From bd220c32f162230d31e99bdabd30aea787a89cfc Mon Sep 17 00:00:00 2001 From: Yamagishi Kazutoshi Date: Mon, 7 Nov 2022 00:13:53 +0900 Subject: [PATCH 01/10] Update SECURITY.md (#19869) --- SECURITY.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9a72f3640b..d2543b18d6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,9 +10,8 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through ## Supported Versions -| Version | Supported | -| ------- | ------------------ | -| 3.5.x | Yes | -| 3.4.x | Yes | -| 3.3.x | No | -| < 3.3 | No | +| Version | Supported | +| ------- | ----------| +| 4.0.x | Yes | +| 3.5.x | Yes | +| < 3.5 | No | From e53fc34e9abd8d6d3a0907fea2d0f657c5e8666c Mon Sep 17 00:00:00 2001 From: rcombs Date: Sun, 6 Nov 2022 20:16:10 -0600 Subject: [PATCH 02/10] Set autocomplete attr for email field on signup page (#19833) The email address will be used as the "username" for sign-in purposes, so it's the value that should be stored in password managers. We can inform the password manager of this by setting `autocomplete="email"`. Without this hint, password managers may instead store the `username` field, which isn't valid for sign-in (this happens with iCloud Keychain in Safari, for instance). --- app/views/auth/registrations/new.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/auth/registrations/new.html.haml b/app/views/auth/registrations/new.html.haml index 5eb3f937c3..b1d52dd0c2 100644 --- a/app/views/auth/registrations/new.html.haml +++ b/app/views/auth/registrations/new.html.haml @@ -19,7 +19,7 @@ = f.simple_fields_for :account do |ff| = ff.input :display_name, wrapper: :with_label, label: false, required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.display_name'), :autocomplete => 'off', placeholder: t('simple_form.labels.defaults.display_name') } = ff.input :username, wrapper: :with_label, label: false, required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.username'), :autocomplete => 'off', placeholder: t('simple_form.labels.defaults.username'), pattern: '[a-zA-Z0-9_]+', maxlength: 30 }, append: "@#{site_hostname}", hint: false - = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'off' }, hint: false + = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'username' }, hint: false = f.input :password, placeholder: t('simple_form.labels.defaults.password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.password'), :autocomplete => 'new-password', :minlength => User.password_length.first, :maxlength => User.password_length.last }, hint: false = f.input :password_confirmation, placeholder: t('simple_form.labels.defaults.confirm_password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.confirm_password'), :autocomplete => 'new-password' }, hint: false = f.input :confirm_password, as: :string, placeholder: t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), :autocomplete => 'off' }, hint: false From 8c81db5a415cce3491cb5d343709db552ad262b6 Mon Sep 17 00:00:00 2001 From: Rob Petti Date: Sun, 6 Nov 2022 19:16:44 -0700 Subject: [PATCH 03/10] allow /api/v1/streaming to be used as per documentation (#19896) --- dist/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dist/nginx.conf b/dist/nginx.conf index 716c277dd0..5c16693d08 100644 --- a/dist/nginx.conf +++ b/dist/nginx.conf @@ -112,7 +112,7 @@ server { try_files $uri =404; } - location ^~ /api/v1/streaming/ { + location ^~ /api/v1/streaming { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 54f0f1b9efa73166d5d1dfb475b71111e2a5f2ed Mon Sep 17 00:00:00 2001 From: nightpool Date: Sun, 6 Nov 2022 21:31:38 -0500 Subject: [PATCH 04/10] Skip Webfinger cache during migrations as well (#19883) --- app/models/account_migration.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/account_migration.rb b/app/models/account_migration.rb index 06291c9f31..16276158d7 100644 --- a/app/models/account_migration.rb +++ b/app/models/account_migration.rb @@ -58,7 +58,7 @@ class AccountMigration < ApplicationRecord private def set_target_account - self.target_account = ResolveAccountService.new.call(acct) + self.target_account = ResolveAccountService.new.call(acct, skip_cache: true) rescue Webfinger::Error, HTTP::Error, OpenSSL::SSL::SSLError, Mastodon::Error # Validation will take care of it end From 4cb23234580b12750940f60afc4a2bbace8347e9 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 7 Nov 2022 03:38:53 +0100 Subject: [PATCH 05/10] Fix crash in legacy filter creation controller (#19878) --- app/controllers/api/v1/filters_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/api/v1/filters_controller.rb b/app/controllers/api/v1/filters_controller.rb index 07cd141478..149139b40a 100644 --- a/app/controllers/api/v1/filters_controller.rb +++ b/app/controllers/api/v1/filters_controller.rb @@ -52,7 +52,7 @@ class Api::V1::FiltersController < Api::BaseController end def resource_params - params.permit(:phrase, :expires_in, :irreversible, :whole_word, context: []) + params.permit(:phrase, :expires_in, :irreversible, context: []) end def filter_params From 34c269310d2017c3164d57c1e8631f9423092ee3 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:39:48 +0100 Subject: [PATCH 06/10] Fix console log error on column settings load (#19886) --- .../features/notifications/components/column_settings.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/mastodon/features/notifications/components/column_settings.js b/app/javascript/mastodon/features/notifications/components/column_settings.js index d75fa8a02f..a38f8d3c2d 100644 --- a/app/javascript/mastodon/features/notifications/components/column_settings.js +++ b/app/javascript/mastodon/features/notifications/components/column_settings.js @@ -21,7 +21,7 @@ export default class ColumnSettings extends React.PureComponent { onRequestNotificationPermission: PropTypes.func, alertsEnabled: PropTypes.bool, browserSupport: PropTypes.bool, - browserPermission: PropTypes.bool, + browserPermission: PropTypes.string, }; onPushChange = (path, checked) => { From ffe735344bb47ad2af743ad97729db9ea9c11f60 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:40:04 +0100 Subject: [PATCH 07/10] Fix JavaScript console error on Getting Started column (#19891) * Fix JavaScript console error on Getting Started column * Update app/javascript/mastodon/components/column_header.js Co-authored-by: Ilias Tsangaris Co-authored-by: Ilias Tsangaris --- app/javascript/mastodon/components/column_header.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/javascript/mastodon/components/column_header.js b/app/javascript/mastodon/components/column_header.js index 5b2e166276..43efa179e2 100644 --- a/app/javascript/mastodon/components/column_header.js +++ b/app/javascript/mastodon/components/column_header.js @@ -57,7 +57,7 @@ class ColumnHeader extends React.PureComponent { } handleTitleClick = () => { - this.props.onClick(); + this.props.onClick?.(); } handleMoveLeft = () => { From 02a34252ba21a405e3960da4b65c15a2c8d952f2 Mon Sep 17 00:00:00 2001 From: Jeremy Kescher Date: Mon, 7 Nov 2022 02:40:17 +0000 Subject: [PATCH 08/10] Add null check on application in dispute viewer (#19851) --- app/views/disputes/strikes/show.html.haml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/views/disputes/strikes/show.html.haml b/app/views/disputes/strikes/show.html.haml index 1be50331a4..4a3005f72a 100644 --- a/app/views/disputes/strikes/show.html.haml +++ b/app/views/disputes/strikes/show.html.haml @@ -59,8 +59,9 @@ = media_attachment.file_file_name .strike-card__statuses-list__item__meta %time.formatted{ datetime: status.created_at.iso8601, title: l(status.created_at) }= l(status.created_at) - · - = status.application.name + - unless status.application.nil? + · + = status.application.name - else .one-liner= t('disputes.strikes.status', id: status_id) .strike-card__statuses-list__item__meta From 4b7f32a2a668b7068ede7ac8eb2ac087883ba213 Mon Sep 17 00:00:00 2001 From: Sunny Ripert Date: Mon, 7 Nov 2022 03:40:54 +0100 Subject: [PATCH 09/10] Fix double button to clear emoji search input (#19888) --- app/javascript/styles/mastodon/emoji_picker.scss | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/javascript/styles/mastodon/emoji_picker.scss b/app/javascript/styles/mastodon/emoji_picker.scss index e4ec96d89f..1042ddda89 100644 --- a/app/javascript/styles/mastodon/emoji_picker.scss +++ b/app/javascript/styles/mastodon/emoji_picker.scss @@ -132,6 +132,10 @@ &:active { outline: 0 !important; } + + &::-webkit-search-cancel-button { + display: none; + } } } From a70e2cd649cbd82d534f03202fb3078a4ae1af1d Mon Sep 17 00:00:00 2001 From: Chris Rose Date: Sun, 6 Nov 2022 18:57:16 -0800 Subject: [PATCH 10/10] Tag the OTP field with autocomplete for password managers (#19946) This is modeled on #19833, and based on the attribute values documented in https://developer.apple.com/documentation/security/password_autofill/enabling_password_autofill_on_an_html_input_element?language=objc --- .../auth/sessions/two_factor/_otp_authentication_form.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml b/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml index ab2d48c0a3..82f9575275 100644 --- a/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml +++ b/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml @@ -5,7 +5,7 @@ %p.hint.authentication-hint= t('simple_form.hints.sessions.otp') .fields-group - = f.input :otp_attempt, type: :number, wrapper: :with_label, label: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt'), :autocomplete => 'off' }, autofocus: true + = f.input :otp_attempt, type: :number, wrapper: :with_label, label: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt'), :autocomplete => 'one-time-code' }, autofocus: true .actions = f.button :button, t('auth.login'), type: :submit