From 597e4949eb7fb4b6cd66a68a1aabe1877a3bf610 Mon Sep 17 00:00:00 2001 From: Yamagishi Kazutoshi Date: Mon, 7 Nov 2022 00:13:53 +0900 Subject: [PATCH 01/13] Update SECURITY.md (#19869) --- SECURITY.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9a72f3640b..d2543b18d6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,9 +10,8 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through ## Supported Versions -| Version | Supported | -| ------- | ------------------ | -| 3.5.x | Yes | -| 3.4.x | Yes | -| 3.3.x | No | -| < 3.3 | No | +| Version | Supported | +| ------- | ----------| +| 4.0.x | Yes | +| 3.5.x | Yes | +| < 3.5 | No | From edb86217c976dd930780746e512d8af80cbe32d3 Mon Sep 17 00:00:00 2001 From: rcombs Date: Sun, 6 Nov 2022 20:16:10 -0600 Subject: [PATCH 02/13] Set autocomplete attr for email field on signup page (#19833) The email address will be used as the "username" for sign-in purposes, so it's the value that should be stored in password managers. We can inform the password manager of this by setting `autocomplete="email"`. Without this hint, password managers may instead store the `username` field, which isn't valid for sign-in (this happens with iCloud Keychain in Safari, for instance). --- app/views/auth/registrations/new.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/auth/registrations/new.html.haml b/app/views/auth/registrations/new.html.haml index 5eb3f937c3..b1d52dd0c2 100644 --- a/app/views/auth/registrations/new.html.haml +++ b/app/views/auth/registrations/new.html.haml 
@@ -19,7 +19,7 @@ = f.simple_fields_for :account do |ff| = ff.input :display_name, wrapper: :with_label, label: false, required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.display_name'), :autocomplete => 'off', placeholder: t('simple_form.labels.defaults.display_name') } = ff.input :username, wrapper: :with_label, label: false, required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.username'), :autocomplete => 'off', placeholder: t('simple_form.labels.defaults.username'), pattern: '[a-zA-Z0-9_]+', maxlength: 30 }, append: "@#{site_hostname}", hint: false - = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'off' }, hint: false + = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'username' }, hint: false = f.input :password, placeholder: t('simple_form.labels.defaults.password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.password'), :autocomplete => 'new-password', :minlength => User.password_length.first, :maxlength => User.password_length.last }, hint: false = f.input :password_confirmation, placeholder: t('simple_form.labels.defaults.confirm_password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.confirm_password'), :autocomplete => 'new-password' }, hint: false = f.input :confirm_password, as: :string, placeholder: t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), :autocomplete => 'off' }, hint: false From 9cc859808e08a57f5dadb09349832775c4da18fa Mon Sep 17 00:00:00 2001 
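Review bot: The commit message says the fix is `autocomplete="email"`, but the changed line sets `:autocomplete => 'username'`; one of the two should be corrected so the intent is unambiguous. The HTML autocomplete token that password managers pair with `new-password` as the stored login identifier is `username`, so the code is likely the right side and the message the wrong one, but a HAML comment such as `-# the email address is the sign-in identifier, so it is tagged as the password manager's username` above the line would keep a later reader from "fixing" it back to `email`. The enclosing `simple_form_for` block and the surrounding fields start outside the hunk.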
From: Rob Petti Date: Sun, 6 Nov 2022 19:16:44 -0700 Subject: [PATCH 03/13] allow /api/v1/streaming to be used as per documentation (#19896) --- dist/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dist/nginx.conf b/dist/nginx.conf index 716c277dd0..5c16693d08 100644 --- a/dist/nginx.conf +++ b/dist/nginx.conf @@ -112,7 +112,7 @@ server { try_files $uri =404; } - location ^~ /api/v1/streaming/ { + location ^~ /api/v1/streaming { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 149a8246d28c92c7d3627c7737a60f56d859488a Mon Sep 17 00:00:00 2001 From: nightpool Date: Sun, 6 Nov 2022 21:31:38 -0500 Subject: [PATCH 04/13] Skip Webfinger cache during migrations as well (#19883) --- app/models/account_migration.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/account_migration.rb b/app/models/account_migration.rb index 06291c9f31..16276158d7 100644 --- a/app/models/account_migration.rb +++ b/app/models/account_migration.rb @@ -58,7 +58,7 @@ class AccountMigration < ApplicationRecord private def set_target_account - self.target_account = ResolveAccountService.new.call(acct) + self.target_account = ResolveAccountService.new.call(acct, skip_cache: true) rescue Webfinger::Error, HTTP::Error, OpenSSL::SSL::SSLError, Mastodon::Error # Validation will take care of it end From bfb8121e94f9743d051256633447d4215a131a17 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 7 Nov 2022 03:38:53 +0100 Subject: [PATCH 05/13] Fix crash in legacy filter creation controller (#19878) --- app/controllers/api/v1/filters_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/api/v1/filters_controller.rb b/app/controllers/api/v1/filters_controller.rb index 07cd141478..149139b40a 100644 --- a/app/controllers/api/v1/filters_controller.rb +++ b/app/controllers/api/v1/filters_controller.rb 
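Review bot: Dropping the trailing slash turns `location ^~ /api/v1/streaming` into a bare string prefix, so any request path that merely starts with that text (a constructed example: `/api/v1/streaming-other`) is now proxied to the streaming server instead of reaching the Rails application's own routing; nginx prefix locations do not stop at a path-segment boundary. If the goal is only to accept the bare `/api/v1/streaming` alongside `/api/v1/streaming/...`, an exact-match block `location = /api/v1/streaming { ... }` beside the original `location ^~ /api/v1/streaming/ { ... }` keeps the boundary, or a single anchored regex location `location ~ ^/api/v1/streaming(/|$) {` does the same in one block. The rest of the location block, including its proxy_pass, lies outside the hunk.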
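Review bot: The reason for `skip_cache: true` lives only in the commit subject; a one-line comment above the call, e.g. `# bypass the cached Webfinger result so a target that was just created or moved is resolved fresh`, would explain why this lookup deliberately pays a network round-trip on every validation. The rescue that follows is unchanged and still turns every listed error into a nil target_account that validation reports later, which is worth keeping in mind since a cache miss now always means a live request. How set_target_account is invoked (presumably a before_validation callback) is outside the hunk.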
@@ -52,7 +52,7 @@ class Api::V1::FiltersController < Api::BaseController end def resource_params - params.permit(:phrase, :expires_in, :irreversible, :whole_word, context: []) + params.permit(:phrase, :expires_in, :irreversible, context: []) end def filter_params From 461d06bec8852f98e702cd737399bb451099c954 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:39:48 +0100 Subject: [PATCH 06/13] Fix console log error on column settings load (#19886) --- .../features/notifications/components/column_settings.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/mastodon/features/notifications/components/column_settings.js b/app/javascript/mastodon/features/notifications/components/column_settings.js index d75fa8a02f..a38f8d3c2d 100644 --- a/app/javascript/mastodon/features/notifications/components/column_settings.js +++ b/app/javascript/mastodon/features/notifications/components/column_settings.js @@ -21,7 +21,7 @@ export default class ColumnSettings extends React.PureComponent { onRequestNotificationPermission: PropTypes.func, alertsEnabled: PropTypes.bool, browserSupport: PropTypes.bool, - browserPermission: PropTypes.bool, + browserPermission: PropTypes.string, }; onPushChange = (path, checked) => { From 99cf3cdb63da1a649751d23b6176fccbaa65c521 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:40:04 +0100 Subject: [PATCH 07/13] Fix JavaScript console error on Getting Started column (#19891) * Fix JavaScript console error on Getting Started column * Update app/javascript/mastodon/components/column_header.js Co-authored-by: Ilias Tsangaris Co-authored-by: Ilias Tsangaris --- app/javascript/mastodon/components/column_header.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/mastodon/components/column_header.js b/app/javascript/mastodon/components/column_header.js index 5b2e166276..43efa179e2 100644 --- a/app/javascript/mastodon/components/column_header.js 
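Review bot: Removing `:whole_word` from `resource_params` makes a legacy client's `whole_word` parameter silently unpermitted rather than rejected, so a client that sends `whole_word: true` could end up with a keyword that matches substrings unless another permit list picks the value up; `filter_params`, whose `def` line is the last context line of the hunk, is the likely place, and it should be confirmed that it (or the keyword attributes it builds) still carries `whole_word`. If it does not, the commit trades a crash for a quiet behaviour change that is hard to notice from the API response. Whether unpermitted keys are logged or raised depends on the app's action_on_unpermitted_parameters setting, which is not visible here, and the action that consumes `resource_params` is outside the hunk.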
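Review bot: `PropTypes.string` accepts any string; if `browserPermission` carries the value of `Notification.permission`, `browserPermission: PropTypes.oneOf(['default', 'denied', 'granted']),` would document the three values the component can actually see and keep the prop check meaningful instead of merely silencing the warning. The same one-line change applies to the glitch-soc port in patch 11 (`app/javascript/flavours/glitch/features/notifications/components/column_settings.js`). The render method that reads the prop is outside the hunk, so whether it already compares against those exact strings cannot be confirmed here.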
+++ b/app/javascript/mastodon/components/column_header.js @@ -57,7 +57,7 @@ class ColumnHeader extends React.PureComponent { } handleTitleClick = () => { - this.props.onClick(); + this.props.onClick?.(); } handleMoveLeft = () => { From 3b6c7c48780cc6d82ec7130f419e1001b2acc657 Mon Sep 17 00:00:00 2001 From: Jeremy Kescher Date: Mon, 7 Nov 2022 02:40:17 +0000 Subject: [PATCH 08/13] Add null check on application in dispute viewer (#19851) --- app/views/disputes/strikes/show.html.haml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/views/disputes/strikes/show.html.haml b/app/views/disputes/strikes/show.html.haml index 1be50331a4..4a3005f72a 100644 --- a/app/views/disputes/strikes/show.html.haml +++ b/app/views/disputes/strikes/show.html.haml @@ -59,8 +59,9 @@ = media_attachment.file_file_name .strike-card__statuses-list__item__meta %time.formatted{ datetime: status.created_at.iso8601, title: l(status.created_at) }= l(status.created_at) - · - = status.application.name + - unless status.application.nil? + · + = status.application.name - else .one-liner= t('disputes.strikes.status', id: status_id) .strike-card__statuses-list__item__meta From bfad78e194a2986915a0472e87197b37f0629a77 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:40:54 +0100 Subject: [PATCH 09/13] Fix double button to clear emoji search input (#19888) --- app/javascript/styles/mastodon/emoji_picker.scss | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/javascript/styles/mastodon/emoji_picker.scss b/app/javascript/styles/mastodon/emoji_picker.scss index e4ec96d89f..1042ddda89 100644 --- a/app/javascript/styles/mastodon/emoji_picker.scss +++ b/app/javascript/styles/mastodon/emoji_picker.scss @@ -132,6 +132,10 @@ &:active { outline: 0 !important; } + + &::-webkit-search-cancel-button { + display: none; + } } } From 42657c0728b9a42e910642e620379032f693da66 Mon Sep 17 00:00:00 2001 
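Review bot: `this.props.onClick?.()` makes the callback optional at the call site, so the `onClick` entry in the component's propTypes, which is outside the hunk, should declare it as plain `onClick: PropTypes.func,` rather than `isRequired`; otherwise the two declarations disagree about the contract and the prop warning the commit is fixing simply moves elsewhere. The same applies to the glitch-soc port in patch 12 (`app/javascript/flavours/glitch/components/column_header.js`).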
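Review bot: `- unless status.application.nil?` is the explicit nil comparison the Ruby style guide discourages; `- if status.application` reads the same in HAML and is the idiomatic form, and nothing else in the block changes. The `- else` context line that follows appears to belong to an outer `- if` whose head is outside the hunk, so the new block has to keep its current indentation to stay nested under that condition rather than being parsed as the branch the `- else` closes.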
From: Chris Rose Date: Sun, 6 Nov 2022 18:57:16 -0800 Subject: [PATCH 10/13] Tag the OTP field with autocomplete for password managers (#19946) This is modeled on #19833, and based on the attribute values documented in https://developer.apple.com/documentation/security/password_autofill/enabling_password_autofill_on_an_html_input_element?language=objc --- .../auth/sessions/two_factor/_otp_authentication_form.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml b/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml index ab2d48c0a3..82f9575275 100644 --- a/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml +++ b/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml @@ -5,7 +5,7 @@ %p.hint.authentication-hint= t('simple_form.hints.sessions.otp') .fields-group - = f.input :otp_attempt, type: :number, wrapper: :with_label, label: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt'), :autocomplete => 'off' }, autofocus: true + = f.input :otp_attempt, type: :number, wrapper: :with_label, label: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt'), :autocomplete => 'one-time-code' }, autofocus: true .actions = f.button :button, t('auth.login'), type: :submit From 5baaa9f8a68ae860c208dbab3d626538216c8d13 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:39:48 +0100 Subject: [PATCH 11/13] [Glitch] Fix console log error on column settings load Port 461d06bec8852f98e702cd737399bb451099c954 to glitch-soc Signed-off-by: Claire --- .../glitch/features/notifications/components/column_settings.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
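Review bot: `autocomplete: 'one-time-code'` is the right token, but the field stays `type: :number`, which renders a numeric spinner and in some browsers may normalize the value (for example when a code begins with zero or is pasted with a space in it); the pattern usually paired with this token is a text input with `inputmode: 'numeric'` and `pattern: '[0-9]*'`, i.e. `as: :string` and `input_html: { ..., inputmode: 'numeric', pattern: '[0-9]*', autocomplete: 'one-time-code' }`. Before changing it, check whether `type: :number` was chosen to satisfy a client-side check elsewhere, since that is not visible here. The form builder `f` is defined outside the hunk.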
diff --git a/app/javascript/flavours/glitch/features/notifications/components/column_settings.js b/app/javascript/flavours/glitch/features/notifications/components/column_settings.js index ee05c7fd6b..64fd98bd92 100644 --- a/app/javascript/flavours/glitch/features/notifications/components/column_settings.js +++ b/app/javascript/flavours/glitch/features/notifications/components/column_settings.js @@ -22,7 +22,7 @@ export default class ColumnSettings extends React.PureComponent { onRequestNotificationPermission: PropTypes.func, alertsEnabled: PropTypes.bool, browserSupport: PropTypes.bool, - browserPermission: PropTypes.bool, + browserPermission: PropTypes.string, }; onPushChange = (path, checked) => { From 906cbff923d6a503c9550c4659d8c227a7d6a437 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:40:04 +0100 Subject: [PATCH 12/13] [Glitch] Fix JavaScript console error on Getting Started column Port 99cf3cdb63da1a649751d23b6176fccbaa65c521 to glitch-soc Co-authored-by: Ilias Tsangaris Co-authored-by: Ilias Tsangaris Signed-off-by: Claire --- app/javascript/flavours/glitch/components/column_header.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/flavours/glitch/components/column_header.js b/app/javascript/flavours/glitch/components/column_header.js index 024068c584..3df3597455 100644 --- a/app/javascript/flavours/glitch/components/column_header.js +++ b/app/javascript/flavours/glitch/components/column_header.js @@ -63,7 +63,7 @@ class ColumnHeader extends React.PureComponent { } handleTitleClick = () => { - this.props.onClick(); + this.props.onClick?.(); } handleMoveLeft = () => { From 7ef1d0fa299a05647a3ec9c1e4c0d6dd7243f7a7 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:40:54 +0100 Subject: [PATCH 13/13] [Glitch] Fix double button to clear emoji search input Port bfad78e194a2986915a0472e87197b37f0629a77 to glitch-soc 
Signed-off-by: Claire --- .../flavours/glitch/styles/components/emoji_picker.scss | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/javascript/flavours/glitch/styles/components/emoji_picker.scss b/app/javascript/flavours/glitch/styles/components/emoji_picker.scss index bad6949c28..790650cfa3 100644 --- a/app/javascript/flavours/glitch/styles/components/emoji_picker.scss +++ b/app/javascript/flavours/glitch/styles/components/emoji_picker.scss @@ -132,6 +132,10 @@ &:active { outline: 0 !important; } + + &::-webkit-search-cancel-button { + display: none; + } } }