Merge upstream changes #1158
Conversation
* Remove Salmon and PubSubHubbub endpoints
* Add error when trying to follow OStatus accounts
* Fix new accounts not being created in ResolveAccountService
* Disable incorrect check for hidden services in Socket

  Hidden services can only be accessed with an HTTP proxy, in which case the host seen by the Socket class will be the proxy, not the target host. Hidden services are already filtered in `Request#initialize`.
* Use our Socket class to connect to HTTP proxies

  Avoid the timeout logic being bypassed
* Add support for IP addresses in Request::Socket
* Refactor a bit, no need to keep the DNS resolver around
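The two target checks this commit message describes, as an added example that is not Mastodon's `Request::Socket` or `Request#initialize`: a `.onion` host is only reachable through an HTTP proxy, so the socket layer never sees it and the check has to happen when the request is set up; and private, loopback and link-local destinations are refused whether the host is a name (checked after resolution, every returned address) or an IP literal. The blocked range list, the `:ok`/`:hidden_service`/`:private_address` return values and the `resolver` lambda standing in for DNS are assumptions of the demo.

```ruby
require 'ipaddr'

# Added example, not Mastodon's Request::Socket. `resolver` stands in for DNS so the
# block runs offline; the range list is an assumed policy, adjust to your own.
module OutboundGuard
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
    192.0.0.0/24 192.168.0.0/16 198.18.0.0/15 224.0.0.0/4 240.0.0.0/4
    ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # True when `ip` (String or IPAddr) falls in a blocked range. IPv4-mapped IPv6
  # literals such as ::ffff:10.0.0.1 are unwrapped first so they cannot slip past
  # an IPv4-only list.
  def self.blocked_ip?(ip)
    addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
    addr = addr.native if addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  end

  # IP literals are checked directly instead of being handed to the resolver.
  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue ArgumentError
    false
  end

  # Classifies a target host as :ok, :hidden_service or :private_address.
  # `resolver.call(host)` must return the resolved IP strings; every address is
  # checked, so a name resolving to one public and one private address is rejected.
  def self.check(host, resolver:, proxy: nil)
    # A hidden service is only reachable via the proxy; without one, refuse it here,
    # because at socket level the host would be the proxy, not the .onion target.
    return(proxy ? :ok : :hidden_service) if host.end_with?('.onion')

    addresses = ip_literal?(host) ? [host] : resolver.call(host)
    addresses.any? { |ip| blocked_ip?(ip) } ? :private_address : :ok
  end
end

# Constructed sample run; the lambda replaces a real DNS lookup.
if __FILE__ == $PROGRAM_NAME
  fake_dns = lambda do |host|
    { 'cdn.example' => ['93.184.216.34'],
      'rebind.example' => ['93.184.216.34', '127.0.0.1'] }.fetch(host, [])
  end
  %w[cdn.example rebind.example 10.1.2.3 ::ffff:169.254.169.254 abc.onion].each do |h|
    puts "#{h}: #{OutboundGuard.check(h, resolver: fake_dns)}"
  end
end
```

The classification is done before connecting; a real implementation would additionally pin the connection to the address that was checked (rather than resolving a second time) so a DNS answer cannot change between check and connect.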
* Fix BackupService crashing when an attachment is missing

  For various reasons such as admin error or out-of-sync media and database backups, it might be possible for local attachments to be lost. This commit allows the BackupService to continue its work even if some media file is missing.
* Change error message
Bumps [react-redux](https://github.com/reduxjs/react-redux) from 6.0.1 to 7.1.0. - [Release notes](https://github.com/reduxjs/react-redux/releases) - [Changelog](https://github.com/reduxjs/react-redux/blob/master/CHANGELOG.md) - [Commits](reduxjs/react-redux@v6.0.1...v7.1.0) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [intl-relativeformat](https://github.com/formatjs/formatjs) from 2.2.0 to 6.4.2. - [Release notes](https://github.com/formatjs/formatjs/releases) - [Commits](https://github.com/formatjs/formatjs/compare/[email protected]@6.4.2) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [compression-webpack-plugin](https://github.com/webpack-contrib/compression-webpack-plugin) from 2.0.0 to 3.0.0. - [Release notes](https://github.com/webpack-contrib/compression-webpack-plugin/releases) - [Changelog](https://github.com/webpack-contrib/compression-webpack-plugin/blob/master/CHANGELOG.md) - [Commits](webpack-contrib/compression-webpack-plugin@v2.0.0...v3.0.0) Signed-off-by: dependabot-preview[bot] <[email protected]>
…todon#11254) Bumps [@babel/plugin-proposal-class-properties](https://github.com/babel/babel) from 7.4.4 to 7.5.0. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md) - [Commits](babel/babel@v7.4.4...v7.5.0) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [eslint-plugin-react](https://github.com/yannickcr/eslint-plugin-react) from 7.12.1 to 7.14.2. - [Release notes](https://github.com/yannickcr/eslint-plugin-react/releases) - [Changelog](https://github.com/yannickcr/eslint-plugin-react/blob/master/CHANGELOG.md) - [Commits](jsx-eslint/eslint-plugin-react@v7.12.1...v7.14.2) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [tzinfo-data](https://github.com/tzinfo/tzinfo-data) from 1.2019.1 to 1.2019.2. - [Release notes](https://github.com/tzinfo/tzinfo-data/releases) - [Commits](tzinfo/tzinfo-data@v1.2019.1...v1.2019.2) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.43.0 to 1.45.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](aws/aws-sdk-ruby@v1.43.0...v1.45.0) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [simplecov](https://github.com/colszowka/simplecov) from 0.16.1 to 0.17.0. - [Release notes](https://github.com/colszowka/simplecov/releases) - [Changelog](https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md) - [Commits](simplecov-ruby/simplecov@v0.16.1...v0.17.0) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [faker](https://github.com/stympy/faker) from 1.9.3 to 1.9.6. - [Release notes](https://github.com/stympy/faker/releases) - [Changelog](https://github.com/stympy/faker/blob/master/CHANGELOG.md) - [Commits](faker-ruby/faker@v1.9.3...1.9.6) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.11 to 4.17.13. **This update includes security fixes.** - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.11...4.17.13) Signed-off-by: dependabot-preview[bot] <[email protected]>
* Add HTTP signature requirement for served ActivityPub resources
* Change `SECURE_MODE` to `AUTHORIZED_FETCH`
* Add 'Signature' to 'Vary' header and improve code style
* Improve code style by adding `public_fetch_mode?` method
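The exchange behind that requirement, as an added example rather than Mastodon's own code: the fetching server signs `(request-target)`, `Host` and `Date` with its actor key (draft-cavage HTTP Signatures, RSA-SHA256), the serving side verifies against the key it looks up for `keyId`, and with the mode enabled an unsigned GET is refused. The 12-hour `Date` window, the `key_lookup` hash, the return symbols and the `Vary` value are assumptions for the demo.

```ruby
require 'openssl'
require 'base64'
require 'time'

# Added example, not Mastodon's signature code. Both sides of an authorized
# fetch: client signs, server verifies and refuses unsigned requests when on.
module AuthorizedFetchDemo
  SIGNED_HEADERS = %w[(request-target) host date].freeze
  DATE_WINDOW = 12 * 3600 # assumed replay window for the Date header

  # Canonical string per draft-cavage: one "name: value" line per signed header,
  # in the listed order; (request-target) is "method path".
  def self.signing_string(method, path, headers, header_names)
    header_names.map do |name|
      value = name == '(request-target)' ? "#{method.downcase} #{path}" : headers.fetch(name)
      "#{name}: #{value}"
    end.join("\n")
  end

  # Fetching side: returns the value for the Signature request header.
  def self.sign(method, path, headers, key_id, private_key)
    data = signing_string(method, path, headers, SIGNED_HEADERS)
    sig = private_key.sign(OpenSSL::Digest.new('SHA256'), data)
    %(keyId="#{key_id}",algorithm="rsa-sha256",headers="#{SIGNED_HEADERS.join(' ')}",signature="#{Base64.strict_encode64(sig)}")
  end

  def self.parse_signature(value)
    value.scan(/(\w+)="([^"]*)"/).to_h
  end

  # Serving side. `key_lookup` maps keyId to an OpenSSL public key (in practice a
  # fetch of the remote actor). Returns :ok, :unsigned, :unknown_key, :stale_date
  # or :bad_signature; with authorized_fetch off, unsigned requests pass.
  def self.verify(method, path, headers, key_lookup, now: Time.now, authorized_fetch: true)
    sig_header = headers['signature']
    return(authorized_fetch ? :unsigned : :ok) if sig_header.nil?

    params = parse_signature(sig_header)
    public_key = key_lookup[params['keyId']]
    return :unknown_key unless public_key

    # Refuse signatures that leave the target or the Date out of the signed set:
    # they could be replayed against any path, or forever.
    signed = params.fetch('headers', 'date').split(' ')
    return :bad_signature unless params['signature'] && SIGNED_HEADERS.all? { |h| signed.include?(h) }

    begin
      date = Time.httpdate(headers.fetch('date'))
    rescue ArgumentError, KeyError
      return :stale_date
    end
    return :stale_date if (now - date).abs > DATE_WINDOW

    data = signing_string(method, path, headers, signed)
    raw = Base64.strict_decode64(params['signature'])
    public_key.verify(OpenSSL::Digest.new('SHA256'), raw, data) ? :ok : :bad_signature
  rescue ArgumentError, KeyError, OpenSSL::PKey::PKeyError
    :bad_signature # undecodable signature, or a signed header missing from the request
  end

  # Served responses vary by signer, so caches must key on the Signature header too.
  def self.response_headers
    { 'Vary' => 'Accept, Signature' }
  end
end
```

Usage: the client builds `headers = { 'host' => ..., 'date' => Time.now.utc.httpdate }`, adds `headers['signature'] = AuthorizedFetchDemo.sign('GET', path, headers, key_id, key)`, and the server calls `AuthorizedFetchDemo.verify('GET', path, headers, lookup)`. The `Vary: Signature` part matters because a cache in front of the server would otherwise hand a response produced for one signed request to anyone asking for the same URL.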
* Add a spam check
* Use Nilsimsa to generate locality-sensitive hashes and compare using Levenshtein distance
* Add more tests
* Add exemption when the message is a reply to something that mentions the sender
* Use Nilsimsa Compare Value instead of Levenshtein distance
* Use MD5 for messages shorter than 10 characters
* Add message to automated report, do not add non-public statuses to automated report, add trust level to accounts and make unsilencing raise the trust level to prevent repeated spam checks on that account
* Expire spam check data after 3 months
* Add support for local statuses, reduce expiration to 1 week, always create a report
* Add content warnings to the spam check and exempt empty statuses
* Change Nilsimsa threshold to 95 and make sure removed statuses are removed from the spam check
* Add all matched statuses into automatic report
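The hashing core of that spam check, as an added example that is neither Mastodon's `SpamCheck` class nor the nilsimsa gem: a simplified trigram locality-sensitive hash stands in for Nilsimsa, the comparison is the Nilsimsa-style compare value (128 minus the number of differing bits of the two 256-bit digests), the threshold of 95 and the MD5 exact match for messages shorter than 10 characters come from the commit message above. The bucketing function, the whitespace normalisation and the sample messages are constructed for the demo.

```ruby
require 'digest'

# Added example, not Mastodon's SpamCheck. A near-duplicate detector in the
# shape the commit describes: LSH digest + compare value for normal messages,
# MD5 exact match for very short ones.
module SpamHashDemo
  NILSIMSA_THRESHOLD = 95   # compare value at or above which two statuses match
  SHORT_MESSAGE_LIMIT = 10  # messages shorter than this get an MD5 exact match
  BUCKETS = 256             # digest width in bits

  # Simplified Nilsimsa-like digest (assumption, not the real algorithm): count
  # trigrams into 256 buckets and set a bit where the count exceeds the mean, so
  # a small edit flips only the bits of the trigrams it touches. 64 hex chars.
  def self.lsh_hexdigest(text)
    counts = Array.new(BUCKETS, 0)
    chars = text.downcase.gsub(/\s+/, ' ').strip.each_char.to_a
    chars.each_cons(3) { |tri| counts[bucket(tri.join)] += 1 }
    mean = counts.sum.to_f / BUCKETS
    bits = counts.map { |c| c > mean ? 1 : 0 }
    bits.each_slice(8).map { |byte| format('%02x', byte.join.to_i(2)) }.join
  end

  # Stable trigram -> bucket mapping; MD5 is only used here as a cheap mixer.
  def self.bucket(trigram)
    Digest::MD5.digest(trigram).getbyte(0)
  end

  # Nilsimsa-style compare value: 128 minus the number of differing bits, so
  # identical digests score 128 and unrelated ones land around 0.
  def self.compare_value(hex_a, hex_b)
    a = [hex_a].pack('H*').bytes
    b = [hex_b].pack('H*').bytes
    differing = a.zip(b).sum { |x, y| (x ^ y).to_s(2).count('1') }
    128 - differing
  end

  # Short texts produce too few trigrams for a meaningful LSH, hence MD5.
  def self.digest_for(text)
    if text.length < SHORT_MESSAGE_LIMIT
      { kind: :md5, value: Digest::MD5.hexdigest(text) }
    else
      { kind: :lsh, value: lsh_hexdigest(text) }
    end
  end

  # True when `text` is a near-duplicate of any message in `previous_texts`.
  def self.duplicate?(text, previous_texts)
    current = digest_for(text)
    previous_texts.any? do |prev|
      other = digest_for(prev)
      next false unless other[:kind] == current[:kind]
      if current[:kind] == :md5
        current[:value] == other[:value]
      else
        compare_value(current[:value], other[:value]) >= NILSIMSA_THRESHOLD
      end
    end
  end
end

# Constructed sample statuses: two copies of a spam message with the mention
# changed, and an unrelated message.
if __FILE__ == $PROGRAM_NAME
  spam_a = 'buy cheap followers now at https://example.invalid/deal @alice'
  spam_b = 'buy cheap followers now at https://example.invalid/deal @bob'
  benign = 'good morning everyone, the coffee is ready in the kitchen today'
  puts "a vs b: #{SpamHashDemo.compare_value(SpamHashDemo.lsh_hexdigest(spam_a), SpamHashDemo.lsh_hexdigest(spam_b))}"
  puts "a vs benign: #{SpamHashDemo.compare_value(SpamHashDemo.lsh_hexdigest(spam_a), SpamHashDemo.lsh_hexdigest(benign))}"
  puts "b duplicate of a? #{SpamHashDemo.duplicate?(spam_b, [spam_a])}"
end
```

Changing the mention at the end of the message touches only the handful of trigrams around it, so the two spam variants stay within a few bits of each other while the unrelated message differs in most buckets; that is the property the compare value threshold relies on, and why a plain hash would not catch the per-recipient variation.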
There's the source of misunderstanding: I'm saying that "who is calling me" is a broken model. "Who said this thing" is another thing entirely; that's verifying the authenticity of messages. Authentication != authorization, though I know that prevailing paradigms conflate the two. You can see OAuth bearer tokens, for instance, as authority without authentication (even if authentication was used to obtain them, and it isn't always). That's the problem: a move from authentication to verify who is saying things to authentication as a form of authorization. I know it isn't obvious that this is a risk, and while there is academic'ish literature out there that explains it, I need to distill what risks we are facing here for an AP-implementor audience (we've done a bit more to explain the general concepts in this episode of Libre Lounge but it isn't "targeted" at the risks of moving to this model for authorization on the fediverse specifically). Anyway, I'm off to write. EDIT: Another source of confusion is that the words "authorization" and "authentication" sound so damn similar in English, leading me to even mix up the two while trying to explain things in this post. Fixed.
* Add environment variable to disable the anti-spam * Move antispam setting to admin settings * Fix typo * antispam → spam_check
Bumps [puma](https://github.com/puma/puma) from 3.12.1 to 4.0.1. - [Release notes](https://github.com/puma/puma/releases) - [Changelog](https://github.com/puma/puma/blob/master/History.md) - [Commits](puma/puma@v3.12.1...v4.0.1) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [rubocop-rails](https://github.com/rubocop-hq/rubocop-rails) from 2.2.0 to 2.2.1. - [Release notes](https://github.com/rubocop-hq/rubocop-rails/releases) - [Changelog](https://github.com/rubocop-hq/rubocop-rails/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop-rails@v2.2.0...v2.2.1) Signed-off-by: dependabot-preview[bot] <[email protected]>
Bumps [rack-attack](https://github.com/kickstarter/rack-attack) from 6.0.0 to 6.1.0. - [Release notes](https://github.com/kickstarter/rack-attack/releases) - [Changelog](https://github.com/kickstarter/rack-attack/blob/master/CHANGELOG.md) - [Commits](rack/rack-attack@v6.0.0...v6.1.0) Signed-off-by: dependabot-preview[bot] <[email protected]>
* Add support for an instance actor
* Skip username validation for local Application accounts
* Add migration script to create instance actor
* Make Codeclimate happy
* Switch to id -99 for instance actor
* Remove unused `icon` and `image` attributes from instance actor
* Use if/elsif/else instead of return + ternary operator
* Add instance actor to fresh installs
* Use instance actor as instance representative

  Use instance actor for forwarding reports, relay operations, and spam auto-reporting.
* Seed database in test environment
* Fix single-user mode
* Fix tests
* Fix specs to accommodate for an extra `Account`
* Auto-reject follows on instance actor

  Following an instance actor might make sense, but we are not handling that right now, so auto-reject.
* Fix webfinger lookup and serialization for instance actor
* Rename instance actor
* Make it clear in the HTML view that the instance actor should not be blocked
* Raise cache time for instance actor as there's no dynamic content
* Re-use /about/more with a flash message for instance actor profile
* Add test * Fix code for sanitizing nested lists stripping all tags
* Added logout to dropdown menu * Triggering build-and-test with empty commit as it seems it failed due to some internal failure * Looks fine, ready to review * Added changes from review * method can be null without any problems * Also target can be null
Bumps [strong_migrations](https://github.com/ankane/strong_migrations) from 0.4.0 to 0.4.1. - [Release notes](https://github.com/ankane/strong_migrations/releases) - [Changelog](https://github.com/ankane/strong_migrations/blob/master/CHANGELOG.md) - [Commits](ankane/strong_migrations@v0.4.0...v0.4.1) Signed-off-by: dependabot-preview[bot] <[email protected]>
Conflicts:
- Gemfile.lock
- app/controllers/accounts_controller.rb
- app/controllers/admin/dashboard_controller.rb
- app/controllers/follower_accounts_controller.rb
- app/controllers/following_accounts_controller.rb
- app/controllers/remote_follow_controller.rb
- app/controllers/stream_entries_controller.rb
- app/controllers/tags_controller.rb
- app/javascript/packs/public.js
- app/lib/sanitize_config.rb
- app/models/account.rb
- app/models/form/admin_settings.rb
- app/models/media_attachment.rb
- app/models/stream_entry.rb
- app/models/user.rb
- app/serializers/initial_state_serializer.rb
- app/services/batched_remove_status_service.rb
- app/services/post_status_service.rb
- app/services/process_mentions_service.rb
- app/services/reblog_service.rb
- app/services/remove_status_service.rb
- app/views/admin/settings/edit.html.haml
- config/locales/simple_form.pl.yml
- config/settings.yml
- docker-compose.yml
…/:id` Port SCSS changes from b851456 to glitch-soc Signed-off-by: Thibaut Girka <[email protected]>
Port SCSS changes from 730c405 Signed-off-by: Thibaut Girka <[email protected]>
* Add spec covering numeric-only hashtags * Fix hashtag regex
Upstream now signs fetch requests with a dedicated actor not representing a user in particular, and the anti-spam can be disabled from the admin interface. Therefore, I am ready to merge this into glitch-soc. The code for requiring authentication for fetches is here and can be enabled, but its use is not encouraged nor documented. I don't think having it in changes anything wrt. our ability to switch to an ocap-based approach when that starts being sufficiently well specified.
We were rendering an escaped version of the SVG in this template where we should have been rendering the SVG itself. Fixes glitch-soc#1158.
A lot of upstream changes, the most disruptive being:
It is currently not optional. It can be disabled from the admin settings.
the representative account (that is, the contact account if it is defined, the first non-suspended local account in the database otherwise)
a dedicated instance actor