From 4d5a219013eaed40d2372e9b4122086a0120a07d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" Date: Tue, 30 Oct 2018 22:59:11 +0900 Subject: [PATCH 01/10] [Security] Bump loofah from 2.2.2 to 2.2.3 (#9160) Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.2 to 2.2.3. **This update includes security fixes.** - [Release notes](https://github.com/flavorjones/loofah/releases) - [Changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md) - [Commits](https://github.com/flavorjones/loofah/compare/v2.2.2...v2.2.3) Signed-off-by: dependabot[bot] --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 82b5f92248..91a2e82811 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -319,7 +319,7 @@ GEM activesupport (>= 4) railties (>= 4) request_store (~> 1.0) - loofah (2.2.2) + loofah (2.2.3) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.0) From cfe92b50bb14e5b2842d3bff8c4f536a6398fb59 Mon Sep 17 00:00:00 2001 From: ThibG Date: Tue, 30 Oct 2018 15:02:24 +0100 Subject: [PATCH 02/10] Fix Pleroma mentions being fetched as preview cards (#9158) --- app/services/fetch_link_card_service.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/app/services/fetch_link_card_service.rb b/app/services/fetch_link_card_service.rb index 462e5ee131..3e77579bba 100644 --- a/app/services/fetch_link_card_service.rb +++ b/app/services/fetch_link_card_service.rb @@ -17,8 +17,7 @@ class FetchLinkCardService < BaseService return if @url.nil? || @status.preview_cards.any? - @mentions = status.mentions - @url = @url.to_s + @url = @url.to_s RedisLock.acquire(lock_options) do |lock| if lock.acquired? 
@@ -84,9 +83,8 @@ class FetchLinkCardService < BaseService end def mention_link?(a) - return false if @mentions.nil? - @mentions.any? do |mention| - a['href'] == TagManager.instance.url_for(mention.target) + @status.mentions.any? do |mention| + a['href'] == TagManager.instance.url_for(mention.account) end end From c15b8ee75b3dcbb9c7e2dae7c60fd1694fb2857f Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 30 Oct 2018 15:02:55 +0100 Subject: [PATCH 03/10] Always let through notifications from staff (#9152) * Always let through notifications from staff Follow-up to #8993 * Let messages from staff through, but no other notifications --- app/services/notify_service.rb | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/app/services/notify_service.rb b/app/services/notify_service.rb index a8b7bb30ba..b80ceef03c 100644 --- a/app/services/notify_service.rb +++ b/app/services/notify_service.rb @@ -51,8 +51,12 @@ class NotifyService < BaseService @recipient.user.settings.interactions['must_be_following'] && !following_sender? end + def message? + @notification.type == :mention + end + def direct_message? - @notification.type == :mention && @notification.target_status.direct_visibility? + message? && @notification.target_status.direct_visibility? end def response_to_recipient? @@ -66,7 +70,6 @@ class NotifyService < BaseService def optional_non_following_and_direct? direct_message? && @recipient.user.settings.interactions['must_be_following_dm'] && - !from_staff? && !following_sender? && !response_to_recipient? end 
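Review bot: `mention_link?` now runs `@status.mentions.any? do |mention| ... end` for every anchor it is asked about, and with a block `any?` loads the association and computes `TagManager.instance.url_for(mention.account)` for each mention on each call, so a body with many links does repeated work and, unless the association is already loaded, repeated queries. Precomputing the set once avoids that: `@mention_urls ||= @status.mentions.map { |mention| TagManager.instance.url_for(mention.account) }` followed by `@mention_urls.include?(a['href'])`. The removed `@mentions.nil?` guard has no replacement, which is only fine because `@status` is assigned before this method is reached — the caller is outside the hunk. A one-line comment above the method, `# Links that merely point at a mentioned account's profile are not turned into preview cards`, would make the purpose obvious from the body alone.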
@@ -86,6 +89,9 @@ class NotifyService < BaseService def blocked? blocked = @recipient.suspended? # Skip if the recipient account is suspended anyway blocked ||= from_self? # Skip for interactions with self + + return blocked if message? && from_staff? + blocked ||= domain_blocking? # Skip for domain blocked accounts blocked ||= @recipient.blocking?(@notification.from_account) # Skip for blocked accounts blocked ||= @recipient.muting_notifications?(@notification.from_account) From d84886f35edaa353eb9fc9562acbf867a65f70eb Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 30 Oct 2018 15:03:55 +0100 Subject: [PATCH 04/10] Accept the same payload in multiple inboxes and deliver (#9150) --- app/lib/activitypub/activity/create.rb | 20 +++++++++++++++++++- app/services/fan_out_on_write_service.rb | 6 ++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/app/lib/activitypub/activity/create.rb b/app/lib/activitypub/activity/create.rb index baa05e14c2..45079e2b3c 100644 --- a/app/lib/activitypub/activity/create.rb +++ b/app/lib/activitypub/activity/create.rb @@ -10,7 +10,12 @@ class ActivityPub::Activity::Create < ActivityPub::Activity RedisLock.acquire(lock_options) do |lock| if lock.acquired? @status = find_existing_status - process_status if @status.nil? + + if @status.nil? + process_status + elsif @options[:delivered_to_account_id].present? + postprocess_audience_and_deliver + end else raise Mastodon::RaceConditionError end 
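Review bot: The early `return blocked if message? && from_staff?` skips every filter below it — domain blocks, the recipient's explicit block of the sender, and notification mutes — so a mention from a staff account now reaches a recipient who has blocked that very account; that is the commit's intent, but it deserves a comment on the line and a confirmation that `from_staff?` (defined outside the hunk) can only be satisfied by a local user's role, never by attributes a remote actor asserts about itself, since otherwise this line becomes a bypass of the recipient's blocks. Suggest `# Mentions from staff bypass block/mute/domain-block filtering so moderation notices always reach the user; from_staff? must only trust local roles`. Dropping `!from_staff?` from `optional_non_following_and_direct?` in the earlier hunk (`@@ -66,7 +70,6 @@`) only keeps staff DMs flowing if that predicate is evaluated after this early return inside `blocked?` — the rest of `blocked?` is outside the hunk, so that order is worth checking. A spec for a staff mention sent to a recipient who blocks the sender would pin the behaviour.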
@@ -99,6 +104,19 @@ class ActivityPub::Activity::Create < ActivityPub::Activity @params[:visibility] = :limited end + def postprocess_audience_and_deliver + return if @status.mentions.find_by(account_id: @options[:delivered_to_account_id]) + + delivered_to_account = Account.find(@options[:delivered_to_account_id]) + + @status.mentions.create(account: delivered_to_account, silent: true) + @status.update(visibility: :limited) if @status.direct_visibility? + + return unless delivered_to_account.following?(@account) + + FeedInsertWorker.perform_async(@status.id, delivered_to_account.id, :home) + end + def attach_tags(status) @tags.each do |tag| status.tags << tag diff --git a/app/services/fan_out_on_write_service.rb b/app/services/fan_out_on_write_service.rb index 7f2a917754..f3e9c855dc 100644 --- a/app/services/fan_out_on_write_service.rb +++ b/app/services/fan_out_on_write_service.rb @@ -58,10 +58,8 @@ class FanOutOnWriteService < BaseService def deliver_to_mentioned_followers(status) Rails.logger.debug "Delivering status #{status.id} to limited followers" - status.mentions.includes(:account).each do |mention| - mentioned_account = mention.account - next if !mentioned_account.local? || !mentioned_account.following?(status.account) || FeedManager.instance.filter?(:home, status, mention.account_id) - FeedManager.instance.push_to_home(mentioned_account, status) + FeedInsertWorker.push_bulk(status.mentions.includes(:account).map(&:account).select { |mentioned_account| mentioned_account.local? && mentioned_account.following?(status.account) }) do |follower| + [status.id, follower.id, :home] end end From a43fdd72ba9f73773504aa6c059b90ee71a517a1 Mon Sep 17 00:00:00 2001 
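Review bot: `postprocess_audience_and_deliver` mutates a status that already exists — it adds a mention for `@options[:delivered_to_account_id]`, changes a direct status to `:limited`, and pushes it into that account's home feed — solely because the same payload arrived at another inbox, so its safety rests on `find_existing_status` (outside the hunk) only ever returning a status authored by `@account`, the signed actor; if it matches on object URI alone, a third server could re-address someone else's status by replaying its Create to arbitrary inboxes, so that ownership check should be confirmed and stated in a comment here. `Account.find` raises `ActiveRecord::RecordNotFound` if the inbox owner no longer exists by the time this runs; `Account.find_by(id: @options[:delivered_to_account_id])` with an early `return if delivered_to_account.nil?` would avoid failing the whole activity. The `FeedInsertWorker.perform_async(...)` call does not apply the `FeedManager.instance.filter?` check that `deliver_to_mentioned_followers` in the same commit used to apply before pushing; that is only equivalent if the worker filters itself, which is not visible from here. A header comment such as `# The same Create reached a second inbox: record its owner as a silent mention and deliver to their home feed if they follow the author` would make the intent clear.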
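Review bot: The rewritten `deliver_to_mentioned_followers` drops the `FeedManager.instance.filter?(:home, status, mention.account_id)` check that the removed lines applied before pushing; unless `FeedInsertWorker` performs the same filtering (not visible here), mentioned followers who have muted or otherwise filtered the author would now get the status in their home feed. Style-wise, the single-line `select { |mentioned_account| ... }` nested inside the `push_bulk` argument is hard to read, and the block parameter `follower` is really a mentioned account that happens to follow the author, so naming the recipient list first and using one name throughout reads better. `following?` is evaluated per mentioned account, one query each — acceptable for the handful of mentions a status carries, but worth a comment if that is the accepted cost.
```ruby
  def deliver_to_mentioned_followers(status)
    # … unchanged: debug log line …

    recipients = status.mentions.includes(:account).map(&:account).select do |mentioned_account|
      mentioned_account.local? && mentioned_account.following?(status.account)
    end

    FeedInsertWorker.push_bulk(recipients) do |mentioned_account|
      [status.id, mentioned_account.id, :home]
    end
  end
```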
From: =?UTF-8?q?Quent=C3=AD?= <33203663+Quenty31@users.noreply.github.com> Date: Tue, 30 Oct 2018 15:05:01 +0100 Subject: [PATCH 05/10] [i18n] Update for Occitan (#9157) * Update oc.json * Update devise.oc.yml * Update oc.yml * Update oc.json --- app/javascript/mastodon/locales/oc.json | 6 +++--- config/locales/devise.oc.yml | 4 ++-- config/locales/oc.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/javascript/mastodon/locales/oc.json b/app/javascript/mastodon/locales/oc.json index 64ada60da4..93ab4be7de 100644 --- a/app/javascript/mastodon/locales/oc.json +++ b/app/javascript/mastodon/locales/oc.json @@ -157,7 +157,7 @@ "keyboard_shortcuts.legend": "mostrar aquesta legenda", "keyboard_shortcuts.local": "per dobrir lo flux public local", "keyboard_shortcuts.mention": "mencionar l’autor", - "keyboard_shortcuts.muted": "per dorbir la lista dels utilizaires silenciats", + "keyboard_shortcuts.muted": "per dobrir la lista dels utilizaires silenciats", "keyboard_shortcuts.my_profile": "per dobrir vòstre perfil", "keyboard_shortcuts.notifications": "per dobrir la columna de notificacions", "keyboard_shortcuts.pinned": "per dobrir la lista dels tuts penjats", @@ -314,8 +314,8 @@ "status.show_more_all": "Los desplegar totes", "status.unmute_conversation": "Tornar mostrar la conversacion", "status.unpin": "Tirar del perfil", - "suggestions.dismiss": "Dismiss suggestion", - "suggestions.header": "You might be interested in…", + "suggestions.dismiss": "Regetar la suggestion", + "suggestions.header": "Aquò vos poiriá interessar…", "tabs_bar.federated_timeline": "Flux public global", "tabs_bar.home": "Acuèlh", "tabs_bar.local_timeline": "Flux public local", diff --git a/config/locales/devise.oc.yml b/config/locales/devise.oc.yml index beecbb426c..16633e2333 100644 --- a/config/locales/devise.oc.yml +++ b/config/locales/devise.oc.yml 
@@ -8,10 +8,10 @@ oc: failure: already_authenticated: Sètz ja connectat. inactive: Vòstre compte es pas encara activat. - invalid: "%{authentication_keys} invalid." + invalid: "%{authentication_keys} invalida." last_attempt: Vos demòra un ensag abans que vòstre compte siasque blocat. locked: Vòstre compte es blocat. - not_found_in_database: "%{authentication_keys} invalid." + not_found_in_database: "%{authentication_keys} invalida." timeout: Vòstra session a expirat. Mercés de vos tornar connectar per contunhar. unauthenticated: Vos cal vos connectar o marcar abans de contunhar. unconfirmed: Vos cal confirmar vòstra adreça de corrièl abans de contunhar. diff --git a/config/locales/oc.yml b/config/locales/oc.yml index 0fb4684b11..820f094ffa 100644 --- a/config/locales/oc.yml +++ b/config/locales/oc.yml @@ -311,7 +311,7 @@ oc: description_html: Un relai de federacion es un servidor intermediari qu’escàmbia de bèls volumes de tuts publics entre servidors que son abonats e i publican.Pòt ajudar de pichons e mejans servidors a trobar de contenguts del fediverse estant, qu’autrament demandariá als utilizaires locals de s’abonar manualament a d’autres monde marcats sus de servidors alonhats. disable: Desactivar disabled: Desactivat - enable: Activat + enable: Activar enable_hint: Un còp activat, vòstre servidor s’abonarà a totes los tuts publics del relai estant, e començarà de mandar sos tuts publics a aqueste d’enlà. enabled: Activat inbox_url: URL del relai @@ -533,7 +533,7 @@ oc: formats: default: "%e/%m/%Y" long: Lo %e %B de %Y - short: "%e %b. de %Y" + short: "%e %B de %Y" month_names: - None - de genièr @@ -557,7 +557,7 @@ oc: about_x_hours: "%{count} h" about_x_months: "%{count} meses" about_x_years: "%{count} ans" - almost_x_years: "%{count}ans" + almost_x_years: "%{count} ans" half_a_minute: Ara less_than_x_minutes: "%{count} min" less_than_x_seconds: Ara meteis From c20d55f7ddb152d73a7592c0f0fafeb3c3ba35c7 Mon Sep 17 00:00:00 2001 
From: valerauko Date: Tue, 30 Oct 2018 23:07:57 +0900 Subject: [PATCH 06/10] Fix FetchAtomService content type handling (#9132) * Add profile to json+ld in Accept It's required by the ActivityPub spec * Use headers['Content-type'] instead of mime_type mime_type strips the profile from the content type, but it's still available raw in the headers hash * Add test for ld+json with profile --- app/services/fetch_atom_service.rb | 10 ++++++---- spec/services/fetch_atom_service_spec.rb | 9 ++++++++- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/app/services/fetch_atom_service.rb b/app/services/fetch_atom_service.rb index 550e75f334..b6c6cdd1c5 100644 --- a/app/services/fetch_atom_service.rb +++ b/app/services/fetch_atom_service.rb @@ -29,7 +29,7 @@ class FetchAtomService < BaseService def perform_request(&block) accept = 'text/html' - accept = 'application/activity+json, application/ld+json, application/atom+xml, ' + accept unless @unsupported_activity + accept = 'application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams", application/atom+xml, ' + accept unless @unsupported_activity Request.new(:get, @url).add_headers('Accept' => accept).perform(&block) end 
@@ -37,9 +37,11 @@ class FetchAtomService < BaseService def process_response(response, terminal = false) return nil if response.code != 200 - if response.mime_type == 'application/atom+xml' + response_type = response.headers['Content-type'] + + if response_type == 'application/atom+xml' [@url, { prefetched_body: response.body_with_limit }, :ostatus] - elsif ['application/activity+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'].include?(response.mime_type) + elsif ['application/activity+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'].include?(response_type) body = response.body_with_limit json = body_to_json(body) if supported_context?(json) && equals_or_includes_any?(json['type'], ActivityPub::FetchRemoteAccountService::SUPPORTED_TYPES) && json['inbox'].present? @@ -55,7 +57,7 @@ class FetchAtomService < BaseService if link_header&.find_link(%w(rel alternate)) process_link_headers(link_header) - elsif response.mime_type == 'text/html' + elsif response_type == 'text/html' process_html(response) end end diff --git a/spec/services/fetch_atom_service_spec.rb b/spec/services/fetch_atom_service_spec.rb index 30e5b0935a..0cdcda892e 100644 --- a/spec/services/fetch_atom_service_spec.rb +++ b/spec/services/fetch_atom_service_spec.rb 
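Review bot: Comparing the raw `response.headers['Content-type']` string for equality regresses every server that adds a parameter the old `mime_type` call stripped — `application/activity+json; charset=utf-8`, or the ld+json profile with different spacing or parameter order — which now falls through to the `text/html` comparison (same pattern in `@@ -55,7 +57,7 @@`) and, for Atom, is not recognised at all. The Content-Type is chosen by the remote server, so the match should be tolerant of parameters rather than byte-exact: split the media type from its parameters and test the profile as a parameter, keeping `response_type` as the bare type for the later `text/html` branch. The spec added in the next hunk only covers the exact profile string; a case with `; charset=utf-8` appended would catch this. Whether `headers['Content-type']` lookup is case-insensitive depends on the HTTP client's header object — the spec stubbing the key as `Content-Type` suggests it is, but worth confirming.
```ruby
    response_type, *type_params = response.headers['Content-type'].to_s.split(';').map(&:strip)
    activitystreams_profile = type_params.include?('profile="https://www.w3.org/ns/activitystreams"')

    if response_type == 'application/atom+xml'
      [@url, { prefetched_body: response.body_with_limit }, :ostatus]
    elsif response_type == 'application/activity+json' || (response_type == 'application/ld+json' && activitystreams_profile)
      # … unchanged: body parsing and ActivityPub type checks …
```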
@@ -60,13 +60,20 @@ RSpec.describe FetchAtomService, type: :service do it { is_expected.to eq [url, { :prefetched_body => "" }, :ostatus] } end - context 'content_type is json' do + context 'content_type is activity+json' do let(:content_type) { 'application/activity+json' } let(:body) { json } it { is_expected.to eq [1, { prefetched_body: body, id: true }, :activitypub] } end + context 'content_type is ld+json with profile' do + let(:content_type) { 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' } + let(:body) { json } + + it { is_expected.to eq [1, { prefetched_body: body, id: true }, :activitypub] } + end + before do WebMock.stub_request(:get, url).to_return(status: 200, body: body, headers: headers) WebMock.stub_request(:get, 'http://example.com/foo').to_return(status: 200, body: json, headers: { 'Content-Type' => 'application/activity+json' }) From ca87d98d166e8d6f53eb96e1fc23a6504ff281f2 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 30 Oct 2018 16:25:54 +0100 Subject: [PATCH 07/10] Revert "feat(auth/session_controller): Send Clear-Site-Data when logging out (8627)" (#9161) This reverts commit 0c756cfd54ce43c7b41fb16b1789bb351fb5a063. --- app/controllers/auth/sessions_controller.rb | 9 --------- 1 file changed, 9 deletions(-) diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb index 901e82331a..fb8615c313 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/auth/sessions_controller.rb @@ -10,7 +10,6 @@ class Auth::SessionsController < Devise::SessionsController prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create] before_action :set_instance_presenter, only: [:new] before_action :set_body_classes - after_action :clear_site_data, only: [:destroy] def new Devise.omniauth_configs.each do |provider, config| 
@@ -125,14 +124,6 @@ class Auth::SessionsController < Devise::SessionsController paths end - def clear_site_data - return if continue_after? - - # Should be '"*"' but that doesn't work in Chrome (neither does '"executionContexts"') - # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data - response.headers['Clear-Site-Data'] = '"cache", "cookies", "storage"' - end - def continue_after? truthy_param?(:continue) end From e242688a74d76c52d244cd180fd5d2a438619cc0 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 30 Oct 2018 17:00:34 +0100 Subject: [PATCH 08/10] Fix td instead of th in sessions table header (#9162) Fix #9130 --- app/views/auth/registrations/_sessions.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/auth/registrations/_sessions.html.haml b/app/views/auth/registrations/_sessions.html.haml index 8586c05495..d7d96a1bb3 100644 --- a/app/views/auth/registrations/_sessions.html.haml +++ b/app/views/auth/registrations/_sessions.html.haml @@ -8,7 +8,7 @@ %th= t 'sessions.browser' %th= t 'sessions.ip' %th= t 'sessions.activity' - %td + %th %tbody - @sessions.each do |session| %tr From 4084814d8a65d8d1807444a7933a031e786b4c72 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 30 Oct 2018 17:06:12 +0100 Subject: [PATCH 09/10] Fix empty display name precedence over username in web UI (#9163) Fix #9131 --- app/javascript/mastodon/actions/importer/normalizer.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/mastodon/actions/importer/normalizer.js b/app/javascript/mastodon/actions/importer/normalizer.js index a2af3222e7..34a4150fac 100644 --- a/app/javascript/mastodon/actions/importer/normalizer.js +++ b/app/javascript/mastodon/actions/importer/normalizer.js 
@@ -14,7 +14,7 @@ export function normalizeAccount(account) { account = { ...account }; const emojiMap = makeEmojiMap(account); - const displayName = account.display_name.length === 0 ? account.username : account.display_name; + const displayName = account.display_name.trim().length === 0 ? account.username : account.display_name; account.display_name_html = emojify(escapeTextContentForBrowser(displayName), emojiMap); account.note_emojified = emojify(account.note, emojiMap); From 4c8ac98fa02fab8ed3d350457cdbab288b401ea2 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 30 Oct 2018 17:37:49 +0100 Subject: [PATCH 10/10] Bump version to 2.6.0rc4 (#9164) * Bump version to 2.6.0rc4 * Update CHANGELOG.md --- CHANGELOG.md | 13 +++++++++---- lib/mastodon/version.rb | 2 +- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5443a3586..3c6847e0b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ All notable changes to this project will be documented in this file. - Add conversations API (#8832) - Add limit for the number of people that can be followed from one account (#8807) - Add admin setting to customize mascot (#8766) -- Add support for more granular ActivityPub audiences from other software, i.e. circles (#8950, #9093) +- Add support for more granular ActivityPub audiences from other software, i.e. circles (#8950, #9093, #9150) - Add option to block all reports from a domain (#8830) - Add user preference to always expand toots marked with content warnings (#8762) - Add user preference to always hide all media (#8569) 
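Review bot: `account.display_name.trim()` still throws if `display_name` is ever absent from the payload, exactly as the old `.length` did, so this is not a regression, but since the line's whole purpose is tolerating a degenerate display name it is the natural place to tolerate a missing one too: `const displayName = (account.display_name || '').trim().length === 0 ? account.username : account.display_name;`. Whether the API can omit the field is not visible from this hunk; if it cannot, the current line is fine as is.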
@@ -30,7 +30,6 @@ All notable changes to this project will be documented in this file. - Add PostgreSQL disk space growth tracking in PGHero (#8906) - Add button for disabling local account to report quick actions bar (#9024) - Add Czech language (#8594) -- Add `Clear-Site-Data` header when logging out (#8627) - Add `same-site` (`lax`) attribute to cookies (#8626) - Add support for styled scrollbars in Firefox Nightly (#8653) - Add highlight to the active tab in web UI profiles (#8673) @@ -64,6 +63,9 @@ All notable changes to this project will be documented in this file. - Change recommended Ruby version to 2.5.3 (#9003) - Change docker-compose default to persist volumes in current directory (#9055) - Change character counters on edit profile page to input length limit (#9100) +- Change notification filtering to always let through messages from staff (#9152) +- Change "hide boosts from user" function also hiding notifications about boosts (#9147) +- Change CSS `detailed-status__wrapper` class actually wrap the detailed status (#8547) ### Deprecated 
@@ -89,18 +91,21 @@ All notable changes to this project will be documented in this file. - Fix some dark emojis not having a white outline (#8597) - Fix media description not being displayed in various media modals (#8678) - Fix generated URLs of desktop notifications missing base URL (#8758) -- Fix RTL styles (#8764, #8767, #8823, #8897, #9005, #9007, #9018, #9021) +- Fix RTL styles (#8764, #8767, #8823, #8897, #9005, #9007, #9018, #9021, #9145, #9146) - Fix crash in streaming API when tag param missing (#8955) - Fix hotkeys not working when no element is focused (#8998) - Fix some hotkeys not working on detailed status view (#9006) - Fix og:url on status pages (#9047) - Fix upload option buttons only being visible on hover (#9074) - Fix tootctl not returning exit code 1 on wrong arguments (#9094) -- Fix preview cards for appearing for profiles mentioned in toot (#6934) +- Fix preview cards for appearing for profiles mentioned in toot (#6934, #9158) - Fix local accounts sometimes being duplicated as faux-remote (#9109) - Fix emoji search when the shortcode has multiple separators (#9124) - Fix dropdowns sometimes being partially obscured by other elements (#9126) - Fix cache not updating when reply/boost/favourite counters or media sensitivity update (#9119) +- Fix empty display name precedence over username in web UI (#9163) +- Fix td instead of th in sessions table header (#9162) +- Fix handling of content types with profile (#9132) ## [2.5.2] - 2018-10-12 ### Security diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 757d327bdb..e4c5b9cbd4 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -21,7 +21,7 @@ module Mastodon end def flags - 'rc3' + 'rc4' end def to_a