From 1419f656e2753dc2f173d496a9720023d89de36e Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 2 Jan 2018 14:02:53 +0100 Subject: Fix stats expiring too quickly because of variable mistake (#6155) --- app/lib/activity_tracker.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/lib') diff --git a/app/lib/activity_tracker.rb b/app/lib/activity_tracker.rb index 50e927b0c..5b4972674 100644 --- a/app/lib/activity_tracker.rb +++ b/app/lib/activity_tracker.rb @@ -15,7 +15,7 @@ class ActivityTracker key = [prefix, current_week].join(':') redis.pfadd(key, value) - redis.expire(key, value) + redis.expire(key, EXPIRE_AFTER) end private -- cgit From d60fd87e0191ad05d8dd7f2e8d7d265db6f168d3 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 3 Jan 2018 00:38:02 +0100 Subject: Don't leave behind husk of remotely-deleted profile (#6159) There's no reason for an Account record to persist after Delete->Actor is received. SuspendAccountService is necessary to make sure deleted toots get sent over streaming API properly and home feeds get cleaned up. By removing Account record, we can ensure that if in the future the account is restored remotely (or username reused), it can start with a clean slate. --- app/lib/activitypub/activity/delete.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'app/lib') diff --git a/app/lib/activitypub/activity/delete.rb b/app/lib/activitypub/activity/delete.rb index d0fb49342..5fa60a81c 100644 --- a/app/lib/activitypub/activity/delete.rb +++ b/app/lib/activitypub/activity/delete.rb @@ -13,6 +13,7 @@ class ActivityPub::Activity::Delete < ActivityPub::Activity def delete_person SuspendAccountService.new.call(@account) + @account.destroy! end def delete_note -- cgit From 545095b3ce312b42ba304d0bb2c76727826e27b4 Mon Sep 17 00:00:00 2001 
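Review bot: The corrected `redis.expire(key, EXPIRE_AFTER)` is not pinned by any spec in this commit; the original defect (passing `value` as the TTL) would have been caught by a test that calls the enclosing method and asserts the key's TTL equals `EXPIRE_AFTER`. The call also runs after every `pfadd`, so a weekly bucket lives `EXPIRE_AFTER` past its last write rather than past the end of its week; if that is intended, a comment on the line would save the next reader the same confusion, e.g. `# TTL is refreshed on every write: a bucket lives EXPIRE_AFTER past its last update`. The enclosing method starts outside the hunk and `EXPIRE_AFTER` is defined elsewhere in the class, so neither is visible here.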
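Review bot: `@account.destroy!` turns receipt of a remote Delete into irreversible removal of the local Account row, so the precondition that the deleted object is the signed actor itself must hold before `delete_person` is reached; that guard lives in the caller, outside this hunk, and is worth re-checking alongside this change. The order of the two statements is load-bearing per the commit description and deserves a comment, e.g. `# Suspend first so streaming/feed cleanup still sees the record, then drop the row`. Note that `destroy!` raises if a callback or dependent association halts destruction, in which case the suspension side effects have already run; if that is acceptable, say so in the comment.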
From: puckipedia Date: Wed, 3 Jan 2018 03:54:08 +0100 Subject: [!] Sanitize incoming classlist properly (#6162) * Sanitize classlist properly * Actually properly sanitize every class after the first * Improve Formatter spec to check for multiple classes and non-space whitespace --- app/lib/sanitize_config.rb | 8 ++++---- spec/lib/formatter_spec.rb | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'app/lib') diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb index f09288fcd..c2b466924 100644 --- a/app/lib/sanitize_config.rb +++ b/app/lib/sanitize_config.rb @@ -6,14 +6,14 @@ class Sanitize CLASS_WHITELIST_TRANSFORMER = lambda do |env| node = env[:node] - class_list = node['class']&.split(' ') + class_list = node['class']&.split(/[\t\n\f\r ]/) return unless class_list class_list.keep_if do |e| - return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes - return true if e =~ /^(mention|hashtag)$/ # semantic classes - return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes + next true if e =~ /^(h|p|u|dt|e)-/ # microformats classes + next true if e =~ /^(mention|hashtag)$/ # semantic classes + next true if e =~ /^(ellipsis|invisible)$/ # link formatting classes end node['class'] = class_list.join(' ') diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb index 71b6b78d2..e79be3645 100644 --- a/spec/lib/formatter_spec.rb +++ b/spec/lib/formatter_spec.rb @@ -332,7 +332,7 @@ RSpec.describe Formatter do end context 'contains malicious classes' do - let(:text) { 'Show more' } + let(:text) { 'Show more' } it 'strips malicious classes' do is_expected.to_not include 'status__content__spoiler-link' -- cgit
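Review bot: The allow-list regexes inside the `keep_if` block still anchor with `^`/`$`, which match at line boundaries rather than string ends; with the new split the tokens can no longer contain `\n`, so this is not exploitable as written, but an allow-list over attacker-controlled class names should not rely on the tokenizer for its anchoring — use `\A`/`\z`, e.g. `next true if e.match?(/\A(mention|hashtag)\z/)` and `next true if e.match?(/\A(ellipsis|invisible)\z/)`. `split(/[\t\n\f\r ]/)` also emits empty strings for runs of whitespace; they are dropped by the filter, but `split(/[\t\n\f\r ]+/)` avoids producing them at all. The lambda's closing `end` is outside the hunk.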