From 82655597db6da3e3089b35fdbd25991aa06d1229 Mon Sep 17 00:00:00 2001 From: Yamagishi Kazutoshi Date: Sat, 9 Apr 2022 03:18:20 +0900 Subject: [PATCH 1/3] Add v3.5.x to SECURITY.md (#17998) --- SECURITY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SECURITY.md b/SECURITY.md index 5531a306e6..12f50ed880 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,6 +12,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through | Version | Supported | | ------- | ------------------ | +| 3.5.x | Yes | | 3.4.x | Yes | | 3.3.x | Yes | | < 3.3 | No | From 012537452a1b9087ea085253e8d42fe4129cea42 Mon Sep 17 00:00:00 2001 From: 0x2019 <34298117+single-right-quote@users.noreply.github.com> Date: Fri, 8 Apr 2022 19:21:49 +0000 Subject: [PATCH 2/3] Fix error resposes for `from` search prefix (#17963) * Fix error responses in `from` search prefix (addresses mastodon/mastodon#17941) Using unsupported prefixes now reports a 422; searching for posts from an account the instance is not aware of reports a 404. TODO: The UI for this on the front end is abysmal. Searching `from:username@domain` now succeeds when `domain` is the local domain; searching `from:@username(@domain)?` now works as expected. * Remove unused methods on new Error classes as they are not being used Currently when `raise`d there are error messages being supplied, but this is not actually being used. The associated `raise`s have been edited accordingly. * Remove needless comments * Satisfy rubocop * Try fixing tests being unable to find AccountFindingConcern methods * Satisfy rubocop * Simplify `from` prefix logic This incorporates @ClearlyClaire's suggestion (see https://github.com/mastodon/mastodon/pull/17963#pullrequestreview-933986737). Accepctable account strings in `from:` clauses are more lenient than before this commit; for example, `from:@user@example.org@asnteo +cat` will not error, and return posts by @user@example.org containing the word "cat". This is more consistent with how Mastodon matches mentions in statuses. In addition, `from` clauses will not be checked for syntatically invalid usernames or domain names, simply 404ing when `Account.find_remote!` raises ActiveRecord::NotFound. New code for this PR that is no longer used has been removed. --- app/controllers/api/v2/search_controller.rb | 4 ++++ app/lib/search_query_transformer.rb | 8 ++++---- lib/exceptions.rb | 1 + 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/app/controllers/api/v2/search_controller.rb b/app/controllers/api/v2/search_controller.rb index f17431dd10..a305601333 100644 --- a/app/controllers/api/v2/search_controller.rb +++ b/app/controllers/api/v2/search_controller.rb @@ -11,6 +11,10 @@ class Api::V2::SearchController < Api::BaseController def index @search = Search.new(search_results) render json: @search, serializer: REST::SearchSerializer + rescue Mastodon::SyntaxError + unprocessable_entity + rescue ActiveRecord::RecordNotFound + not_found end private diff --git a/app/lib/search_query_transformer.rb b/app/lib/search_query_transformer.rb index c685d7b6fd..aef05e9d9d 100644 --- a/app/lib/search_query_transformer.rb +++ b/app/lib/search_query_transformer.rb @@ -88,14 +88,14 @@ class SearchQueryTransformer < Parslet::Transform case prefix when 'from' @filter = :account_id - username, domain = term.split('@') - account = Account.find_remote(username, domain) - raise "Account not found: #{term}" unless account + username, domain = term.gsub(/\A@/, '').split('@') + domain = nil if TagManager.instance.local_domain?(domain) + account = Account.find_remote!(username, domain) @term = account.id else - raise "Unknown prefix: #{prefix}" + raise Mastodon::SyntaxError end end end diff --git a/lib/exceptions.rb b/lib/exceptions.rb index eb472abaab..0c677b6605 100644 --- a/lib/exceptions.rb +++ b/lib/exceptions.rb @@ -10,6 +10,7 @@ module Mastodon class StreamValidationError < ValidationError; end class RaceConditionError < Error; end class RateLimitExceededError < Error; end + class SyntaxError < Error; end class UnexpectedResponseError < Error attr_reader :response From ed5491e5de6ede501715c421ad5fa53493f61250 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 8 Apr 2022 21:57:24 +0200 Subject: [PATCH 3/3] Bump version to 3.5.1 (#18000) --- CHANGELOG.md | 43 +++++++++++++++++++++++++++++++++++++++++ lib/mastodon/version.rb | 2 +- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd0ccc5f7f..8814d5a4c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,49 @@ Changelog All notable changes to this project will be documented in this file. +## [3.5.1] - 2022-04-08 +### Added + +- Add pagination for trending statuses in web UI ([Gargron](https://github.com/mastodon/mastodon/pull/17976)) + +### Changed + +- Change e-mail notifications to only be sent when recipient is offline ([Gargron](https://github.com/mastodon/mastodon/pull/17984)) + - Send e-mails for mentions and follows by default again + - But only when recipient does not have push notifications through an app +- Change `website` attribute to be nullable on `Application` entity in REST API ([rinsuki](https://github.com/mastodon/mastodon/pull/17962)) + +### Removed + +- Remove sign-in token authentication, instead send e-mail about new sign-in ([Gargron](https://github.com/mastodon/mastodon/pull/17970)) + - You no longer need to enter a security code sent through e-mail + - Instead you get an e-mail about a new sign-in from an unfamiliar IP address + +### Fixed + +- Fix error resposes for `from` search prefix ([single-right-quote](https://github.com/mastodon/mastodon/pull/17963)) +- Fix dangling language-specific trends ([Gargron](https://github.com/mastodon/mastodon/pull/17997)) +- Fix extremely rare race condition when deleting a status or account ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17994)) +- Fix trends returning less results per page when filtered in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/17996)) +- Fix pagination header on empty trends responses in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/17986)) +- Fix cookies secure flag being set when served over Tor ([Gargron](https://github.com/mastodon/mastodon/pull/17992)) +- Fix migration error handling ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17991)) +- Fix error when re-running some migrations if they get interrupted at the wrong moment ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17989)) +- Fix potentially missing statuses when reconnecting to streaming API in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17981), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17987), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17980)) +- Fix error when sending warning emails with custom text ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17983)) +- Fix unset `SMTP_RETURN_PATH` environment variable causing e-mail not to send ([Gargron](https://github.com/mastodon/mastodon/pull/17982)) +- Fix possible duplicate statuses in timelines in some edge cases in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17971)) +- Fix spurious edits and require incoming edits to be explicitly marked as such ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17918)) +- Fix error when encountering invalid pinned statuses ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17964)) +- Fix inconsistency in error handling when removing a status ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17974)) +- Fix admin API unconditionally requiring CSRF token ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17975)) +- Fix trending tags endpoint missing `offset` param in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/17973)) +- Fix unusual number formatting in some locales ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17929)) +- Fix `S3_FORCE_SINGLE_REQUEST` environment variable not working ([HolgerHuo](https://github.com/mastodon/mastodon/pull/17922)) +- Fix failure to build assets with OpenSSL 3 ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17930)) +- Fix PWA manifest using outdated routes ([HolgerHuo](https://github.com/mastodon/mastodon/pull/17921)) +- Fix error when indexing statuses into Elasticsearch ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17912)) + ## [3.5.0] - 2022-03-30 ### Added diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 256a3d3b7b..23e164b2e2 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -13,7 +13,7 @@ module Mastodon end def patch - 0 + 1 end def flags