about summary refs log tree commit diff
path: root/app/lib
AgeCommit message (Collapse)Author
2018-11-10Fix emoji update date processing (#9255)ThibG
2018-11-09Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-11-08Reduce connect timeout limit and limit signature failures by source IP (#9236)Eugen Rochko
* Reduce connect timeout from 10s to 1s * Limit failing signature verifications per source IP
2018-10-30Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/auth/sessions_controller.rb Upstream reverted something we partially reverted already. Reverted the rest to match upstream.
2018-10-30Accept the same payload in multiple inboxes and deliver (#9150)Eugen Rochko
2018-10-29Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - config/locales/simple_form.ja.yml Not a real conflict, one new string was introduced in glitch and one in upstream.
2018-10-29Add Page AP type support (#9121)m.b
2018-10-27Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-26Ignore invalid hashtags on remote statuses instead of rejecting them (#9118)ThibG
Fixes #9115
2018-10-26Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/admin/base_controller.rb - app/controllers/filters_controller.rb - app/controllers/invites_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/exports_controller.rb - app/controllers/settings/follower_domains_controller.rb - app/controllers/settings/migrations_controller.rb - app/controllers/settings/notifications_controller.rb - app/controllers/settings/preferences_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb - app/javascript/packs/public.js - app/views/settings/profiles/show.html.haml Conflicts were mostly due to the addition of body classes to the settings page, this was caused by rejecting upstream changes for most of those files and modifying Settings::BaseController instead. Another cause of conflicts was the deletion of client-side checking of display name / bio length, this was modified in app/javascript/core/settings.js instead.
2018-10-26Fix missing `mention` argument when processing incoming Create activities ↵ThibG
(#9114) * Fix missing `mention` argument when processing incoming Create activities * Fix typo (param → params)
2018-10-25Allow inbox owner to view implicitly targeted ActivityPub payload (#9093)Eugen Rochko
Fix #9091
2018-10-22Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - .github/ISSUE_TEMPLATE/bug_report.md Took our version. - CONTRIBUTING.md Updated the embedded copy of upstream's version. - README.md Took our version. - app/policies/status_policy.rb Not a real conflict, took code from both. - app/views/layouts/embedded.html.haml Added upstream's changes (dns-prefetch) and fixed `%body.embed` - app/views/settings/preferences/show.html.haml Reverted some of upstream changes, as we have a page dedicated for flavours and skins. - config/initializers/content_security_policy.rb Kept our version of the CSP. - config/initializers/doorkeeper.rb Not a real conflict, took code from both.
2018-10-20Add option to block reports from domain (#8830)Eugen Rochko
2018-10-17Improve support for aspects/circles (#8950)Eugen Rochko
* Add silent column to mentions * Save silent mentions in ActivityPub Create handler and optimize it Move networking calls out of the database transaction * Add "limited" visibility level masked as "private" in the API Unlike DMs, limited statuses are pushed into home feeds. The access control rules between direct and limited statuses is almost the same, except for counter and conversation logic * Ensure silent column is non-null, add spec * Ensure filters don't check silent mentions for blocks/mutes As those are "this person is also allowed to see" rather than "this person is involved", therefore does not warrant filtering * Clean up code * Use Status#active_mentions to limit returned mentions * Fix code style issues * Use Status#active_mentions in Notification And remove stream_entry eager-loading from Notification
2018-10-12Allow selecting both default flavour and themeThibaut Girka
Fixes #672
2018-10-12Improve signature verification safeguards (#8959)Eugen Rochko
* Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues
2018-10-12Improve signature verification safeguards (#8959)Eugen Rochko
* Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues
2018-10-11Fix typo in ActivityPub Create handler (#8952)Eugen Rochko
Regression from #8951
2018-10-11Move network calls out of transaction in ActivityPub handler (#8951)Eugen Rochko
Mention and emoji code may perform network calls, but does not need to do that inside the database transaction. This may improve availability of database connections when using pgBouncer in transaction mode.
2018-10-08Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-07Add conversations API (#8832)Eugen Rochko
* Add conversations API * Add web UI for conversations * Add test for conversations API * Add tests for ConversationAccount * Improve web UI * Rename ConversationAccount to AccountConversation * Remove conversations on block and mute * Change last_status_id to be a denormalization of status_ids * Add optimistic locking
2018-10-05Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-05Leave unknown language as nil if account is remote (#8861)Jeong Arm
* Force use language detector if account is remote * Set unknown remote toot's language as nil
2018-10-05Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: db/migrate/20170716191202_add_hide_notifications_to_mute.rb spec/controllers/application_controller_spec.rb Took our version, upstream changes were only minor style linting.
2018-10-03Fix handling of ActivityPub activities lacking some attributes (#8864)ThibG
2018-10-01Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/lib/user_settings_decorator.rb app/models/user.rb app/serializers/initial_state_serializer.rb app/views/stream_entries/_simple_status.html.haml config/locales/simple_form.en.yml config/locales/simple_form.ja.yml config/locales/simple_form.pl.yml config/routes.rb
2018-09-28Fix class autoloading issue in ActivityPub::Activity::Create (#8820)Eugen Rochko
2018-09-28Exclude replies from list timelines (#8683)cbayerlein
* Changed list behaviour I added the following line to the FeedManager (app/lib/feed_manager.rb) in the push_to_list function: `return false if status.reply?` Now all posts that are replies are filtered out, so that now only "genuine" posts are displayed in the list. This is a first approach to solve issue #5916 * Update feed_manager.rb As suggested by @Gargron
2018-09-25Add a new preference to always hide all media (#8569)ふぁぼ原
2018-09-24Add user preference to always expand toots marked with content warnings (#8762)Matt Sweetman
2018-09-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: Vagrantfile app/javascript/packs/public.js app/views/admin/settings/edit.html.haml app/views/settings/preferences/show.html.haml app/views/settings/profiles/show.html.haml config/locales/es.yml config/locales/simple_form.en.yml config/webpack/configuration.js config/webpack/loaders/babel.js package.json yarn.lock Split new additions to app/javascript/packs/public.js to app/javascript/core/settings.js
2018-09-18Redesign forms, verify link ownership with rel="me" (#8703)Eugen Rochko
* Verify link ownership with rel="me" * Add explanation about verification to UI * Perform link verifications * Add click-to-copy widget for verification HTML * Redesign edit profile page * Redesign forms * Improve responsive design of settings pages * Restore landing page sign-up form * Fix typo * Support <link> tags, add spec * Fix links not being verified on first discovery and passive updates
2018-08-31Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/views/stream_entries/_simple_status.html.haml - config/locales/nl.yml Deleted unused translation strings (themes) and adapted minor changes to _simple_status.html.haml
2018-08-31Fix autoplay issue with spoiler tag (#8540)Renato "Lond" Cerqueira
Add tests to avoid similar issues in the future
2018-08-31Do not sign useless User-Agent or Accept-Encoding headers (#8533)Eugen Rochko
Fix #8080
2018-08-30Add animate custom emoji param to embed pages (#8507)Renato "Lond" Cerqueira
* Add animate custom emoji param to embed pages * Rename param, use it for avatars and gifs * Fix issues pointed by codeclimate and breaking test * Ignore brakeman warning
2018-08-27Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/api/v1/mutes_controller.rb config/locales/simple_form.pl.yml
2018-08-26Add CLI task for rotating keys (#8466)Eugen Rochko
* If an Update is signed with known key, skip re-following procedure Because it means the remote actor did *not* lose their database * Add CLI method for rotating keys bin/tootctl accounts rotate [USERNAME] Generates a new RSA key per account and sends out an Update activity signed with the old key. * Key rotation: Space out Update fan-outs every 5 minutes per 1000 accounts * Skip suspended accounts in key rotation
2018-08-26Fix low-hanging rubocop gripes (#8458)Quint Guvernator
* rubocop: quit being so picky * rubocop: miscellany * rubocop: prefer present to blank
2018-08-26Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/views/layouts/application.html.haml Edited: app/helpers/application_helper.rb app/views/admin/domain_blocks/new.html.haml Conflict wasn't really one, just two changes too close to one another. Edition was to adapt the class names for themes to class names for skins and flavours. Also edited app/views/admin/domain_blocks/new.html.haml to strip the duplicate admin pack inclusion thing.
2018-08-26Spread out crawling randomly to avoid DDoSing the link (#8445)Eugen Rochko
* Spread out crawling randomly to avoid DDoSing the link Fix #4486 * Remove trailing whitespace
2018-08-25Support ActivityStreams’ summaryMap. (#8422)M Somerville
In the same way as contentMap and nameMap.
2018-08-24Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/application_controller.rb Changed instance theme selection by instance flavour selection.
2018-08-23Add ability to change an instance default theme from the administration ↵Jakub Mendyk
panel (#7092) (#8381) * Add default_settings class method to ScopedSettings ScopedSettings was extended to use value of unscoped setting instead of only using defaults set in config/settings.yml for selected settings. This adds possibility for admins to set default values of users' settings, for example default theme (as requested in #7092). * Add ability to change an instance default theme Closes #7092
2018-08-23Do not crash if remote custom emoji does not define updated date (fixes ↵ThibG
#8376) (#8377)
2018-08-22Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-08-22Improve federated ID validation (#8372)Eugen Rochko
* Fix URI not being sufficiently validated with prefetched JSON * Add additional id validation to OStatus documents, when possible
2018-08-17Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/models/status.rb db/migrate/20180528141303_fix_accounts_unique_index.rb db/schema.rb Resolved by taking upstream changes (no real conflicts, just glitch-soc specific code too close to actual changes).
2018-08-17Implement Undo { Accept { Follow } } (fixes #8234) (#8245)ThibG
* Add Follow#revoke_request! * Implement Undo { Accept { Follow } } (fixes #8234)