Merge branch 'hotfix-0.9.99999'
This commit is contained in:
commit
e2c72e5390
22
CHANGELOG.md
22
CHANGELOG.md
|
@ -1,4 +1,26 @@
|
|||
# Changelog
|
||||
=======
|
||||
All notable changes to this project will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||
## [0.9.99999] - 2019-05-31
|
||||
### Security
|
||||
- Mastodon API: Fix lists leaking private posts
|
||||
- HTML escaping: Lock down allowed class attributes to only those related to microformats
|
||||
|
||||
## [0.9.9999] - 2019-04-05
|
||||
### Security
|
||||
- Mastodon API: Fix content warnings skipping HTML sanitization
|
||||
|
||||
## [0.9.999] - 2019-03-13
|
||||
Frontend changes only.
|
||||
### Added
|
||||
- Added floating action button for posting status on mobile
|
||||
### Changed
|
||||
- Changed user-settings icon to a pencil
|
||||
### Fixed
|
||||
- Keyboard shortcuts activating when typing a message
|
||||
- Gaps when scrolling down on a timeline after showing new
|
||||
|
||||
## [0.9.99] - 2019-03-08
|
||||
### Changed
|
||||
|
|
|
@ -23,7 +23,7 @@ Client applications that are known to work well:
|
|||
* Tootle (iOS, No Streaming)
|
||||
* Whalebird (Windows + Mac + Linux)
|
||||
|
||||
This is the 0.9.9999 release.
|
||||
This is the 0.9.99999 release.
|
||||
|
||||
If you want to run your own server, feel free to contact us in our dev chat at #pleroma on freenode or via matrix at <https://matrix.heldscal.la/#/room/#freenode_#pleroma:matrix.org>.
|
||||
|
||||
|
|
|
@ -94,14 +94,31 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
|||
|
||||
# links
|
||||
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
||||
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
||||
|
||||
Meta.allow_tag_with_this_attribute_values("a", "class", [
|
||||
"hashtag",
|
||||
"u-url",
|
||||
"mention",
|
||||
"u-url mention",
|
||||
"mention u-url"
|
||||
])
|
||||
|
||||
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
||||
"tag",
|
||||
"nofollow",
|
||||
"noopener",
|
||||
"noreferrer"
|
||||
])
|
||||
|
||||
Meta.allow_tag_with_these_attributes("a", ["name", "title"])
|
||||
|
||||
# paragraphs and linebreaks
|
||||
Meta.allow_tag_with_these_attributes("br", [])
|
||||
Meta.allow_tag_with_these_attributes("p", [])
|
||||
|
||||
# microformats
|
||||
Meta.allow_tag_with_these_attributes("span", ["class"])
|
||||
Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
|
||||
Meta.allow_tag_with_these_attributes("span", [])
|
||||
|
||||
# allow inline images for custom emoji
|
||||
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
|
||||
|
@ -135,7 +152,23 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
|||
Meta.strip_comments()
|
||||
|
||||
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
||||
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
||||
|
||||
Meta.allow_tag_with_this_attribute_values("a", "class", [
|
||||
"hashtag",
|
||||
"u-url",
|
||||
"mention",
|
||||
"u-url mention",
|
||||
"mention u-url"
|
||||
])
|
||||
|
||||
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
||||
"tag",
|
||||
"nofollow",
|
||||
"noopener",
|
||||
"noreferrer"
|
||||
])
|
||||
|
||||
Meta.allow_tag_with_these_attributes("a", ["name", "title"])
|
||||
|
||||
Meta.allow_tag_with_these_attributes("abbr", ["title"])
|
||||
|
||||
|
@ -150,11 +183,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
|||
Meta.allow_tag_with_these_attributes("ol", [])
|
||||
Meta.allow_tag_with_these_attributes("p", [])
|
||||
Meta.allow_tag_with_these_attributes("pre", [])
|
||||
Meta.allow_tag_with_these_attributes("span", ["class"])
|
||||
Meta.allow_tag_with_these_attributes("strong", [])
|
||||
Meta.allow_tag_with_these_attributes("u", [])
|
||||
Meta.allow_tag_with_these_attributes("ul", [])
|
||||
|
||||
Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
|
||||
Meta.allow_tag_with_these_attributes("span", [])
|
||||
|
||||
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
|
||||
|
||||
if @allow_inline_images do
|
||||
|
|
|
@ -466,20 +466,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
|||
|
||||
defp restrict_tag(query, _), do: query
|
||||
|
||||
defp restrict_to_cc(query, recipients_to, recipients_cc) do
|
||||
from(
|
||||
activity in query,
|
||||
where:
|
||||
fragment(
|
||||
"(?->'to' \\?| ?) or (?->'cc' \\?| ?)",
|
||||
activity.data,
|
||||
^recipients_to,
|
||||
activity.data,
|
||||
^recipients_cc
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
defp restrict_recipients(query, [], _user), do: query
|
||||
|
||||
defp restrict_recipients(query, recipients, nil) do
|
||||
|
@ -629,9 +615,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|
|||
|> Enum.reverse()
|
||||
end
|
||||
|
||||
def fetch_activities_bounded(recipients_to, recipients_cc, opts \\ %{}) do
|
||||
def fetch_activities_bounded_query(query, recipients, recipients_with_public) do
|
||||
from(activity in query,
|
||||
where:
|
||||
fragment("? && ?", activity.recipients, ^recipients) or
|
||||
(fragment("? && ?", activity.recipients, ^recipients_with_public) and
|
||||
"https://www.w3.org/ns/activitystreams#Public" in activity.recipients)
|
||||
)
|
||||
end
|
||||
|
||||
def fetch_activities_bounded(recipients, recipients_with_public, opts \\ %{}) do
|
||||
fetch_activities_query([], opts)
|
||||
|> restrict_to_cc(recipients_to, recipients_cc)
|
||||
|> fetch_activities_bounded_query(recipients, recipients_with_public)
|
||||
|> Repo.all()
|
||||
|> Enum.reverse()
|
||||
end
|
||||
|
|
|
@ -121,7 +121,10 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|
|||
object
|
||||
|> Utils.determine_explicit_mentions()
|
||||
|
||||
explicit_mentions = explicit_mentions ++ ["https://www.w3.org/ns/activitystreams#Public"]
|
||||
follower_collection = User.get_cached_by_ap_id(get_actor(object)).follower_address
|
||||
|
||||
explicit_mentions =
|
||||
explicit_mentions ++ ["https://www.w3.org/ns/activitystreams#Public", follower_collection]
|
||||
|
||||
object
|
||||
|> fix_explicit_addressing(explicit_mentions)
|
||||
|
@ -367,6 +370,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
|
|||
when objtype in ["Article", "Note", "Video", "Page"] do
|
||||
actor = get_actor(data)
|
||||
|
||||
# Temporary to make 0.99999 hotfix work
|
||||
User.get_or_fetch_by_ap_id(actor)
|
||||
|
||||
data =
|
||||
Map.put(data, "actor", actor)
|
||||
|> fix_addressing
|
||||
|
|
2
mix.exs
2
mix.exs
|
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
|
|||
def project do
|
||||
[
|
||||
app: :pleroma,
|
||||
version: version("0.9.9999"),
|
||||
version: version("0.9.99999"),
|
||||
elixir: "~> 1.7",
|
||||
elixirc_paths: elixirc_paths(Mix.env()),
|
||||
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
|
||||
|
|
|
@ -18,6 +18,18 @@ defmodule Pleroma.HTMLTest do
|
|||
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
||||
"""
|
||||
|
||||
@html_span_class_sample """
|
||||
<span class="animate-spin">hi</span>
|
||||
"""
|
||||
|
||||
@html_span_microformats_sample """
|
||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||
"""
|
||||
|
||||
@html_span_invalid_microformats_sample """
|
||||
<span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
|
||||
"""
|
||||
|
||||
describe "StripTags scrubber" do
|
||||
test "works as expected" do
|
||||
expected = """
|
||||
|
@ -58,6 +70,36 @@ defmodule Pleroma.HTMLTest do
|
|||
|
||||
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||
end
|
||||
|
||||
test "does not allow spans with invalid classes" do
|
||||
expected = """
|
||||
<span>hi</span>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||
end
|
||||
|
||||
test "does allow microformats" do
|
||||
expected = """
|
||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||
end
|
||||
|
||||
test "filters invalid microformats markup" do
|
||||
expected = """
|
||||
<span class="h-card"><a>@<span>foo</span></a></span>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(
|
||||
@html_span_invalid_microformats_sample,
|
||||
Pleroma.HTML.Scrubber.TwitterText
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
describe "default scrubber" do
|
||||
|
@ -80,5 +122,34 @@ defmodule Pleroma.HTMLTest do
|
|||
|
||||
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
|
||||
end
|
||||
|
||||
test "does not allow spans with invalid classes" do
|
||||
expected = """
|
||||
<span>hi</span>
|
||||
"""
|
||||
|
||||
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
|
||||
end
|
||||
|
||||
test "does allow microformats" do
|
||||
expected = """
|
||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
|
||||
end
|
||||
|
||||
test "filters invalid microformats markup" do
|
||||
expected = """
|
||||
<span class="h-card"><a>@<span>foo</span></a></span>
|
||||
"""
|
||||
|
||||
assert expected ==
|
||||
HTML.filter_tags(
|
||||
@html_span_invalid_microformats_sample,
|
||||
Pleroma.HTML.Scrubber.Default
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -809,4 +809,33 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
|
|||
def data_uri do
|
||||
File.read!("test/fixtures/avatar_data_uri")
|
||||
end
|
||||
|
||||
describe "fetch_activities_bounded" do
|
||||
test "fetches private posts for followed users" do
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, activity} =
|
||||
CommonAPI.post(user, %{
|
||||
"status" => "thought I looked cute might delete later :3",
|
||||
"visibility" => "private"
|
||||
})
|
||||
|
||||
[result] = ActivityPub.fetch_activities_bounded([user.follower_address], [])
|
||||
assert result.id == activity.id
|
||||
end
|
||||
|
||||
test "fetches only public posts for other users" do
|
||||
user = insert(:user)
|
||||
{:ok, activity} = CommonAPI.post(user, %{"status" => "#cofe", "visibility" => "public"})
|
||||
|
||||
{:ok, _private_activity} =
|
||||
CommonAPI.post(user, %{
|
||||
"status" => "why is tenshi eating a corndog so cute?",
|
||||
"visibility" => "private"
|
||||
})
|
||||
|
||||
[result] = ActivityPub.fetch_activities_bounded([], [user.follower_address])
|
||||
assert result.id == activity.id
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1128,4 +1128,44 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
|
|||
)
|
||||
end
|
||||
end
|
||||
|
||||
describe "fix_explicit_addressing" do
|
||||
test "moves non-explicitly mentioned actors to cc" do
|
||||
user = insert(:user)
|
||||
|
||||
explicitly_mentioned_actors = [
|
||||
"https://pleroma.gold/users/user1",
|
||||
"https://pleroma.gold/user2"
|
||||
]
|
||||
|
||||
object = %{
|
||||
"actor" => user.ap_id,
|
||||
"to" => explicitly_mentioned_actors ++ ["https://social.beepboop.ga/users/dirb"],
|
||||
"cc" => [],
|
||||
"tag" =>
|
||||
Enum.map(explicitly_mentioned_actors, fn href ->
|
||||
%{"type" => "Mention", "href" => href}
|
||||
end)
|
||||
}
|
||||
|
||||
fixed_object = Transmogrifier.fix_explicit_addressing(object)
|
||||
assert Enum.all?(explicitly_mentioned_actors, &(&1 in fixed_object["to"]))
|
||||
refute "https://social.beepboop.ga/users/dirb" in fixed_object["to"]
|
||||
assert "https://social.beepboop.ga/users/dirb" in fixed_object["cc"]
|
||||
end
|
||||
|
||||
test "does not move actor's follower collection to cc" do
|
||||
user = insert(:user)
|
||||
|
||||
object = %{
|
||||
"actor" => user.ap_id,
|
||||
"to" => [user.follower_address],
|
||||
"cc" => []
|
||||
}
|
||||
|
||||
fixed_object = Transmogrifier.fix_explicit_addressing(object)
|
||||
assert user.follower_address in fixed_object["to"]
|
||||
refute user.follower_address in fixed_object["cc"]
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1461,7 +1461,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
|
|||
assert user = json_response(conn, 200)
|
||||
|
||||
assert user["note"] ==
|
||||
"I drink <a class=\"hashtag\" data-tag=\"cofe\" href=\"http://localhost:4001/tag/cofe\">#cofe</a> with <span class=\"h-card\"><a data-user=\"#{
|
||||
"I drink <a class=\"hashtag\" data-tag=\"cofe\" href=\"http://localhost:4001/tag/cofe\" rel=\"tag\">#cofe</a> with <span class=\"h-card\"><a data-user=\"#{
|
||||
user2.id
|
||||
}\" class=\"u-url mention\" href=\"#{user2.ap_id}\">@<span>#{user2.nickname}</span></a></span>"
|
||||
end
|
||||
|
|
|
@ -94,7 +94,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
|
|||
card: nil,
|
||||
reblog: nil,
|
||||
content:
|
||||
"cool test :firefox: <a class=\"hashtag\" data-tag=\"yeah\" href=\"http://localhost:4001/tag/yeah\">#yeah</a>",
|
||||
"cool test :firefox: <a class=\"hashtag\" data-tag=\"yeah\" href=\"http://localhost:4001/tag/yeah\" rel=\"tag\">#yeah</a>",
|
||||
created_at: created_at,
|
||||
reblogs_count: 0,
|
||||
replies_count: 0,
|
||||
|
|
|
@ -66,7 +66,7 @@ defmodule Pleroma.Web.TwitterAPI.ActivityViewTest do
|
|||
result = ActivityView.render("activity.json", activity: activity)
|
||||
|
||||
assert result["statusnet_html"] ==
|
||||
"<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\">#commute</a><br />MVIMG_20181211_054020.jpg"
|
||||
"<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\" rel=\"tag\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\" rel=\"tag\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\" rel=\"tag\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\" rel=\"tag\">#commute</a><br />MVIMG_20181211_054020.jpg"
|
||||
|
||||
assert result["text"] ==
|
||||
"#Bike log - Commute Tuesday\nhttps://pla.bike/posts/20181211/\n#cycling #CHScycling #commute\nMVIMG_20181211_054020.jpg"
|
||||
|
|
Loading…
Reference in New Issue