Commit graph

6943 commits

Author SHA1 Message Date
Claire c78c003272
Merge pull request from GHSA-jhrq-qvrm-qr36
* Fix insufficient Content-Type checking of fetched ActivityStreams objects

* Allow JSON-LD documents with multiple profiles
2024-02-16 11:56:12 +01:00
Claire a745854557 Fix user creation failure handling in OmniAuth paths (#29207)
Co-authored-by: Matt Jankowski <matt@jankowski.online>
2024-02-14 23:21:52 +01:00
Claire 1f0e040cb8
Merge pull request from GHSA-vm39-j3vx-pch3
* Prevent different identities from a same SSO provider from accessing a same account

* Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`

* Rename methods to avoid confusion between OAuth and OmniAuth
2024-02-14 15:16:07 +01:00
Claire c107375035
Merge pull request from GHSA-7w3c-p9j8-mq3x
* Ensure destruction of OAuth Applications notifies streaming

Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens.

* Ensure password resets revoke access to Streaming API

* Improve performance of deleting OAuth tokens

---------

Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
2024-02-14 15:15:34 +01:00
Claire befd534eb8
Merge pull request from GHSA-3fjr-858r-92rw
* Fix insufficient origin validation

* Bump version to v4.0.13
2024-02-01 15:56:46 +01:00
Matt Jankowski 905baaaff2 Dont match mention in url query string (#25656)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-10-10 13:51:14 +02:00
Claire 26f24f4de0 Add a short-lived lock to trend refresh scheduler (#27253) 2023-10-10 13:51:14 +02:00
David Aaron 0b10485a87 Change min age of backup policy from 1 week to 6 days (#27200) 2023-10-10 13:51:14 +02:00
Jakob Gillich 93bb9ae676 Fix importer returning negative row estimates (#27258) 2023-10-10 13:51:14 +02:00
Claire d25cbac8a2 Change some worker lock TTLs (#27246) 2023-10-10 13:51:14 +02:00
Claire f95015827d Fix filtering audit log for entries about disabling 2FA (#27186) 2023-10-10 13:51:14 +02:00
Essem 44d12a8580 Properly remove tIME chunk from PNG uploads (#27111) 2023-10-10 13:51:14 +02:00
Claire 19af772dbd Fix crash when filtering for “dormant” relationships (#27306) 2023-10-10 13:51:14 +02:00
Claire e5772c9e55 Fix inefficient queries in “Follows and followers” as well as several admin pages (#27116) 2023-10-10 13:51:14 +02:00
Claire 481e1d4e0e
Fix post translation erroring out (v4.0.x) (#26991) 2023-09-20 15:59:53 +02:00
Claire 5c64f01b19 Fix moderator rights inconsistencies (#26729) 2023-09-19 17:01:32 +02:00
Claire 57acad0e9f Fix crash when encountering invalid URL (#26814) 2023-09-19 17:01:32 +02:00
Claire 3ab722a79c Fix cached posts including stale stats (#26409) 2023-09-19 17:01:32 +02:00
Nicolai Søborg 871e63edff Fix frame_rate for videos where ffprobe reports 0/0 (#26500) 2023-09-19 17:01:32 +02:00
Claire 9ae857c035
Merge pull request from GHSA-v3xf-c9qf-j667 2023-09-19 16:53:58 +02:00
Claire 9fa89dbdcb
Merge pull request from GHSA-2693-xr3m-jhqr 2023-09-19 16:53:21 +02:00
Emelia Smith d3e97e8c23 Allow reports with long comments from remote instances, but truncate (#25028) 2023-09-05 18:51:01 +02:00
Daniel M Brasil db8db60244 Fix /api/v1/timelines/tag/:hashtag allowing for unauthenticated access when public preview is disabled (#26237) 2023-09-05 18:51:01 +02:00
Claire d30fbc0900 Fix blocking subdomains of an already-blocked domain (#26392) 2023-09-05 18:51:01 +02:00
Claire a62d9a9a78 Change text extraction in PlainTextFormatter to be faster (#26727) 2023-09-05 18:51:01 +02:00
Claire fea5640374 Fix incorrect connect timeout in outgoing requests (#26116) 2023-07-31 14:33:14 +02:00
Claire aca0db4bd6 Change request timeout handling to use a longer deadline (#26055) 2023-07-21 16:07:35 +02:00
Claire bd2429b716 Fix remote accounts being possibly persisted to database with incomplete protocol values (#25886) 2023-07-21 16:07:35 +02:00
Michael Stanclift 8695409035 Fix trending publishers table not rendering correctly on narrow screens (#25945) 2023-07-21 16:07:35 +02:00
Claire 93a87b96c7 Fix processing of media files with unusual names (#25788) 2023-07-07 19:36:12 +02:00
Claire 614aaeff41 Fix crash in admin interface when viewing a remote user with verified links (#25796) 2023-07-07 19:36:12 +02:00
Claire 2d42175ef0
Merge pull request from GHSA-55j9-c3mp-6fcq 2023-07-06 15:06:50 +02:00
Claire 3af396e561
Merge pull request from GHSA-9pxv-6qvf-pjwc
* Fix timeout handling of outbound HTTP requests

* Use CLOCK_MONOTONIC instead of Time.now
2023-07-06 15:06:24 +02:00
Claire 2119aadf0a
Merge pull request from GHSA-9928-3cp5-93fm
* Fix attachments getting processed despite failing content-type validation

* Add a restrictive ImageMagick security policy tailored for Mastodon

* Fix misdetection of MP3 files with large cover art

* Reject unprocessable audio/video files instead of keeping them unchanged
2023-07-06 15:05:05 +02:00
Claire 102ed6e8ca
Merge pull request from GHSA-ccm4-vgcc-73hp
* Tighten allowed HTML in oEmbed-based preview cards

* Sanitize preview cards at render time

* Add `sandbox` attribute to preview card iframes
2023-07-06 15:03:33 +02:00
Vyr Cossont 798d26dd04 Fix Redis client and type errors introduced in #24285 (#24342) 2023-07-06 13:45:58 +02:00
Vyr Cossont 9ad33eb160 IndexingScheduler: fetch and import in batches (#24285)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-07-06 13:45:58 +02:00
Claire 5e55ca25d6 Fix ResolveURLService not resolving local URLs for remote content (#25637) 2023-07-06 13:45:58 +02:00
Claire 0bcb4f73f1 Change /api/v1/statuses/:id/history to always return at least one item (#25510) 2023-07-06 13:45:58 +02:00
Claire 04f76675d1 Add finer permission requirements for managing webhooks (#25463) 2023-07-06 13:45:58 +02:00
Claire 53acab6d2b Fix wrong view being displayed when a webhook fails validation (#25464) 2023-07-06 13:45:58 +02:00
Emelia Smith 78358b84b9 Prevent UserCleanupScheduler from overwhelming streaming (#25519) 2023-07-06 13:45:58 +02:00
Daniel M Brasil c285f9d1a1 Fix incorrect pagination headers in /api/v2/admin/accounts (#25477) 2023-07-06 13:45:58 +02:00
Claire 660845f781 Change profile updates to be sent to recently-mentioned servers (#24852) 2023-07-06 13:45:58 +02:00
Claire 0b627dcf9e Fix being able to vote on your own polls (#25015) 2023-07-06 13:45:58 +02:00
Claire a3f58ceea4 Fix race condition when reblogging a status (#25016) 2023-07-06 13:45:58 +02:00
Claire bb87736bf0 Change OpenGraph-based embeds to allow fullscreen (#25058) 2023-07-06 13:45:58 +02:00
Claire 37972fe3c7 Fix “Authorized applications” inefficiently and incorrectly getting last use date (#25060) 2023-07-06 13:45:58 +02:00
Claire 64416e4000 Remove invalid X-Frame-Options: ALLOWALL (#25070) 2023-07-06 13:45:58 +02:00
Claire eceb960744 Change Identity to not destroy associated User on destroy (#25098) 2023-07-06 13:45:58 +02:00