about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2022-11-15Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` (#20729)Eugen Rochko
2022-11-15Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP (#20606)prplecake
* Add "unsafe-eval" to script-src CSP * Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
2022-11-14Fix rate limiting for paths with formats (#20675)Eugen Rochko
2022-11-14Add `Cache-Control` header to openstack-stored files (#20610)Matt Corallo
When storing files in S3, paperclip is configured with a Cache-Control header indicating the file is immutable, however no such header was added when using OpenStack storage. Luckily Paperclip's fog integration makes this trivial, with a simple `fog_file` `Cache-Control` default doing the trick.
2022-11-13Allow unsetting x-amz-acl S3 Permission headers (#20510)David Hewitt
Some "S3 Compatible" storage providers (Cloudflare R2 is one such example) don't support setting ACLs on individual uploads with the `x-amz-acl` header, and instead just have a visibility for the whole bucket. To support uploads to such providers without getting unsupported errors back, lets use a black `S3_PERMISSION` env var to indicate that these headers shouldn't be sent. This is tested as working with Cloudflare R2.
2022-10-26Add "unsafe-eval" to script-src CSP (#18817)prplecake
2022-10-26Fix vacuum scheduler missing lock, locks never expiring (#19458)Eugen Rochko
Remove vacuuming of orphaned preview cards
2022-09-23Add user content translations with configurable backends (#19218)Eugen Rochko
2022-08-28Change "Allow trends without prior review" setting to include statuses (#17977)Eugen Rochko
* Change "Allow trends without prior review" setting to include posts * Fix i18n-tasks
2022-08-25Support "http_hidden_proxy" ENV var for hidden service only proxy (#18427)Jeong Arm
* Support "http_hidden_proxy" ENV var for hidden service only proxy * Fallback to http_proxy if http_hidden_proxy is not set
2022-07-13Change how hashtags are normalized (#18795)Eugen Rochko
* Change how hashtags are normalized * Fix tests
2022-06-01Fix CAS_DISPLAY_NAME, SAML_DISPLAY_NAME and OIDC_DISPLAY_NAME being ignored ↵Claire
(#18568)
2022-05-26Fix confirmation redirect to app without `Location` header (#18523)Eugen Rochko
2022-05-18Change search indexing to use batches to minimize resource usage (#18451)Eugen Rochko
2022-04-29Fix opening and closing Redis connections instead of using a pool (#18171)Eugen Rochko
* Fix opening and closing Redis connections instead of using a pool * Fix Redis connections not being returned to the pool in CLI commands
2022-04-28Fix stoplight not using REDIS_NAMESPACE (#18160)Claire
2022-04-28Fix single Redis connection being used across all threads (#18135)Eugen Rochko
* Fix single Redis connection being used across all Sidekiq threads * Fix tests
2022-04-08Fix cookies secure flag being set when served over Tor (#17992)Eugen Rochko
2022-04-01fix: `s3_force_single_request` not parsed (#17922)Holger
2022-03-26Refactor formatter (#17828)Eugen Rochko
* Refactor formatter * Move custom emoji pre-rendering logic to view helpers * Move more methods out of Formatter * Fix code style issues * Remove Formatter * Add inline poll options to RSS feeds * Remove unused helper method * Fix code style issues * Various fixes and improvements * Fix test
2022-03-15Fix PgHero suggesting migrations (#17807)Claire
* Fix PgHero suggesting migrations Fixes #17768 * Keep migration suggestions in development env
2022-03-14Fix LetterOpennerWeb CSP (#17770)Yamagishi Kazutoshi
2022-03-12Bump rack-attack from 6.5.0 to 6.6.0 (#17405)dependabot[bot]
* Bump rack-attack from 6.5.0 to 6.6.0 Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0) --- updated-dependencies: - dependency-name: rack-attack dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Fix usage of deprecated API Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-09Allow login through OpenID Connect (#16221)chandrn7
* added OpenID Connect as an SSO option * minor fixes * added comments, removed an option that shouldn't be set * fixed Gemfile.lock * added newline to end of Gemfile.lock * removed tab from Gemfile.lock * remove chomp * codeclimate changes and small name change to make function's purpose clearer * codeclimate fix * added SSO buttons to /about page * minor refactor * minor style change * removed spurious change * removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth * minor changes
2022-03-06Spelling (#17705)Josh Soref
* spelling: account Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: affiliated Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: appearance Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: autosuggest Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: cacheable Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: component Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: conversations Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: domain.example Clarify what's distinct and use RFC friendly domain space. Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: environment Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: exceeds Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: functional Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: inefficiency Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: not Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: notifications Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: occurring Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: position Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: progress Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: promotable Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: reblogging Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: repetitive Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: resolve Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: saturated Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: similar Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: strategies Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: success Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: targeting Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: thumbnails Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: unauthorized Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: unsensitizes Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: validations Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> * spelling: various Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-02-22Fix various typos (#17621)luzpaz
Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro`
2022-02-21Fix error when trying to register (#17600)Claire
2022-02-18Avoid return within block (#17590)zunda
This prevents the error: LocalJumpError (unexpected return)
2022-02-18Throttle IPv6 signup for subnet (#17588)Jeong Arm
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2022-01-10Fix media API limit (#17272)Jeong Arm
2021-12-27Fix warnings on Rails boot (#16946)Eugen Rochko
2021-11-26Fix ElasticSearch to Elasticsearch (#17050)Takeshi Umeda
2021-11-18Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) (#16915)Takeshi Umeda
* Bump chewy from 5.2.0 to 7.2.2 * fix style (codeclimate) * fix style * fix style * Bump chewy from 7.2.2 to 7.2.3
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-10-24Support authentication for ElasticSearch (#16890)Jeong Arm
* Support authentication for ElasticSearch * Fix chewy auth settings
2021-10-14Minor memory optimizations (#16507)Claire
Reduce constant memory usage by ~100kB and further reduce boot-up memory allocations and temporary memory use by a further ~200kB.
2021-08-25New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655)Daniel
When using a CAS server, the users only have a temporary email `change@me-foo-cas.com` which can't be changed but by an administrator. We need a new environment variable like for SAML to assume the email from CAS is verified. * config/initializers/omniauth.rb: define CAS option for assuming email are always verified. * .env.nanobox: add new variable as an example.
2021-07-15Fix inefficiencies in auto-linking code (#16506)Claire
The auto-linking code basically rewrote the whole string escaping non-ascii characters in an inefficient way, and building a full character offset map between the unescaped and escaped texts before sending the contents to TwitterText's extractor. Instead of doing that, this commit changes the TwitterText regexps to include valid IRI characters in addition to valid URI characters.
2021-05-24Fix mailer jobs for deleted notifications erroring out (#16294)Claire
Fixes an oversight in the Rails 6 migration
2021-05-17Fix host check on healthcheck path not being disabled (#16270)Claire
Fixes #16251 There was a typo in #16243
2021-05-16Disable host check on healthcheck path (#16243)Jeong Arm
2021-05-09Add a Redis environment variable for sidekiq (#16188)Takeshi Umeda
2021-05-06Add Ruby 3.0 support (#16046)Claire
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0 Also improve the Terrapin monkey-patch for the stderr/stdout issue. * Fix keyword argument handling throughout the codebase * Monkey-patch Paperclip to fix keyword arguments handling in validators * Change validation_extensions to please CodeClimate * Bump microformats from 4.2.1 to 4.3.1 * Allow Ruby 3.0 * Add Ruby 3.0 test target to CircleCI * Add test for admin dashboard warnings * Fix admin dashboard warnings on Ruby 3.0
2021-04-22Fix guard against DNS rebinding attacks (#16095)Takeshi Umeda
2021-04-21Add guard against DNS rebinding attacks (#16087)Takeshi Umeda
* Add guard against DNS rebinding attacks * Fix not to apply to test environment
2021-04-15Fix app name, website and redirect URIs not having a maximum length (#16042)Eugen Rochko
Fix app scopes not being validated
2021-04-09Fix autoloading deprecation warnings from Rails 6 (#16010)Eugen Rochko
2021-04-03Change health check (#15988)Eugen Rochko