v3.4.5-branch #1

Merged
asonix merged 60 commits from v3.4.5-branch into asonix/changes 2022-01-31 18:33:23 +00:00
Owner

Warning: Mastodon v3.3.2 and v3.4.6 will be released on Thursday, February 3rd, between 13:00 and 15:00 UTC, fixing a variety of bugs, including a critical security issue.
To make applying the fixes easier, you can prepare by updating to Mastodon v3.4.5 (or v3.3.1), as migrating from this bugfix release will require no dependency update, no database migration and no assets compilation.

Changelog

Added

  • Add more advanced migration tests (ClearlyClaire)
  • Add github workflow to build Docker images (unasuke, Gargron, Gargron)

Fixed

  • Fix some old migrations failing when skipping releases (ClearlyClaire)
  • Fix migrations script failing in certain edge cases (ClearlyClaire)
  • Fix Docker build (tribela)
  • Fix Ruby 3.0 dependencies (ClearlyClaire)
  • Fix followers synchronization mechanism (ClearlyClaire)

Upgrade notes

Because this is a backport, it is not available with git pull. Use git fetch && git checkout v3.4.5

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have not changed compared to v3.4.4; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 2.5 to 3.1
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
  • Redis: 4 or newer
  • Node: 12 or higher

Update steps

Non-Docker

  1. Pull the code: git fetch && git checkout v3.4.5
  2. Install dependencies: bundle install and yarn install

Docker

The exact steps depend on your setup, but they are likely to match the following:

  1. Pull the code: git fetch && git checkout v3.4.5
  2. Pull the prebuilt images: docker-compose pull, or, alternatively, build them yourself: docker-compose build --pull
  3. Restart all Mastodon processes: docker-compose up -d

Both Docker and non-Docker:

  1. Run the database migrations:
    • Non-Docker: RAILS_ENV=production bundle exec rails db:migrate
    • Docker: docker-compose run --rm web rails db:migrate
  2. Precompile the assets:
    • Non-Docker: RAILS_ENV=production bundle exec rails assets:precompile
    • Docker: The assets are already precompiled during the build step
  3. Restart all Mastodon processes
asonix added 60 commits 2022-01-31 18:31:12 +00:00
e62f488be5 Fix newlines in account notes added by the Move handler (#16415)
* Fix newlines in account notes added by the move handler

* Make MoveWorker more robust
4f852448e1 Fix crash when encountering invalid account fields (#16598)
* Add test

* Fix crash when encountering invalid account fields
f51c6cba1f Fix remotely-suspended accounts' toots being merged back into timelines (#16628)
* Fix remotely-suspended accounts' toots being merged back into timelines

* Mark remotely-deleted accounts as remotely suspended
2688f18d06 Fix authentication failures after going halfway through a sign-in attempt (#16607)
* Add tests

* Add security-related tests

My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities; this addresses them in a test.

* Fix authentication failures after going halfway through a sign-in attempt

* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
663b58aaae use relative path for scope (#16714)
Use relative path for `scope` in web manifest to allow users to use PWA correctly via alternate domains.
2396c9061a Fix webauthn secure key authentication (#16792)
* Add tests

* Fix webauthn secure key authentication

Fixes #16769
e63370db19 Fix scheduled statuses decreasing statuses counts (#16791)
* Add tests

* Fix scheduled statuses decreasing statuses counts

Fixes #16774
123a88b6b5 Fix some link previews being incorrectly generated from other prior links (#16885)
* Add tests

* Fix some link previews being incorrectly generated from different prior links

PR #12403 added a cache to avoid redundant queries when the OEmbed endpoint can
be guessed from the URL. This caching mechanism is not perfectly correct as
there is no guarantee that all pages from a given domain share the same
OEmbed provider endpoint.

This PR prevents the FetchOEmbedService from caching OEmbed endpoint that
cannot be generalized by replacing a fully-qualified URL from the endpoint's
parameters, greatly reducing the number of incorrect cached generalizations.
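The commit message above describes the caching rule (only remember an OEmbed endpoint when the page's fully-qualified URL can be swapped out of it). The following is an added illustration in Ruby, not Mastodon's `FetchOEmbedService` code: the URLs, the `{url}` placeholder convention and the `OEmbedEndpointCache` class are constructed for this example.

```ruby
require 'uri'

# Constructed sample values (not from the page): one page and two endpoint shapes.
PAGE_URL = 'https://blog.example.com/posts/42'.freeze
ENDPOINT_WITH_PAGE_URL =
  'https://blog.example.com/oembed?format=json&url=https%3A%2F%2Fblog.example.com%2Fposts%2F42'.freeze
ENDPOINT_WITHOUT_PAGE_URL = 'https://blog.example.com/oembed/42?format=json'.freeze

# Returns a cacheable template with the page URL replaced by "{url}", or nil
# when the endpoint does not embed the fully-qualified page URL and therefore
# cannot safely be generalized to other pages on the same host.
def generalize_endpoint(page_url, endpoint)
  base, query = endpoint.split('?', 2)
  return nil if query.nil?

  params = URI.decode_www_form(query)
  return nil unless params.any? { |_k, v| v == page_url }

  encoded = params.map do |k, v|
    value = v == page_url ? '{url}' : URI.encode_www_form_component(v)
    "#{URI.encode_www_form_component(k)}=#{value}"
  end
  "#{base}?#{encoded.join('&')}"
end

# Fills a cached template in for another page URL.
def instantiate_endpoint(template, page_url)
  template.sub('{url}', URI.encode_www_form_component(page_url))
end

# Per-host cache that only ever stores generalizable endpoints.
class OEmbedEndpointCache
  def initialize
    @templates = {}
  end

  # Called after discovering an endpoint on a fetched page; true if it was cached.
  def remember(page_url, endpoint)
    template = generalize_endpoint(page_url, endpoint)
    return false if template.nil?

    @templates[URI.parse(page_url).host] = template
    true
  end

  # Guessed endpoint for a page on a known host, or nil when nothing cacheable is known.
  def guess(page_url)
    template = @templates[URI.parse(page_url).host]
    template && instantiate_endpoint(template, page_url)
  end
end
```

With the first endpoint shape the cache learns `https://blog.example.com/oembed?format=json&url={url}` and can guess the endpoint for `/posts/43`; with the second shape (page id baked into the path, no URL parameter) `remember` returns false and later pages on that host fall back to a fresh discovery instead of a wrong guess.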
aa828aea02 Fix mastodon:setup to take dotenv/docker-compose differences into account (#16896)
In order to work around https://github.com/mastodon/mastodon/issues/16895,
add a warning to .env.production.sample, and change the mastodon:setup rake
task to:
- output a warning if a variable will be interpreted differently by dotenv
  and docker-compose
- ensure the printed config is compatible with docker-compose
d5a50e9dfb Add configuration attribute to GET /api/v1/instance (#16485)
List various values like file size limits and supported mime types
9b34647c9b Fix followers synchronization mechanism not working when URI has empty path (#16744)
Follow-up to #16510, forgot the controller exposing the actual followers…
e40d5414cc Fix crashes with Microsoft Translate on Microsoft Edge (#16525)
Fixes #16509

Microsoft Edge with translation enabled rewrites the DOM in ways that confuse
react and prevent it from working properly. Wrapping the offending parts in
a span avoids this issue.
a1e5ff04e3 Fix tootctl self-destruct not sending Delete activities for recently-suspended accounts (#16688)
* Do not block existing users' emails on self-destruct

That is wasteful and unintuitive

* Do not close registrations when running tootctl self-destruct with --dry-run

* Close registrations on self-destruct regardless of known remote accounts

* Fix tootctl self-destruct not sending Deletes for recently-suspended accounts

* Suspend local users even if no remote account is known

* Do not show scary confirmation text if run with --dry-run
9a468c895b Fix inefficiencies in auto-linking code (#16506)
The auto-linking code basically rewrote the whole string escaping non-ascii
characters in an inefficient way, and building a full character offset map
between the unescaped and escaped texts before sending the contents to
TwitterText's extractor.

Instead of doing that, this commit changes the TwitterText regexps to include
valid IRI characters in addition to valid URI characters.
aebcb722aa Fix serialization of followers/following counts when user hides their network (#16418)
* Add tests

* Fix serialization of followers/following counts when user hides their network

Fixes #16382

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
34ab4111a7 Fix WebUI crash when a toot with a playing video gets deleted (#16384)
* Fix WebUI crash when a toot with a playing video gets deleted

* Fix pop-up player not closing the moment a status is deleted
4bc1fde105 Fix anonymous access to outbox not being cached by the reverse proxy (#16458)
* Fix anonymous access to outbox not being cached by the reverse proxy

Up until now, anonymous access to outbox was marked as public, but with a
0 duration for caching, which means remote proxies would only serve from cache
when the server was completely overwhelmed.

Changed that cache duration to one minute, so that repeated anonymous access
to one account's outbox can be appropriately cached.

Also added `Signature` to the `Vary` header in case a page is requested, so
that authenticated fetches are never served from cache (which only contains
public toots).

* Remove Vary: Accept header from webfinger controller

Indeed, we have stopped returning xrd, and only ever return jrd, so the
Accept request header does not matter anymore.

* Cache negative webfinger hits for 3 minutes
c79d4711e9 Change references to tootsuite/mastodon to mastodon/mastodon (#16491)
* Change references to tootsuite/mastodon to mastodon/mastodon

* Remove obsolete test fixture

* Replace occurrences of tootsuite/mastodon with mastodon/mastodon in CHANGELOG

And a few other places
986397b3a2 Improve modal flow and back button handling (#16499)
* Refactor shouldUpdateScroll passing

So far, shouldUpdateScroll has been manually passed down from the very top of
the React component hierarchy even though it is a static function common to
all ScrollContainer instances, so replaced that with a custom class extending
ScrollContainer.

* Generalize “press back to close modal” to any modal and to public pages

* Fix boost confirmation modal closing media modal
c3a6f7b941 Fix user email address being banned on self-deletion (#16503)
* Add tests

* Fix user email address being banned on self-deletion

Fixes #16498
3251b8eead Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them

This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
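The two failure modes named in the commit message above (a closed session being revived from the shared `remember_user_token`, and revoking that token logging every browser out) are easier to see with a small model. The Ruby below is an added example and not Mastodon's or Devise's code; `LegacyAuth`, `SessionScopedAuth` and the scenario functions are constructed for this illustration, and the cookies are plain random hex rather than Devise's signed cookies.

```ruby
require 'securerandom'

# Old scheme (the one the commit removes): a single remember token per user,
# copied into every browser's cookie. Closing a session does not touch it.
class LegacyAuth
  def initialize
    @remember_token = SecureRandom.hex(16)
    @sessions = {} # session_id => active?
  end

  # Returns [session_id, remember_cookie]; every browser gets the same cookie.
  def sign_in
    id = SecureRandom.hex(16)
    @sessions[id] = true
    [id, @remember_token]
  end

  def active?(session_id)
    @sessions.fetch(session_id, false)
  end

  # What "close this session" from /auth/edit did: it only disables the session.
  def close_session(session_id)
    @sessions[session_id] = false if @sessions.key?(session_id)
  end

  # Rememberable behaviour: a matching cookie spawns a fresh session.
  def auto_sign_in(remember_cookie)
    return nil if @remember_token.nil? || remember_cookie != @remember_token

    id = SecureRandom.hex(16)
    @sessions[id] = true
    id
  end

  # The only way to stop revival: drop the token, which affects every browser.
  def forget_all!
    @remember_token = nil
  end
end

# New scheme (as the commit describes it): the _session_id cookie doubles as a
# browser-specific remember token, so revoking a session also revokes its revival.
class SessionScopedAuth
  def initialize
    @sessions = {}
  end

  def sign_in
    id = SecureRandom.hex(16)
    @sessions[id] = true
    id
  end

  def active?(session_id)
    @sessions.fetch(session_id, false)
  end

  def close_session(session_id)
    @sessions[session_id] = false if @sessions.key?(session_id)
  end

  # Auto sign-in presents the same session id; a closed session stays closed.
  def auto_sign_in(session_id)
    active?(session_id) ? session_id : nil
  end
end

# The user closes the laptop session from /auth/edit, then the laptop presents
# its remember cookie again. Returns [laptop_revived, phone_still_signed_in].
def legacy_scenario
  auth = LegacyAuth.new
  laptop, laptop_cookie = auth.sign_in
  phone, = auth.sign_in
  auth.close_session(laptop)
  revived = auth.auto_sign_in(laptop_cookie)
  [!revived.nil? && auth.active?(revived), auth.active?(phone)]
end
# => [true, true]: the closed session came straight back.

# Stopping revival the old way. Returns [laptop_auto_login_blocked, phone_auto_login_blocked].
def legacy_forget_all_scenario
  auth = LegacyAuth.new
  laptop, laptop_cookie = auth.sign_in
  _phone, phone_cookie = auth.sign_in
  auth.close_session(laptop)
  auth.forget_all!
  [auth.auto_sign_in(laptop_cookie).nil?, auth.auto_sign_in(phone_cookie).nil?]
end
# => [true, true]: the phone lost auto sign-in even though it was never closed.

# Same user action under the new scheme.
# Returns [laptop_revival_blocked, phone_still_active, phone_auto_login_works].
def fixed_scenario
  auth = SessionScopedAuth.new
  laptop = auth.sign_in
  phone = auth.sign_in
  auth.close_session(laptop)
  [auth.auto_sign_in(laptop).nil?, auth.active?(phone), auth.auto_sign_in(phone) == phone]
end
# => [true, true, true]
```

The model deliberately leaves out cookie signing and expiry so that the only difference between the two classes is what the remember credential identifies: the user (shared) versus one browser session (revocable on its own).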
77d0297313 Fix replying from modal (#16516)
Fixes #16515

Not using a router object somehow made `this.history` lag behind the real
browser history whenever pushing a new history item in `replyCompose`.

Not using the context-provided router in this case was an oversight made
when porting glitch-soc changes in #16499.
e65ede1ac5 Fix upload of remote media with OpenStack Swift sometimes failing (#16998)
Under certain conditions, files fetched from remotes trigger an error when
being uploaded using OpenStack Swift. This is because in some cases, the
remote server will not return a content-length, so our ResponseWithLimitAdapter
will hold a `nil` value for `#size`, which will lead to an invalid value
for the Content-Length header of the Swift API call.

This commit fixes that by taking the size from the actually-downloaded file
size rather than the upstream-provided Content-Length header value.
22cd1e6ab5 Fix confusing error when webfinger request returns empty document (#16986)
For some reason, some misconfigured servers return an empty document when
queried over webfinger. Since an empty document does not lead to a parse
error, the error is not caught properly and triggers uncaught exceptions
later on.

This PR fixes that by immediately erroring out with `Webfinger::Error` on
getting an empty response.
3c18311d86 Fix error when suspending user with an already-existing canonical email block (#17036)
* Fix error when suspending user with an already-existing canonical email block

Fixes #17033

While attempting to create a `CanonicalEmailBlock` with an existing hash would
raise an `ActiveRecord::RecordNotUnique` error, this being done within a
transaction would cancel the whole transaction. For this reason, checking for
uniqueness in Rails would query the database within the transaction and avoid
invalidating the whole transaction.

A race condition is still possible, where multiple accounts sharing a canonical
email would be blocked in concurrent transactions, in which only one would
succeed, but that is way less likely to happen than the current issue, and can
always be retried after the first failure, unlike the current situation.

* Add tests
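The commit message above explains why rescuing `ActiveRecord::RecordNotUnique` inside the suspension transaction is not enough: the failed statement has already aborted the transaction, so every later statement fails too. The Ruby below is an added example, not Mastodon's code or Rails' transaction implementation; `ToyDatabase` is a constructed in-memory stand-in that reproduces that PostgreSQL behaviour, and the account and email values are made up.

```ruby
require 'digest'

class RecordNotUnique < StandardError; end
class TransactionAborted < StandardError; end

# Constructed in-memory database mimicking two PostgreSQL behaviours: a unique
# index rejects duplicates, and any failed statement leaves the transaction in
# an aborted state until it is rolled back.
class ToyDatabase
  attr_reader :blocks, :suspended

  def initialize(existing_blocks = [])
    @blocks = existing_blocks.map { |h| [h, true] }.to_h
    @suspended = []
    @aborted = false
  end

  def transaction
    snapshot = [@blocks.dup, @suspended.dup]
    yield self
    raise TransactionAborted, 'commit refused: transaction already aborted' if @aborted
  rescue StandardError
    @blocks, @suspended = snapshot # roll back
    @aborted = false
    raise
  end

  def block_exists?(hash)
    check_open!
    @blocks.key?(hash)
  end

  def insert_block(hash)
    check_open!
    if @blocks.key?(hash)
      @aborted = true # the failed INSERT poisons the whole transaction
      raise RecordNotUnique, "duplicate canonical email hash #{hash}"
    end
    @blocks[hash] = true
  end

  def mark_suspended(account)
    check_open!
    @suspended << account
  end

  private

  def check_open!
    raise TransactionAborted, 'current transaction is aborted' if @aborted
  end
end

def canonical_hash(email)
  Digest::SHA256.hexdigest(email.downcase)
end

# Problematic shape: insert and rescue the uniqueness error. The rescue hides
# the error, but the statement has already aborted the enclosing transaction.
def suspend_rescuing_duplicate(db, account, email)
  db.transaction do |t|
    begin
      t.insert_block(canonical_hash(email))
    rescue RecordNotUnique
      nil # swallowed, but too late
    end
    t.mark_suspended(account)
  end
  :committed
rescue TransactionAborted
  :rolled_back
end

# Fixed shape: check for an existing block first, so no failing statement runs.
def suspend_checking_first(db, account, email)
  db.transaction do |t|
    hash = canonical_hash(email)
    t.insert_block(hash) unless t.block_exists?(hash)
    t.mark_suspended(account)
  end
  :committed
rescue TransactionAborted
  :rolled_back
end

# Both variants run against a database that already holds the block.
def demo
  email = 'someone@example.com' # constructed
  before = ToyDatabase.new([canonical_hash(email)])
  after = ToyDatabase.new([canonical_hash(email)])
  [suspend_rescuing_duplicate(before, 'alice', email), before.suspended,
   suspend_checking_first(after, 'alice', email), after.suspended]
end
# => [:rolled_back, [], :committed, ["alice"]]
```

As the commit message notes, the check-then-insert form still has a window between the existence check and the insert in which a concurrent transaction can win; that case surfaces as a plain `RecordNotUnique` from `insert_block` and can be retried, which is what makes it preferable to the always-failing shape.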
b782f86b51 Fix some old migration scripts (#17394)
* Fix some old migration scripts

* Fix edge case in two-step migration from older releases
959234c1e4 Save bundle config as local (#17188)
Some bundle options are saved as global user config and not project local.
Especially, `deployment` must be saved as local config to be run on copied environment
0ae91e45de Build container image by GitHub Actions (#16973)
* Build container image by GitHub Actions

* Trigger docker build only when pushed to main branch

* Tweak tagging image

- "edge" is the main branch
- "latest" is the tagged latest release
03f0e98b32 Fix followers synchronization mechanism not working when URI has empty path (#16510)
* Fix followers synchronization mechanism not working when URI has empty path

To my knowledge, there is no current implementation on the fediverse
that can use bare domains (e.g., actor is at https://example.org instead of
something like https://example.org/actor) that also plans to support the
followers synchronization mechanism. However, Mastodon's current implementation
would exclude such accounts from followers list.

Also adds tests and renames them to reflect the proper method names.

* Move url prefix regexp to its own constant
d722222fe1 Add more advanced migration tests (#17393)
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
asonix merged commit 2485f6604d into asonix/changes 2022-01-31 18:33:23 +00:00
Reference: asonix/mastodon#1