../actions/accounts'; import { importAccounts } from '../actions/accounts_typed'; import { domain } from '../initial_state'; -export const normalizeForLookup = str => { - str = str.toLowerCase(); - const trailingIndex = str.indexOf(`@${domain.toLowerCase()}`); - return (trailingIndex > 0) ? str.slice(0, trailingIndex) : str; -}; +const pattern = new RegExp(`@${domain}$`, 'gi'); + +export const normalizeForLookup = str => + str.toLowerCase().replace(pattern, ''); const initialState = ImmutableMap(); From 30d0055e44d8b9688ed08b5e69a5bb1ac17381cd Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 17 Sep 2024 17:42:45 +0200 Subject: [PATCH 08/20] Bump version to 4.3.0-beta.2 (#31948) --- CHANGELOG.md | 60 ++++++++++++++++++++++++++++++----------- docker-compose.yml | 6 ++--- lib/mastodon/version.rb | 2 +- 3 files changed, 49 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02ac2898dd..8d1e0bfcf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
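Review bot: `new RegExp(`@${domain}$`, 'gi')` in `accounts_map.js` interpolates `domain` unescaped, so any regex metacharacter in it changes the match: with `domain` set to `example.com` the `.` also matches `@exampleXcom`, and an unbalanced `(` or `[` would throw at module load. `domain` comes from the server's `initial_state`, so this is a correctness rather than an injection concern, but the end anchor this commit introduces is the security-relevant part and should match exactly. Escape once when building the pattern, e.g. `const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');`, build the `RegExp` from `escaped` instead of `domain`, and drop the `g` flag, which is redundant with the `$` anchor. A short comment on why the `indexOf` slice was replaced would also help: the old code cut at the first `@domain` anywhere in the string, the new one strips only a trailing one.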
@@ -10,21 +10,24 @@ The following changelog entries focus on changes visible to users, administrator - **Add confirmation interstitial instead of silently redirecting logged-out visitors to remote resources** (#27792, #28902, and #30651 by @ClearlyClaire and @Gargron)\ This fixes a longstanding open redirect in Mastodon, at the cost of added friction when local links to remote resources are shared. +- Change `form-action` Content-Security-Policy directive to be more restrictive (#26897 by @ClearlyClaire) +- Update dependencies ### Added -- **Add experimental server-side notification grouping** (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, and #31513 by @ClearlyClaire, @mgmn, and @renchap)\ +- **Add server-side notification grouping** (#29889, #30576, #30685, #30688, #30707, #30776, #30779, #30781, #30440, #31062, #31098, #31076, #31111, #31123, #31223, #31214, #31224, #31299, #31325, #31347, #31304, #31326, #31384, #31403, #31433, #31509, #31486, #31513, #31592, #31594, #31638, #31746, #31652, #31709, #31725, #31745, #31613, #31657, #31840, #31610 and #31929 by @ClearlyClaire, @Gargron, @mgmn, and @renchap)\ Group notifications of the same type for the same target, so that your notifications no longer get cluttered by boost and favorite notifications as soon as a couple of your posts get traction.\ This is done server-side so that clients can efficiently get relevant groups without having to go through numerous pages of individual notifications.\ As part of this, the visual design of the entire notifications feature has been revamped.\ This feature is intended to eventually replace the existing notifications column, but for this first beta, users will have to enable it in the “Experimental features” section of the notifications column settings.\ The API is not final yet, but it consists of: - a 
new `group_key` attribute to `Notification` entities - - `GET /api/v2_alpha/notifications`: https://docs.joinmastodon.org/methods/notifications_alpha/#get-grouped - - `GET /api/v2_alpha/notifications/:group_key`: https://docs.joinmastodon.org/methods/notifications_alpha/#get-notification-group - - `POST /api/v2_alpha/notifications/:group_key/dimsiss`: https://docs.joinmastodon.org/methods/notifications_alpha/#dismiss-group - - `GET /api/v2_alpha/notifications/:unread_count`: https://docs.joinmastodon.org/methods/notifications_alpha/#unread-group-count -- **Add notification policies, filtered notifications and notification requests** (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, #29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, and #31541 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)\ + - `GET /api/v2/notifications`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-grouped + - `GET /api/v2/notifications/:group_key`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-notification-group + - `GET /api/v2/notifications/:group_key/accounts`: https://docs.joinmastodon.org/methods/grouped_notifications/#get-group-accounts + - `POST /api/v2/notifications/:group_key/dimsiss`: https://docs.joinmastodon.org/methods/grouped_notifications/#dismiss-group + - `GET /api/v2/notifications/:unread_count`: https://docs.joinmastodon.org/methods/grouped_notifications/#unread-group-count +- **Add notification policies, filtered notifications and notification requests** (#29366, #29529, #29433, #29565, #29567, #29572, #29575, #29588, #29646, #29652, #29658, #29666, #29693, #29699, #29737, #29706, #29570, #29752, 
#29810, #29826, #30114, #30251, #30559, #29868, #31008, #31011, #30996, #31149, #31220, #31222, #31225, #31242, #31262, #31250, #31273, #31310, #31316, #31322, #31329, #31324, #31331, #31343, #31342, #31309, #31358, #31378, #31406, #31256, #31456, #31419, #31457, #31508, #31540, #31541, and #31723 by @ClearlyClaire, @Gargron, @TheEssem, @mgmn, @oneiros, and @renchap)\ The old “Block notifications from non-followers”, “Block notifications from people you don't follow” and “Block direct messages from people you don't follow” notification settings have been replaced by a new set of settings found directly in the notification column.\ You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.\ Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.\ 
@@ -57,19 +60,22 @@ The following changelog entries focus on changes visible to users, administrator - **Add timeline of public posts about a trending link** (#30381 and #30840 by @Gargron)\ You can now see public posts mentioning currently-trending articles from people who have opted into discovery features.\ This adds a new REST API endpoint: https://docs.joinmastodon.org/methods/timelines/#link -- **Add author highlight for news articles whose authors are on the fediverse** (#30398, #30670, #30521, and #30846 by @Gargron)\ +- **Add author highlight for news articles whose authors are on the fediverse** (#30398, #30670, #30521, #30846, #31819, and #31900 by @Gargron and @oneiros)\ This adds a mechanism to [highlight the author of news articles](https://blog.joinmastodon.org/2024/07/highlighting-journalism-on-mastodon/) shared on Mastodon.\ Articles hosted outside the fediverse can indicate a fediverse author with a meta tag: ```html ``` On the API side, this is represented by a new `authors` attribute to the `PreviewCard` entity: https://docs.joinmastodon.org/entities/PreviewCard/#authors\ - Note that this feature is still work in progress and the tagging format and verification mechanisms may change in future releases. 
+ Users can allow arbitrary domains to use `fediverse:creator` to credit them by visiting `/settings/verification`.\ + This is federated as a new `attributionDomains` property in the `http://joinmastodon.org/ns` namespace, containing an array of domain names: https://docs.joinmastodon.org/spec/activitypub/#properties-used-1 - **Add in-app notifications for moderation actions and warnings** (#30065, #30082, and #30081 by @ClearlyClaire)\ In addition to email notifications, also notify users of moderation actions or warnings against them directly within the app, so they are less likely to miss important communication from their moderators.\ This adds the `moderation_warning` notification type to the REST API and streaming, with a new [`moderation_warning` attribute](https://docs.joinmastodon.org/entities/Notification/#moderation_warning). - **Add domain information to profiles in web UI** (#29602 by @Gargron)\ Clicking the domain of a user in their profile will now open a tooltip with a short explanation about servers and federation. +- **Add support for Redis sentinel** (#31694, #31623, #31744, #31767, and #31768 by @ThisIsMissEm and @oneiros)\ + See https://docs.joinmastodon.org/admin/scaling/#redis-sentinel - Add ability to reorder uploaded media before posting in web UI (#28456 by @Gargron) - Add moderation interface for searching hashtags (#30880 by @ThisIsMissEm) - Add ability for admins to configure instance favicon and logo (#30040, #30208, #30259, #30375, #30734, #31016, and #30205 by @ClearlyClaire, @FawazFarid, @JasonPunyon, @mgmn, and @renchap)\ 
@@ -77,6 +83,8 @@ The following changelog entries focus on changes visible to users, administrator - Add `api_versions` to `/api/v2/instance` (#31354 by @ClearlyClaire)\ Add API version number to make it easier for clients to detect compatible features going forward.\ See API documentation at https://docs.joinmastodon.org/entities/Instance/#api-versions +- Add quick links to Administration and Moderation Reports from Web UI (#24838 by @ThisIsMissEm) +- Add link to `/admin/roles` in moderation interface when changing someone's role (#31791 by @ClearlyClaire) - Add recent audit log entries in federation moderation interface (#27386 by @ThisIsMissEm) - Add profile setup to onboarding in web UI (#27829, #27876, and #28453 by @Gargron) - Add prominent share/copy button on profiles in web UI (#27865 and #27889 by @ClearlyClaire and @Gargron) 
@@ -113,21 +121,24 @@ The following changelog entries focus on changes visible to users, administrator - Add support for multiple `redirect_uris` when creating OAuth 2.0 Applications (#29192 by @ThisIsMissEm) - Add Interlingue and Interlingua to interface languages (#28630 and #30828 by @Dhghomon and @renchap) - Add Kashubian, Pennsylvania Dutch, Vai, Jawi Malay, Mohawk and Low German to posting languages (#26024, #26634, #27136, #29098, #27115, and #27434 by @EngineerDali, @HelgeKrueger, and @gunchleoc) -- Add validations to `Web::PushSubscription` (#30540 and #30542 by @ThisIsMissEm) - Add option to use native Ruby driver for Redis through `REDIS_DRIVER=ruby` (#30717 by @vmstan) - Add support for libvips in addition to ImageMagick (#30090, #30590, #30597, #30632, #30857, #30869, and #30858 by @ClearlyClaire, @Gargron, and @mjankowski)\ Server admins can now use libvips as a faster and lighter alternative to ImageMagick for processing user-uploaded images.\ This requires libvips 8.13 or newer, and needs to be enabled with `MASTODON_USE_LIBVIPS=true`.\ This is enabled by default in the official Docker images, and is intended to completely replace ImageMagick in the future. 
+- Add validations to `Web::PushSubscription` (#30540 and #30542 by @ThisIsMissEm) +- Add anchors to each authorized application in `/oauth/authorized_applications` (#31677 by @fowl2) - Add active animation to header settings button (#30221, #30307, and #30388 by @daudix) - Add OpenTelemetry instrumentation (#30130, #30322, #30353, and #30350 by @julianocosta89, @renchap, and @robbkidd)\ See https://docs.joinmastodon.org/admin/config/#otel for documentation - Add API to get multiple accounts and statuses (#27871 and #30465 by @ClearlyClaire)\ This adds `GET /api/v1/accounts` and `GET /api/v1/statuses` to the REST API, see https://docs.joinmastodon.org/methods/accounts/#index and https://docs.joinmastodon.org/methods/statuses/#index +- Add support for CORS to `POST /oauth/revoke` (#31743 by @ClearlyClaire) - Add redirection back to previous page after site upload deletion (#30141 by @FawazFarid) - Add RFC8414 OAuth 2.0 server metadata (#29191 by @ThisIsMissEm) - Add loading indicator and empty result message to advanced interface search (#30085 by @ClearlyClaire) - Add `profile` OAuth 2.0 scope, allowing more limited access to user data (#29087 and #30357 by @ThisIsMissEm) +- Add global Regexp timeout (#31928 by @ClearlyClaire) - Add the role ID to the badge component (#29707 by @renchap) - Add diagnostic message for failure during CLI search deploy (#29462 by @mjankowski) - Add pagination `Link` headers on API accounts/statuses when pinned true (#29442 by @mjankowski) 
@@ -156,14 +167,14 @@ The following changelog entries focus on changes visible to users, administrator - **Change icons throughout the web interface** (#27385, #27539, #27555, #27579, #27700, #27817, #28519, #28709, #28064, #28775, #28780, #27924, #29294, #29395, #29537, #29569, #29610, #29612, #29649, #29844, #27780, #30974, #30963, #30962, #30961, #31362, #31363, #31359, #31371, #31360, #31512, #31511, and #31525 by @ClearlyClaire, @Gargron, @arbolitoloco1, @mjankowski, @nclm, @renchap, @ronilaukkarinen, and @zunda)\ This changes all the interface icons from FontAwesome to Material Symbols for a more modern look, consistent with the official Mastodon Android app.\ In addition, better care is given to pixel alignment, and icon variants are used to better highlight active/inactive state. -- **Change design of compose form in web UI** (#28119, #29059, #29248, #29372, #29384, #29417, #29456, #29406, #29651, and #29659 by @ClearlyClaire, @Gargron, @eai04191, @hinaloe, and @ronilaukkarinen)\ +- **Change design of compose form in web UI** (#28119, #29059, #29248, #29372, #29384, #29417, #29456, #29406, #29651, #29659, and #31889 by @ClearlyClaire, @Gargron, @eai04191, @hinaloe, and @ronilaukkarinen)\ The compose form has been completely redesigned for a more modern and consistent look, as well as spelling out the chosen privacy setting and language name at all times.\ As part of this, the “Unlisted” privacy setting has been renamed to “Quiet public”. 
-- **Change design of confirmation modals in the web UI** (#29576, #29614, #29640, #29644, #30131, #30884, and #31399 by @ClearlyClaire, @Gargron, and @tribela)\ +- **Change design of modals in the web UI** (#29576, #29614, #29640, #29644, #30131, #30884, #31399, #31555, #31752, #31801, #31883, #31844, #31864, and #31943 by @ClearlyClaire, @Gargron, @tribela and @vmstan)\ The mute, block, and domain block confirmation modals have been completely redesigned to be clearer and include more detailed information on the action to be performed.\ They also have a more modern and consistent design, along with other confirmation modals in the application. - **Change colors throughout the web UI** (#29522, #29584, #29653, #29779, #29803, #29809, #29808, #29828, #31034, #31168, #31266, #31348, #31349, #31361, and #31510 by @ClearlyClaire, @Gargron, @renchap, and @vmstan) -- **Change onboarding prompt to follow suggestions carousel in web UI** (#28878 and #29272 by @Gargron) +- **Change onboarding prompt to follow suggestions carousel in web UI** (#28878, #29272, and #31912 by @Gargron) - **Change email templates** (#28416, #28755, #28814, #29064, #28883, #29470, #29607, #29761, #29760, and #29879 by @ClearlyClaire, @Gargron, @hteumeuleu, and @mjankowski)\ All emails to end-users have been completely redesigned with a fresh new look, providing more information while making them easier to read and keeping maximum compatibility across mail clients. - **Change follow recommendations algorithm** (#28314, #28433, #29017, #29108, #29306, #29550, #29619, and #31474 by @ClearlyClaire, @Gargron, @kernal053, @mjankowski, and @wheatear-dev)\ 
@@ -171,19 +182,28 @@ The following changelog entries focus on changes visible to users, administrator In addition, the implementation has been significantly reworked, and all follow recommendations are now dismissable.\ This change deprecates the `source` attribute in `Suggestion` entities in the REST API, and replaces it with the new [`sources` attribute](https://docs.joinmastodon.org/entities/Suggestion/#sources). - Change account search algorithm (#30803 by @Gargron) -- **Change streaming server to use its own dependencies and its own docker image** (#24702, #27967, #26850, #28112, #28115, #28137, #28138, #28497, #28548, and #30795 by @TheEssem, @ThisIsMissEm, @jippi, @timetinytim, and @vmstan)\ +- **Change streaming server to use its own dependencies and its own docker image** (#24702, #27967, #26850, #28112, #28115, #28137, #28138, #28497, #28548, #30795, #31612, and #31615 by @TheEssem, @ThisIsMissEm, @jippi, @renchap, @timetinytim, and @vmstan)\ In order to reduce the amount of runtime dependencies, the streaming server has been moved into a separate package and Docker image.\ The `mastodon` image does not contain the streaming server anymore, as it has been moved to its own `mastodon-streaming` image.\ Administrators may need to update their setup accordingly. 
-- Change how content warnings and filters are displayed in web UI (#31365 by @Gargron) +- Change how content warnings and filters are displayed in web UI (#31365, and #31761 by @Gargron) +- Change preview card processing to ignore `undefined` as canonical url (#31882 by @oneiros) +- Change embedded posts to use web UI (#31766 by @Gargron) +- Change inner borders in media galleries in web UI (#31852 by @Gargron) +- Change design of hide media button in web UI (#31807 by @Gargron) +- Change labels on thread indicators in web UI (#31806 by @Gargron) +- Change report action buttons to be disabled when action has already been taken (#31773, #31822, and #31899 by @ClearlyClaire and @ThisIsMissEm) +- Change width of columns in advanced web UI (#31762 by @Gargron) +- Change design of unread conversations in web UI (#31763 by @Gargron) - Change Web UI to allow viewing and severing relationships with suspended accounts (#27667 by @ClearlyClaire)\ This also adds a `with_suspended` parameter to `GET /api/v1/accounts/relationships` in the REST API. 
+- Change preview card image size limit from 2MB to 8MB when using libvips (#31904 by @ClearlyClaire) - Change avatars border radius (#31390 by @renchap) - Change counters to be displayed on profile timelines in web UI (#30525 by @Gargron) - Change disabled buttons color in light mode to make the difference more visible (#30998 by @renchap) - Change design of people tab on explore in web UI (#30059 by @Gargron) - Change sidebar text in web UI (#30696 by @Gargron) -- Change "Follow" to "Follow back" and "Mutual" when appropriate in web UI (#28452 and #28465 by @Gargron and @renchap) +- Change "Follow" to "Follow back" and "Mutual" when appropriate in web UI (#28452, #28465, and #31934 by @ClearlyClaire, @Gargron and @renchap) - Change media to be hidden/blurred by default in report modal (#28522 by @ClearlyClaire) - Change order of the "muting" and "blocking" list options in “Data Exports” (#26088 by @fixermark) - Change admin and moderation notes character limit from 500 to 2000 characters (#30288 by @ThisIsMissEm) @@ -197,6 +217,7 @@ The following changelog entries focus on changes visible to users, administrator - Change dropdown menu icon to not be replaced by close icon when open in web UI (#29532 by @Gargron) - Change back button to always appear in advanced web UI (#29551 and #29669 by @Gargron) - Change border of active compose field search inputs (#29832 and #29839 by @vmstan) +- Change instances of Nokogiri HTML4 parsing to HTML5 (#31812, #31815, #31813, and #31814 by @flavorjones) - Change link detection to allow `@` at the end of an URL (#31124 by @adamniedzielski) - Change User-Agent to use Mastodon as the product, and http.rb as platform details (#31192 by @ClearlyClaire) - Change layout and wording of the Content Retention server settings page (#27733 by @vmstan) 
@@ -249,8 +270,17 @@ The following changelog entries focus on changes visible to users, administrator - Fix various issues when in link preview card generation (#28748, #30017, #30362, #30173, #30853, #30929, #30933, #30957, #30987, and #31144 by @adamniedzielski, @oneiros, @phocks, @timothyjrogers, and @tribela) - Fix handling of missing links in Webfinger responses (#31030 by @adamniedzielski) - Fix HTTP 500 error in `/api/v1/polls/:id/votes` when required `choices` parameter is missing (#25598 by @danielmbrasil) +- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire) - Fix cross-origin loading of `inert.css` polyfill (#30687 by @louis77) - Fix cutoff of instance name in sign-up form (#30598 by @oneiros) +- Fix invalid date searches returning 503 errors (#31526 by @notchairmk) +- Fix invalid `visibility` values in `POST /api/v1/statuses` returning 500 errors (#31571 by @c960657) +- Fix some components re-rendering spuriously in web UI (#31879 and #31881 by @ClearlyClaire and @Gargron) +- Fix sort order of moderation notes on Reports and Accounts (#31528 by @ThisIsMissEm) +- Fix email language when recipient has no selected locale (#31747 by @ClearlyClaire) +- Fix frequently-used languages not correctly updating in the web UI (#31386 by @c960657) +- Fix `POST /api/v1/statuses` silently ignoring invalid `media_ids` parameter (#31681 by @c960657) +- Fix handling of the `BIND` environment variable in the streaming server (#31624 by @ThisIsMissEm) - Fix empty `aria-hidden` attribute value in logo resources area (#30570 by @mjankowski) - Fix “Redirect URI” field not being marked as required in “New application” form (#30311 by @ThisIsMissEm) - Fix right-to-left text in preview cards (#30930 by @ClearlyClaire) diff --git a/docker-compose.yml b/docker-compose.yml index 8053b436ce..c4e8cb7374 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -59,7 +59,7 @@ services: web: # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes # build: . - image: ghcr.io/mastodon/mastodon:v4.3.0-beta.1 + image: ghcr.io/mastodon/mastodon:v4.3.0-beta.2 restart: always env_file: .env.production command: bundle exec puma -C config/puma.rb @@ -83,7 +83,7 @@ services: # build: # dockerfile: ./streaming/Dockerfile # context: . - image: ghcr.io/mastodon/mastodon-streaming:v4.3.0-beta.1 + image: ghcr.io/mastodon/mastodon-streaming:v4.3.0-beta.2 restart: always env_file: .env.production command: node ./streaming/index.js @@ -101,7 +101,7 @@ services: sidekiq: build: . - image: ghcr.io/mastodon/mastodon:v4.3.0-beta.1 + image: ghcr.io/mastodon/mastodon:v4.3.0-beta.2 restart: always env_file: .env.production command: bundle exec sidekiq diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 7f7330961f..a52589b787 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -31,7 +31,7 @@ module Mastodon end def default_prerelease - 'beta.1' + 'beta.2' end def prerelease From 9280e4e1b3f8da8f91f81f6016504665e8c099a0 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 16 Sep 2024 10:48:13 +0200 Subject: [PATCH 09/20] Update dependencies omniauth-saml, ruby-xml and ruby-saml (#31926) --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 78fd21b4e8..738ca0fd7e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -470,9 +470,9 @@ GEM omniauth-rails_csrf_protection (1.0.2) actionpack (>= 4.2) omniauth (~> 2.0) - omniauth-saml (2.1.0) - omniauth (~> 2.0) - ruby-saml (~> 1.12) + omniauth-saml (2.2.1) + omniauth (~> 2.1) + ruby-saml (~> 1.17) omniauth_openid_connect (0.6.1) omniauth (>= 1.9, < 3) openid_connect (~> 1.1) 
@@ -763,7 +763,7 @@ GEM rubocop-rspec (~> 3, >= 3.0.1) ruby-prof (1.7.0) ruby-progressbar (1.13.0) - ruby-saml (1.16.0) + ruby-saml (1.17.0) nokogiri (>= 1.13.10) rexml ruby-vips (2.2.2) From ba7bd3946b24b1aaa55e554bbf4865ff33564e02 Mon Sep 17 00:00:00 2001 From: KMY Date: Wed, 18 Sep 2024 08:14:45 +0900 Subject: [PATCH 10/20] Bump version to 14.1 --- lib/mastodon/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index a52589b787..fd6eb9325e 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -9,7 +9,7 @@ module Mastodon end def kmyblue_minor - 0 + 1 end def kmyblue_flag From c92eb63b11e6f8cbe6797e2e2a8cfec8e7ddcf81 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 30 Sep 2024 12:25:54 +0200 Subject: [PATCH 11/20] Merge commit from fork This should not change the set of words matched by `USERNAME_RE` but does change the one matched by `MENTION_RE`. Indeed, the previous regexp allowed a domain part to start with `.` or `-`, which the new regexp does not allow. --- app/models/account.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/account.rb b/app/models/account.rb index 24ce72d235..694c9000eb 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -71,8 +71,8 @@ class Account < ApplicationRecord DEFAULT_FIELDS_SIZE = 6 INSTANCE_ACTOR_ID = -99 - USERNAME_RE = /[a-z0-9_]+([a-z0-9_.-]+[a-z0-9_]+)?/i - MENTION_RE = %r{(? Date: Fri, 27 Sep 2024 14:31:00 +0200 Subject: [PATCH 12/20] Fix bundler-audit --- .bundler-audit.yml | 10 ++++++++++ Gemfile.lock | 10 +++++----- 2 files changed, 15 insertions(+), 5 deletions(-) create mode 100644 .bundler-audit.yml diff --git a/.bundler-audit.yml b/.bundler-audit.yml new file mode 100644 index 0000000000..c867b1abf0 --- /dev/null +++ b/.bundler-audit.yml 
@@ -0,0 +1,10 @@
+---
+ignore:
+ # devise-two-factor advisory about brute-forcing TOTP
+ # We have rate-limits on authentication endpoints in place (including second
+ # factor verification) since Mastodon v3.2.0
+ - CVE-2024-0227
+ # devise-two-factor advisory about generated secrets being weaker than expected
+ # We call `generate_otp_secret` ourselves with a requested length of 32 characters,
+ # which exceeds the recommended remediation of 26 characters, so we're safe
+ - CVE-2024-8796
diff --git a/Gemfile.lock b/Gemfile.lock
index 738ca0fd7e..b79d0dad1d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -290,9 +290,9 @@ GEM
 ruby-progressbar (~> 1.4)
 globalid (1.2.1)
 activesupport (>= 6.1)
- google-protobuf (3.25.4)
+ google-protobuf (3.25.5)
 googleapis-common-protos-types (1.15.0)
- google-protobuf (>= 3.18, < 5.a)
+ google-protobuf (>= 3.25.5, < 5.a)
 haml (6.3.0)
 temple (>= 0.8.2)
 thor
@@ -494,7 +494,7 @@ GEM
 opentelemetry-common (0.21.0)
 opentelemetry-api (~> 1.0)
 opentelemetry-exporter-otlp (0.29.0)
- google-protobuf (>= 3.18)
+ google-protobuf (>= 3.25.5)
 googleapis-common-protos-types (~> 1.3)
 opentelemetry-api (~> 1.1)
 opentelemetry-common (~> 0.20)
@@ -607,7 +607,7 @@ GEM
 psych (5.1.2)
 stringio
 public_suffix (6.0.1)
- puma (6.4.2)
+ puma (6.4.3)
 nio4r (~> 2.0)
 pundit (2.4.0)
 activesupport (>= 3.0.0)
@@ -892,7 +892,7 @@ GEM
 rack-proxy (>= 0.6.1)
 railties (>= 5.2)
 semantic_range (>= 2.3.0)
- webrick (1.8.1)
+ webrick (1.8.2)
 websocket (1.2.11)
 websocket-driver (0.7.6)
 websocket-extensions (>= 0.1.0)
From 5db2174f0f5590defba797c17ab24fe26b583c49 Mon Sep 17 00:00:00 2001
From: KMY
Date: Mon, 30 Sep 2024 21:46:22 +0900
Subject: [PATCH 13/20] Fix test
---
 Gemfile.lock | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index b79d0dad1d..ff98da28cc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
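Review bot: Both ignore entries justify the suppression with conditions that live elsewhere (rate limits on second-factor verification, a 32-character `generate_otp_secret` call), but nothing ties the entries to those conditions, so a later change to either silently invalidates the rationale. Consider adding `# Re-evaluate when devise-two-factor is upgraded or the OTP/rate-limit configuration changes` under `ignore:`, and a spec that asserts the secret length requested from `generate_otp_secret` so the second justification is checked rather than remembered. The call site is not part of this patch, so whether such a spec already exists is not verifiable here.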
@@ -290,9 +290,11 @@ GEM
 ruby-progressbar (~> 1.4)
 globalid (1.2.1)
 activesupport (>= 6.1)
- google-protobuf (3.25.5)
- googleapis-common-protos-types (1.15.0)
- google-protobuf (>= 3.25.5, < 5.a)
+ google-protobuf (4.28.2)
+ bigdecimal
+ rake (>= 13)
+ googleapis-common-protos-types (1.16.0)
+ google-protobuf (>= 3.18, < 5.a)
 haml (6.3.0)
 temple (>= 0.8.2)
 thor
From 72ee2860370bfc04c48c601c142f9efcd00a2fb8 Mon Sep 17 00:00:00 2001
From: KMY
Date: Mon, 30 Sep 2024 21:48:32 +0900
Subject: [PATCH 14/20] Fix test
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index ff98da28cc..2fd7c3ad2b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -496,7 +496,7 @@ GEM
 opentelemetry-common (0.21.0)
 opentelemetry-api (~> 1.0)
 opentelemetry-exporter-otlp (0.29.0)
- google-protobuf (>= 3.25.5)
+ google-protobuf (>= 3.18)
 googleapis-common-protos-types (~> 1.3)
 opentelemetry-api (~> 1.1)
 opentelemetry-common (~> 0.20)
From 99d66c1e29497be9602fc1d0969d5277971003ac Mon Sep 17 00:00:00 2001
From: Claire
Date: Fri, 20 Sep 2024 16:58:06 +0200
Subject: [PATCH 15/20] Fix issue when encountering reblog of deleted post in feed rebuild (#32001)
---
 app/lib/feed_manager.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/lib/feed_manager.rb b/app/lib/feed_manager.rb
index 12f2b9a20f..4ad166fcd3 100644
--- a/app/lib/feed_manager.rb
+++ b/app/lib/feed_manager.rb
@@ -598,7 +598,7 @@ class FeedManager
 arr = crutches[:active_mentions][s.id] || []
 arr.push(s.account_id)
- if s.reblog?
+ if s.reblog? && s.reblog.present?
 arr.push(s.reblog.account_id)
 arr.concat(crutches[:active_mentions][s.reblog_of_id] || [])
 end
From d72c8dc7773e24cec5288cd8036e94910adfe69e Mon Sep 17 00:00:00 2001
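Review bot: The added `s.reblog.present?` guard in `feed_manager.rb` carries no comment saying why a reblog row can lack its target, and the next reader will be tempted to remove the apparently redundant check. Per the commit subject this happens when the reblogged post has been deleted by the time the feed is rebuilt; suggest `# reblog may be nil when the reblogged status was deleted (seen during feed rebuilds)` above the `if`. The enclosing method starts and ends outside the hunk, so it is not visible whether `s.reblog` is preloaded; if it is not, `present?` costs an extra query per reblog.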
From: Claire
Date: Thu, 12 Sep 2024 14:58:12 +0200
Subject: [PATCH 16/20] Fix security context sometimes not being added in LD-Signed activities (#31871)
---
 app/lib/activitypub/linked_data_signature.rb | 9 ++++++++-
 spec/lib/activitypub/linked_data_signature_spec.rb | 9 ++-------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/app/lib/activitypub/linked_data_signature.rb b/app/lib/activitypub/linked_data_signature.rb
index 9459fdd8b7..c42313b05e 100644
--- a/app/lib/activitypub/linked_data_signature.rb
+++ b/app/lib/activitypub/linked_data_signature.rb
@@ -4,6 +4,7 @@ class ActivityPub::LinkedDataSignature
 include JsonLdHelper
 CONTEXT = 'https://w3id.org/identity/v1'
+ SIGNATURE_CONTEXT = 'https://w3id.org/security/v1'
 def initialize(json)
 @json = json.with_indifferent_access
@@ -46,7 +47,13 @@ class ActivityPub::LinkedDataSignature
 signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed))
- @json.merge('signature' => options.merge('signatureValue' => signature))
+ # Mastodon's context is either an array or a single URL
+ context_with_security = Array(@json['@context'])
+ context_with_security << 'https://w3id.org/security/v1'
+ context_with_security.uniq!
+ context_with_security = context_with_security.first if context_with_security.size == 1
+
+ @json.merge('signature' => options.merge('signatureValue' => signature), '@context' => context_with_security)
 end
 private
diff --git a/spec/lib/activitypub/linked_data_signature_spec.rb b/spec/lib/activitypub/linked_data_signature_spec.rb
index 1af45673c0..b1a8dc5c49 100644
--- a/spec/lib/activitypub/linked_data_signature_spec.rb
+++ b/spec/lib/activitypub/linked_data_signature_spec.rb
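Review bot: `SIGNATURE_CONTEXT` is introduced in the first hunk of `linked_data_signature.rb`, but the second hunk appends the literal `'https://w3id.org/security/v1'` instead, leaving the constant unused in the visible code and the URL duplicated; change the append to `context_with_security << SIGNATURE_CONTEXT`. The comment `# Mastodon's context is either an array or a single URL` describes the input shape rather than the intent; `# Add the security context so the signature block is resolvable, collapsing back to a bare string when only one context remains` would say why the array is flattened again. The enclosing method (per the spec, `sign!`) starts outside the hunk.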
@@ -95,16 +95,11 @@ RSpec.describe ActivityPub::LinkedDataSignature do
 describe '#sign!' do
 subject { described_class.new(raw_json).sign!(sender) }
- it 'returns a hash' do
+ it 'returns a hash with a signature, the expected context, and the signature can be verified', :aggregate_failures do
 expect(subject).to be_a Hash
- end
-
- it 'contains signature' do
 expect(subject['signature']).to be_a Hash
 expect(subject['signature']['signatureValue']).to be_present
- end
-
- it 'can be verified again' do
+ expect(Array(subject['@context'])).to include('https://w3id.org/security/v1')
 expect(described_class.new(subject).verify_actor!).to eq sender
 end
 end
From 6a2342d8af03cf441698f0301a985e997f81c6e5 Mon Sep 17 00:00:00 2001
From: Claire
Date: Fri, 20 Sep 2024 12:10:09 +0200
Subject: [PATCH 17/20] Change Mastodon to issue correctly-signed queries by default (#31994)
---
 app/lib/request.rb | 2 +-
 app/services/activitypub/fetch_replies_service.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/lib/request.rb b/app/lib/request.rb
index ab42e82300..d7da9fe63c 100644
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -77,7 +77,7 @@ class Request
 @url = Addressable::URI.parse(url).normalize
 @http_client = options.delete(:http_client)
 @allow_local = options.delete(:allow_local)
- @full_path = options.delete(:with_query_string)
+ @full_path = !options.delete(:omit_query_string)
 @options = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket)
 @options = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT)
 @options = @options.merge(proxy_url) if use_proxy?
diff --git a/app/services/activitypub/fetch_replies_service.rb b/app/services/activitypub/fetch_replies_service.rb
index e2ecdef165..46cab6caf9 100644
--- a/app/services/activitypub/fetch_replies_service.rb
+++ b/app/services/activitypub/fetch_replies_service.rb
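Review bot: The replaced line in `request.rb` stops consuming `:with_query_string`, so any caller not updated by this commit that still passes it will have the key flow into `@options` through `options.merge(...)` on the next line and on to the HTTP client, while its request silently takes the new default. Draining the stale key with `options.delete(:with_query_string)`, or raising `ArgumentError` when it is present, would make leftover call sites fail loudly during the transition. A one-line comment such as `# The query string is part of the signed path by default; pass omit_query_string: true to opt out` would also document the inverted option. The enclosing method starts outside the hunk.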
@@ -49,7 +49,7 @@ class ActivityPub::FetchRepliesService < BaseService
 rescue Mastodon::UnexpectedResponseError => e
 raise unless e.response && e.response.code == 401 && Addressable::URI.parse(collection_or_uri).query.present?
- fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { with_query_string: true })
+ fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { omit_query_string: false })
 end
 end
From 7753dde1e71dcd2f51aa68afee0e8fbc664be173 Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 23 Sep 2024 17:36:15 +0200
Subject: [PATCH 18/20] Fix replies collection being cached improperly
---
 app/controllers/activitypub/replies_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb
index 11aac48c9c..0a19275d38 100644
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@@ -12,7 +12,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
 before_action :set_replies
 def index
- expires_in 0, public: public_fetch_mode?
+ expires_in 0, public: @status.distributable? && public_fetch_mode?
 render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true
 end
From d410714aa8c4410cf3d0b24a73dbac5e4c496643 Mon Sep 17 00:00:00 2001
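Review bot: With `Request` now defaulting `@full_path` to `!options.delete(:omit_query_string)`, passing `omit_query_string: false` in `fetch_replies_service.rb` is the default behaviour, so unless the first attempt (made outside this hunk) explicitly passes `omit_query_string: true`, the 401 rescue now repeats an identical request. If the first attempt does opt out, a comment such as `# Retry with the query string included in the signed path for servers that expect it` would explain why this path differs; if it does not, the rescue can likely be dropped. The enclosing method starts outside the hunk.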
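Review bot: The new `@status.distributable? &&` guard on `expires_in` in `replies_controller.rb` has no explanation, and since it decides whether a shared cache may store the collection the reasoning deserves a comment; per the commit subject this fixes the collection being cached improperly, so `# Never mark the collection as publicly cacheable unless the status itself is publicly distributable` above the line would help. `distributable?` is not visible from here, so confirm it covers every visibility that should keep the response out of shared caches.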
From: Claire
Date: Thu, 26 Sep 2024 21:27:57 +0200
Subject: [PATCH 19/20] =?UTF-8?q?Add=20=E2=80=9CA=20Mastodon=20update=20is?= =?UTF-8?q?=20available.=E2=80=9D=20message=20on=20admin=20dashboard=20for?= =?UTF-8?q?=20non-bugfix=20updates=20(#32106)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/lib/admin/system_check/software_version_check.rb | 6 ++++--
 config/locales/en.yml | 3 +++
 spec/lib/admin/system_check/software_version_check_spec.rb | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/app/lib/admin/system_check/software_version_check.rb b/app/lib/admin/system_check/software_version_check.rb
index e142feddf0..e5cacfe354 100644
--- a/app/lib/admin/system_check/software_version_check.rb
+++ b/app/lib/admin/system_check/software_version_check.rb
@@ -14,14 +14,16 @@ class Admin::SystemCheck::SoftwareVersionCheck < Admin::SystemCheck::BaseCheck
 def message
 if software_updates.any?(&:urgent?)
 Admin::SystemCheck::Message.new(:software_version_critical_check, nil, admin_software_updates_path, true)
- else
+ elsif software_updates.any?(&:patch_type?)
 Admin::SystemCheck::Message.new(:software_version_patch_check, nil, admin_software_updates_path)
+ else
+ Admin::SystemCheck::Message.new(:software_version_check, nil, admin_software_updates_path)
 end
 end
 private
 def software_updates
- @software_updates ||= SoftwareUpdate.pending_to_a.filter { |update| update.urgent? || update.patch_type? }
+ @software_updates ||= SoftwareUpdate.pending_to_a
 end
 end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 20f45bebc9..e67796211a 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
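Review bot: `message` in `software_version_check.rb` now chooses between three keys by checking `urgent?` first, then `patch_type?`, then everything else, but the priority is implicit; a comment such as `# Report the most severe pending update: urgent, then patch-level, then any other` above the `if` would make it explicit. Dropping the filter in `software_updates` also widens what the check reports and, per the spec change in this patch, makes `pass?` fail on non-urgent major updates; `pass?` is outside the hunk, so confirm that every other caller of `software_updates` expects the unfiltered list.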
@@ -1136,6 +1136,9 @@ en:
 message_html: You haven't defined any server rules.
 sidekiq_process_check:
 message_html: No Sidekiq process running for the %{value} queue(s). Please review your Sidekiq configuration
+ software_version_check:
+ action: See available updates
+ message_html: A Mastodon update is available.
 software_version_critical_check:
 action: See available updates
 message_html: A critical Mastodon update is available, please update as quickly as possible.
diff --git a/spec/lib/admin/system_check/software_version_check_spec.rb b/spec/lib/admin/system_check/software_version_check_spec.rb
index de4335fc51..cc4c80e7a4 100644
--- a/spec/lib/admin/system_check/software_version_check_spec.rb
+++ b/spec/lib/admin/system_check/software_version_check_spec.rb
@@ -51,8 +51,8 @@ describe Admin::SystemCheck::SoftwareVersionCheck do
 Fabricate(:software_update, version: '99.99.99', type: 'major', urgent: false)
 end
- it 'returns true' do
- expect(check.pass?).to be true
+ it 'returns false' do
+ expect(check.pass?).to be false
 end
 end
From b6b21f5b45f2da89c778def0acffbdd5d29b60c3 Mon Sep 17 00:00:00 2001
From: KMY
Date: Mon, 30 Sep 2024 21:32:17 +0900
Subject: [PATCH 20/20] Bump version to 14.2
---
 lib/mastodon/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
index fd6eb9325e..1e7c4183d3 100644
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@@ -9,7 +9,7 @@ module Mastodon
 end
 def kmyblue_minor
- 1
+ 2
 end
 def kmyblue_flag