about summary refs log tree commit diff
AgeCommit message (Collapse)Author
2018-10-12Bump version to 2.5.2 (#8960)Eugen Rochko
2018-10-12Improve signature verification safeguards (#8959)Eugen Rochko
* Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues
2018-10-11Set Content-Security-Policy rules through RoR's config (#8957)ThibG
* Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
2018-10-11Bump doorkeeper from 5.0.0 to 5.0.1 (#8954)dependabot[bot]
Bumps [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases) - [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/master/NEWS.md) - [Commits](https://github.com/doorkeeper-gem/doorkeeper/compare/v5.0.0...v5.0.1) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-11Add check for missing tag param in streaming API (#8955)Eugen Rochko
* Add check for missing tag param in streaming API Fixes error: ``` TypeError: Cannot read property 'toLowerCase' of undefined at app.get (.../streaming/index.js:493:50) ``` * Fix code style issues
2018-10-11Bump version to 2.5.1 (#8953)Eugen Rochko
2018-10-11Fix typo in ActivityPub Create handler (#8952)Eugen Rochko
Regression from #8951
2018-10-11Do not push DMs into the home feed (#8940)Eugen Rochko
* Do not push DMs into the home feed * Show DMs column after sending a DM, if DMs column is not already shown
2018-10-11Move network calls out of transaction in ActivityPub handler (#8951)Eugen Rochko
Mention and emoji code may perform network calls, but does not need to do that inside the database transaction. This may improve availability of database connections when using pgBouncer in transaction mode.
2018-10-10Bump better_errors from 2.4.0 to 2.5.0 (#8946)dependabot[bot]
Bumps [better_errors](https://github.com/BetterErrors/better_errors) from 2.4.0 to 2.5.0. - [Release notes](https://github.com/BetterErrors/better_errors/releases) - [Changelog](https://github.com/BetterErrors/better_errors/blob/master/CHANGELOG.md) - [Commits](https://github.com/BetterErrors/better_errors/compare/v2.4.0...v2.5.0) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-10Bump bullet from 5.7.5 to 5.7.6 (#8947)dependabot[bot]
Bumps [bullet](https://github.com/flyerhzm/bullet) from 5.7.5 to 5.7.6. - [Release notes](https://github.com/flyerhzm/bullet/releases) - [Changelog](https://github.com/flyerhzm/bullet/blob/master/CHANGELOG.md) - [Commits](https://github.com/flyerhzm/bullet/compare/5.7.5...5.7.6) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-10Bump scss_lint from 0.57.0 to 0.57.1 (#8948)dependabot[bot]
Bumps [scss_lint](https://github.com/brigade/scss-lint) from 0.57.0 to 0.57.1. - [Release notes](https://github.com/brigade/scss-lint/releases) - [Changelog](https://github.com/brigade/scss-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/brigade/scss-lint/compare/v0.57.0...v0.57.1) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-10Add description meta tag additionally to og:description (#8941)Eugen Rochko
Fix #8685
2018-10-10Add dns-prefetch if using different host for assets or uploads (#8942)Eugen Rochko
2018-10-09Bump capistrano-rails from 1.3.1 to 1.4.0 (#8936)dependabot[bot]
Bumps [capistrano-rails](https://github.com/capistrano/rails) from 1.3.1 to 1.4.0. - [Release notes](https://github.com/capistrano/rails/releases) - [Changelog](https://github.com/capistrano/rails/blob/master/CHANGELOG.md) - [Commits](https://github.com/capistrano/rails/compare/v1.3.1...v1.4.0) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-09Bump dotenv-rails from 2.2.2 to 2.5.0 (#8934)dependabot[bot]
Bumps [dotenv-rails](https://github.com/bkeepers/dotenv) from 2.2.2 to 2.5.0. - [Release notes](https://github.com/bkeepers/dotenv/releases) - [Changelog](https://github.com/bkeepers/dotenv/blob/master/Changelog.md) - [Commits](https://github.com/bkeepers/dotenv/compare/v2.2.2...v2.5.0) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-09Fix that the copy button of verify link did not work. (#8938)mayaeh
2018-10-09Track historical space stats in PgHero to determine PostgreSQL growth (#8906)Eugen Rochko
2018-10-09Bump faker from 1.8.7 to 1.9.1 (#8935)dependabot[bot]
Bumps [faker](https://github.com/stympy/faker) from 1.8.7 to 1.9.1. - [Release notes](https://github.com/stympy/faker/releases) - [Changelog](https://github.com/stympy/faker/blob/master/CHANGELOG.md) - [Commits](https://github.com/stympy/faker/compare/v1.8.7...v1.9.1) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-09Bump memory_profiler from 0.9.11 to 0.9.12 (#8937)dependabot[bot]
Bumps [memory_profiler](https://github.com/SamSaffron/memory_profiler) from 0.9.11 to 0.9.12. - [Release notes](https://github.com/SamSaffron/memory_profiler/releases) - [Changelog](https://github.com/SamSaffron/memory_profiler/blob/master/CHANGELOG.md) - [Commits](https://github.com/SamSaffron/memory_profiler/compare/v0.9.11...v0.9.12) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-09add ffmpeg initializer (#8855)Sascha
* add ffmpeg initializer * use different expression to check for environment var
2018-10-09Add Japanese translations. (#8927)mayaeh
2018-10-08Fixed error occurrence when pinning the DM column. (#8922)mayaeh
2018-10-08Bump capybara from 3.8.2 to 3.9.0 (#8924)dependabot[bot]
Bumps [capybara](https://github.com/teamcapybara/capybara) from 3.8.2 to 3.9.0. - [Release notes](https://github.com/teamcapybara/capybara/releases) - [Changelog](https://github.com/teamcapybara/capybara/blob/master/History.md) - [Commits](https://github.com/teamcapybara/capybara/compare/3.8.2...3.9.0) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-08Bump tty-prompt from 0.17.0 to 0.17.1 (#8925)dependabot[bot]
Bumps [tty-prompt](https://github.com/piotrmurach/tty-prompt) from 0.17.0 to 0.17.1. - [Release notes](https://github.com/piotrmurach/tty-prompt/releases) - [Changelog](https://github.com/piotrmurach/tty-prompt/blob/master/CHANGELOG.md) - [Commits](https://github.com/piotrmurach/tty-prompt/compare/v0.17.0...v0.17.1) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-08Bump aws-sdk-s3 from 1.20.0 to 1.21.0 (#8926)dependabot[bot]
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.20.0 to 1.21.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-08Bump i18n-tasks from 0.9.21 to 0.9.25 (#8923)dependabot[bot]
Bumps [i18n-tasks](https://github.com/glebm/i18n-tasks) from 0.9.21 to 0.9.25. - [Release notes](https://github.com/glebm/i18n-tasks/releases) - [Changelog](https://github.com/glebm/i18n-tasks/blob/master/CHANGES.md) - [Commits](https://github.com/glebm/i18n-tasks/compare/v0.9.21...v0.9.25) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-08rubocop issues - Cleaning up (#8912)ashleyhull-versent
* cleanup pass * undo mistakes * fixed. * revert
2018-10-08Remove dead code (#8919)Eugen Rochko
SignatureVerification#matches_time_window? is not called anywhere.
2018-10-08Replace SVG asset with Custom mascot (#8766)ashleyhull-versent
2018-10-07Add conversations API (#8832)Eugen Rochko
* Add conversations API * Add web UI for conversations * Add test for conversations API * Add tests for ConversationAccount * Improve web UI * Rename ConversationAccount to AccountConversation * Remove conversations on block and mute * Change last_status_id to be a denormalization of status_ids * Add optimistic locking
2018-10-07Ensure only toots from the reported users are reported (#8916)ThibG
2018-10-07Add POST /api/v1/notifications/:id/dismiss (#8905)Eugen Rochko
POST /api/v1/notifications/dismiss was a mistake in #2251
2018-10-07Add fallback for PostgreSQL without upsert in CopyStatusStats (#8903)Eugen Rochko
Fix #8590
2018-10-06i18n: Update Polish translation (#8901)Marcin Mikołajczak
Signed-off-by: Marcin Mikołajczak <me@m4sk.in>
2018-10-06Improve production build config (#8899)bsky
2018-10-06Change documentation URL (#8898)Eugen Rochko
* Change documentation URL * Fix hardcoded documentation URL in locales
2018-10-06Remove unused ruby-progressbar dependency (#8896)Eugen Rochko
* Remove unused ruby-progressbar dependency * Remove unused colorize dependency
2018-10-06RTL: fix margins of public-account-header__tabs (#8897)Masoud Abkenar
* RTL: fix margins of public-account-header__tabs * fix style * even more stylish code :)
2018-10-05Leave unknown language as nil if account is remote (#8861)Jeong Arm
* Force use language detector if account is remote * Set unknown remote toot's language as nil
2018-10-05Bump omniauth-saml from 1.10.0 to 1.10.1 (#8885)dependabot[bot]
Bumps [omniauth-saml](https://github.com/omniauth/omniauth-saml) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/omniauth/omniauth-saml/releases) - [Changelog](https://github.com/omniauth/omniauth-saml/blob/master/CHANGELOG.md) - [Commits](https://github.com/omniauth/omniauth-saml/compare/v1.10.0...v1.10.1) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-05Bump parallel_tests from 2.21.3 to 2.23.0 (#8884)dependabot[bot]
Bumps [parallel_tests](https://github.com/grosser/parallel_tests) from 2.21.3 to 2.23.0. - [Release notes](https://github.com/grosser/parallel_tests/releases) - [Commits](https://github.com/grosser/parallel_tests/compare/v2.21.3...v2.23.0) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-05Bump puma from 3.11.4 to 3.12.0 (#8883)dependabot[bot]
Bumps [puma](https://github.com/puma/puma) from 3.11.4 to 3.12.0. - [Release notes](https://github.com/puma/puma/releases) - [Changelog](https://github.com/puma/puma/blob/master/History.md) - [Commits](https://github.com/puma/puma/compare/v3.11.4...v3.12.0) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-05Add a confirmation dialog when hitting reply and the compose box isn't empty ↵ThibG
(#8893) * Add a confirmation dialog when hitting reply and the compose box isn't empty Fixes #878 * Performance improvement
2018-10-05[Security] Bump nokogiri from 1.8.4 to 1.8.5 (#8881)dependabot[bot]
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.8.4 to 1.8.5. **This update includes security fixes.** - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.8.4...v1.8.5) Signed-off-by: dependabot[bot] <support@dependabot.com>
2018-10-04lint pass 2 (#8878)aus-social
* Code quality pass * Typofix * Update applications_controller_spec.rb * Update applications_controller_spec.rb
2018-10-04Limit the number of people that can be followed from one account (#8807)Eugen Rochko
Configurable soft limit of 7,500, and above that, configurable ratio of 1.1 * followers, controlled by: - MAX_FOLLOWS_THRESHOLD - MAX_FOLLOWS_RATIO Fix #2311
2018-10-04Add tootctl settings registrations open (#8829)Eugen Rochko
2018-10-04Change admin accounts default sort to most recent (#8813)Eugen Rochko
2018-10-04Fix link verification for remote accounts (#8868)Eugen Rochko