Age | Commit message (Collapse) | Author |
|
* Downcase signed_headers string before building the signed string
The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.
Thankfully, I don't know of any such client.
* Revert "Remove dead code (#8919)"
This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb.
* Restore time window checking, change it to 12 hours
By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.
* Escape users' URLs when formatting them
Fixes possible HTML injection
* Escape all string interpolations in Formatter class
Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls
* Fix code style issues
|
|
* cleanup pass
* undo mistakes
* fixed.
* revert
|
|
|
|
* Add conversations API
* Add web UI for conversations
* Add test for conversations API
* Add tests for ConversationAccount
* Improve web UI
* Rename ConversationAccount to AccountConversation
* Remove conversations on block and mute
* Change last_status_id to be a denormalization of status_ids
* Add optimistic locking
|
|
* Force use language detector if account is remote
* Set unknown remote toot's language as nil
|
|
* Code quality pass
* Typofix
* Update applications_controller_spec.rb
* Update applications_controller_spec.rb
|
|
Configurable soft limit of 7,500, and above that, configurable
ratio of 1.1 * followers, controlled by:
- MAX_FOLLOWS_THRESHOLD
- MAX_FOLLOWS_RATIO
Fix #2311
|
|
|
|
|
|
|
|
* Allow min_id pagination in Feed#get
* Add min_id pagination to home and list timeline APIs
* Add min_id pagination to account statuses, public and tag APIs
* Remove unused stub in reports API
* Use min_id pagination in notifications, favourites, and fix order
* Fix HomeFeed#from_database not using paginate_by_id
|
|
* Revert "Fix some icon names changed by the Font Awesome 5. (#8796)"
This reverts commit 3f9ec3de82c1a3879a2b092672f51c1caca76f5c.
* Revert "Migrate to font-awesome 5.0. (#8799)"
This reverts commit 8bae14591bfb4fc9dd9d89d8082ac0123b03edaa.
* Revert "Fix some icons names, unavailable in fontawesome5 (free license). (#8792)"
This reverts commit b9c727a945fea5afffb3e3a53279164adfc6e88f.
* Revert "Update the icon name changed by the Font Awesome 5. (#8776)"
This reverts commit 17af4d27da484fc35ecd4b4dce2443d24aa35d23.
* Revert "Add bot icon to bot avatars and migrate to newer version of Font Awesome (#8484)"
This reverts commit 4b794e134d427dbc716606324adb9a885a74abec.
|
|
|
|
|
|
(e.g. URL shortener)
|
|
than me (#8733)
|
|
* Verify link ownership with rel="me"
* Add explanation about verification to UI
* Perform link verifications
* Add click-to-copy widget for verification HTML
* Redesign edit profile page
* Redesign forms
* Improve responsive design of settings pages
* Restore landing page sign-up form
* Fix typo
* Support <link> tags, add spec
* Fix links not being verified on first discovery and passive updates
|
|
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
|
|
* Add force_login option to OAuth authorize page
For when a user needs to sign into an app from multiple accounts
on the same server
* When logging out from modal header, redirect back after re-login
|
|
CSFR-prevention is already implemented but adding this doesn't hurt.
A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
|
|
If an unresolved report for the same target account already exists,
no new notification is generated
|
|
Add tests to avoid similar issues in the future
|
|
* Add animate custom emoji param to embed pages
* Rename param, use it for avatars and gifs
* Fix issues pointed by codeclimate and breaking test
* Ignore brakeman warning
|
|
Host can be nil in urls like
'https:https://example.com/path/file.png'
|
|
updates some "context" and "it" lines to have clearer explanations
updates "context" lines to properly describe function input, and "it" lines to describe results
|
|
* Add missing specs for relay accept/reject
* Display pending message on admin relays UI
|
|
Fixes #8463
|
|
Add forgotten custom CSS admin setting strings
|
|
* Allow moderators to disable/enable login
* Instead of rejecting login, show forbidden error when login disabled
Avoid confusion because when login is rejected, the message is that
the account is not activated, which is wrong.
* Fix tests
|
|
panel (#7092) (#8381)
* Add default_settings class method to ScopedSettings
ScopedSettings was extended to use value of unscoped setting instead of
only using defaults set in config/settings.yml for selected settings.
This adds possibility for admins to set default values of users' settings,
for example default theme (as requested in #7092).
* Add ability to change an instance default theme
Closes #7092
|
|
* Fix URI not being sufficiently validated with prefetched JSON
* Add additional id validation to OStatus documents, when possible
|
|
|
|
* Add confirmation page for suspensions
* Suspension confirmation closes reports, linked from report UI
* Fix tests
|
|
Fix #7316
|
|
|
|
* Add remote interaction dialog for toots
* Change AuthorizeFollow into AuthorizeInteraction, support statuses
* Update brakeman.ignore
* Adjust how interaction buttons are display on public pages
* Fix tests
|
|
* Add Follow#revoke_request!
* Implement Undo { Accept { Follow } } (fixes #8234)
|
|
* Allow accessing local private/DM messages by URL
(Provided the user pasting the URL is authorized to see the toot, obviously)
* Fix SearchServiceSpec tests
|
|
* Show exact number of followers/statuses on export page/in tooltip
* Fix tests
|
|
* Move status counters to separate table, count replies
* Migration to remove old counter columns from statuses table
* Fix schema file
|
|
* Update Rails
* fix Update Rails
|
|
|
|
|
|
* Add separate setting for sidebar text (site_short_description)
* Fix tests
|
|
* Compensate for scrollbar disappearing when media modal visible
Make auth pages backgrounds lighter
* Fix typo
|
|
Initially I thought there might be valid reasons for remote users to
have a different, unpredicted username format. However, I now realize
such a difference would be unusable and unexpected within Mastodon.
Fix #8058
|
|
|
|
To improve the way super tall or super ride images are treated, the
numbers remain the same, 1280x1280 and 400x400, but if an image
is less in one dimension than the other, the other can become larger
Thanks to @WAHa_06x36@mastodon.social for the tip
|
|
|
|
If the input text is blank after preparation (only mention, or
only URL, or empty as in a media post), then use nil as language,
since it's OK to show to everyone.
Otherwise, always fall back to the server's default locale
|