Age | Commit message (Collapse) | Author |
|
|
|
* Downcase signed_headers string before building the signed string
The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.
Thankfully, I don't know of any such client.
* Revert "Remove dead code (#8919)"
This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb.
* Restore time window checking, change it to 12 hours
By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.
* Escape users' URLs when formatting them
Fixes possible HTML injection
* Escape all string interpolations in Formatter class
Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls
* Fix code style issues
|
|
* Set CSP rules in RoR's configuration
* Override CSP setting in the embed controller to allow frames
|
|
SignatureVerification#matches_time_window? is not called anywhere.
|
|
|
|
* Add conversations API
* Add web UI for conversations
* Add test for conversations API
* Add tests for ConversationAccount
* Improve web UI
* Rename ConversationAccount to AccountConversation
* Remove conversations on block and mute
* Change last_status_id to be a denormalization of status_ids
* Add optimistic locking
|
|
|
|
|
|
* Allow min_id pagination in Feed#get
* Add min_id pagination to home and list timeline APIs
* Add min_id pagination to account statuses, public and tag APIs
* Remove unused stub in reports API
* Use min_id pagination in notifications, favourites, and fix order
* Fix HomeFeed#from_database not using paginate_by_id
|
|
|
|
|
|
|
|
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
|
|
* Add force_login option to OAuth authorize page
For when a user needs to sign into an app from multiple accounts
on the same server
* When logging out from modal header, redirect back after re-login
|
|
Will clear the browser's cache, cookies and storage.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
https://w3c.github.io/webappsec-clear-site-data/
|
|
Bug in #8559
|
|
If an unresolved report for the same target account already exists,
no new notification is generated
|
|
|
|
* Add animate custom emoji param to embed pages
* Rename param, use it for avatars and gifs
* Fix issues pointed by codeclimate and breaking test
* Ignore brakeman warning
|
|
Fixes #8463
|
|
* rubocop: quit being so picky
* rubocop: miscellany
* rubocop: prefer present to blank
|
|
Fix #3894
|
|
* Allow moderators to disable/enable login
* Instead of rejecting login, show forbidden error when login disabled
Avoid confusion because when login is rejected, the message is that
the account is not activated, which is wrong.
* Fix tests
|
|
Regression from #8353
|
|
panel (#7092) (#8381)
* Add default_settings class method to ScopedSettings
ScopedSettings was extended to use value of unscoped setting instead of
only using defaults set in config/settings.yml for selected settings.
This adds possibility for admins to set default values of users' settings,
for example default theme (as requested in #7092).
* Add ability to change an instance default theme
Closes #7092
|
|
* Add confirmation page for suspensions
* Suspension confirmation closes reports, linked from report UI
* Fix tests
|
|
|
|
* Unuse ActiveRecord::Base#cache_key
* Enable cache_versioning
* Call cache_collection
|
|
Fix #8261
|
|
* Add remote interaction dialog for toots
* Change AuthorizeFollow into AuthorizeInteraction, support statuses
* Update brakeman.ignore
* Adjust how interaction buttons are display on public pages
* Fix tests
|
|
Fixes the other issue with #8168
|
|
|
|
|
|
|
|
|
|
* Add separate setting for sidebar text (site_short_description)
* Fix tests
|
|
* Compensate for scrollbar disappearing when media modal visible
Make auth pages backgrounds lighter
* Fix typo
|
|
Fix #8085
|
|
|
|
|
|
|
|
|
|
* Add federation relay support
* Add admin UI for managing relays
* Include actor on relay-related activities
* Fix i18n
|
|
(#8004)
* Add Japanese translation for "Whole word" and add it's description.
* Fix to enable "Whole-word" selection.
|
|
(#7975)
* Add option to not consider word boundaries when filtering phrases
* Add a few tests for keyword/phrase filtering
|
|
DELETE /api/v1/suggestions/:account_id
When blocking, remove suggestion from both sides. Muting not affected,
since muting is supposed to be invisible to the target.
|
|
|
|
|
|
Fix #7944
|
|
* Add more granular OAuth scopes
* Add human-readable descriptions of the new scopes
* Ensure new scopes look good on the app UI
* Add tests
* Group scopes in screen and color-code dangerous ones
* Fix wrong extra scope
|