v3.4.6-branch #2

Merged
asonix merged 11 commits from v3.4.6-branch into asonix/changes 2022-02-03 15:06:47 +00:00
Owner

Upgrade notes

Because this is a backport, it is not available with git pull. Use git fetch && git checkout v3.4.6

As always, make sure you have backups of the database before performing any upgrades. If you are using docker-compose, this is how a backup command might look: docker exec mastodon_db_1 pg_dump -Fc -U postgres postgres > name_of_the_backup.dump

Dependencies

External dependencies have not changed compared to v3.4.5; the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

  • Ruby: 2.5 to 3.1
  • PostgreSQL: 9.5 or newer
  • Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
  • Redis: 4 or newer
  • Node: 12 or higher

Update steps

The following instructions are for updating from 3.4.5.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

Non-Docker

  1. Pull the code: git fetch && git checkout v3.4.6
  2. Restart mastodon-web and mastodon-sidekiq:
     • systemctl reload mastodon-web
     • systemctl restart mastodon-sidekiq

Docker

The exact steps depend on your setup, but they are likely to match the following:

  1. Pull the code: git fetch && git checkout v3.4.6
  2. Pull the prebuilt images: docker-compose pull, or, alternatively, build them yourself: docker-compose build --pull
  3. Restart all Mastodon processes: docker-compose up -d
asonix added 11 commits 2022-02-03 15:06:20 +00:00
c8dbbd60eb Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't built from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
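The commit message above describes parameterising the `to_tsquery` input so the query cannot be broken open by its argument. The following is an added illustration of that difference and is not Mastodon's code: it pairs a string-interpolated template with a parameterised one and uses a minimal stand-in for ActiveRecord's `sanitize_sql_array` (in a Rails app one would use that method, or a `where("... to_tsquery('simple', ?)", term)` bind, rather than this helper). The `accounts` table and `display_name` column are placeholders, and the quoting rule assumes PostgreSQL with `standard_conforming_strings = on`.

```ruby
# Added illustration, not Mastodon's code: a string-interpolated to_tsquery
# argument versus a parameterised one. Assumes PostgreSQL with
# standard_conforming_strings = on, where a string literal only needs its
# embedded single quotes doubled (backslashes are then ordinary characters).

# Quote a Ruby string as a PostgreSQL string literal.
def pg_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Minimal stand-in for ActiveRecord's sanitize_sql_array: every "?" in the
# template is a placeholder and is replaced, in one pass, by a quoted literal.
# A single pass matters: a value containing "?" must not be mistaken for a
# fresh placeholder on a later substitution.
def sanitize_sql_array(template, *values)
  expected = template.count("?")
  unless expected == values.size
    raise ArgumentError, "template has #{expected} placeholders, got #{values.size} values"
  end
  index = -1
  template.gsub("?") { pg_quote(values[index += 1]) }
end

# Hypothetical search template in the spirit of the account search the commit
# describes (table and column names are placeholders, not Mastodon's schema).
SEARCH_TEMPLATE = <<~SQL
  SELECT accounts.id
  FROM accounts
  WHERE to_tsvector('simple', accounts.display_name) @@ to_tsquery('simple', ?)
SQL

# Fragile form: the user-supplied term is spliced straight into the SQL text,
# so any single quote in it ends the literal early.
def unsafe_search_sql(term)
  SEARCH_TEMPLATE.sub("?") { "'#{term}'" }
end

# Robust form: the term reaches the database as a correctly quoted literal.
def safe_search_sql(term)
  sanitize_sql_array(SEARCH_TEMPLATE, term)
end

# Crude structural check: a statement whose single quotes do not pair up has
# had a literal broken open somewhere.
def balanced_quotes?(sql)
  sql.count("'").even?
end

if $PROGRAM_NAME == __FILE__
  ["alice", "o'brien"].each do |term|
    puts "term: #{term.inspect}"
    puts "  unsafe balanced? #{balanced_quotes?(unsafe_search_sql(term))}"
    puts "  safe   balanced? #{balanced_quotes?(safe_search_sql(term))}"
  end
end
```

Quoting only fixes the structural problem. `to_tsquery` still parses its argument as a tsquery expression, so malformed input such as a trailing operator or an unbalanced parenthesis raises a PostgreSQL syntax error that the application has to handle separately.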
a06dda41d0 disable legacy XSS filtering (#17289)
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
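As an added example, not the project's own code: the commit above disables the legacy browser XSS filter, and for browsers that still honour the header (the commit names Safari and IE) the way to do that is to send `X-XSS-Protection: 0`. The middleware below does exactly that regardless of what the application set, and the audit helper flags responses that leave the filter enabled. It is plain Ruby with no rack gem required, since a Rack middleware is just an object whose `call` takes an env and returns `[status, headers, body]`; the upstream `APP` lambda is a constructed stand-in.

```ruby
# Added illustration, not Mastodon's code: a Rack-style middleware that forces
# "X-XSS-Protection: 0" onto every response, plus an audit helper for headers.
# No rack gem needed: a middleware is any object whose #call takes an env and
# returns [status, headers, body].

class DisableLegacyXssFilter
  HEADER = "X-XSS-Protection".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Overwrite any value the application set (for example an old
    # "1; mode=block"), so the legacy filter is switched off consistently.
    headers[HEADER] = "0"
    [status, headers, body]
  end
end

# Return the findings for a response's headers (empty when the response is
# fine). Header names are compared case-insensitively, as HTTP requires.
def legacy_xss_findings(headers)
  findings = []
  pair = headers.find { |name, _| name.to_s.casecmp?(DisableLegacyXssFilter::HEADER) }
  value = pair && pair.last
  if value.nil?
    findings << "X-XSS-Protection absent: the browser falls back to its own default"
  elsif value.to_s.strip != "0"
    findings << "X-XSS-Protection is #{value.inspect}: legacy filter left enabled"
  end
  findings
end

# Constructed upstream app that still sets the old header value.
APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "X-XSS-Protection" => "1; mode=block" }, ["<p>hi</p>"]]
end

# Run the constructed app through the middleware.
def hardened_response(env = {})
  DisableLegacyXssFilter.new(APP).call(env)
end

if $PROGRAM_NAME == __FILE__
  _, headers, = hardened_response
  puts "after middleware: #{headers.inspect}"
  puts "findings before: #{legacy_xss_findings(APP.call({})[1]).inspect}"
  puts "findings after:  #{legacy_xss_findings(headers).inspect}"
end
```

Sending `0` only tells the remaining browsers not to run their heuristic filter; it is not a substitute for output encoding and a Content-Security-Policy, which are what actually limit script injection.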
asonix merged commit 9967454486 into asonix/changes 2022-02-03 15:06:47 +00:00
Reference: asonix/mastodon#2