Merge branch 'mergeback/2.6.0' into 'develop'

mergeback: 2.6.0

Closes #3135

See merge request pleroma/pleroma!3964

.gitlab/merge_request_templates/Release.md

@@ -1,6 +1,6 @@
 ### Release checklist
 * [ ] Bump version in `mix.exs`
-* [ ] Compile a changelog
+* [ ] Compile a changelog with the `tools/collect-changelog` script
 * [ ] Create an MR with an announcement to pleroma.social
 #### post-merge
 * [ ] Tag the release on the merge commit

CHANGELOG.md

@@ -4,19 +4,65 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
+## 2.6.0
-
+### Security
-### Changed
+- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
+- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
+- Disable XML entity resolution completely to fix a dos vulnerability
 
 ### Added
 - Support for Image activities, namely from Hubzilla
+- Add OAuth scope descriptions
+- Allow lang attribute in status text
+- OnlyMedia Upload Filter
+- Implement MRF policy to reject or delist according to emojis
+- (hardening) Add no_new_privs=yes to OpenRC service files
+- Implement quotes
+- Add unified streaming endpoint
 
 ### Fixed
-
 - rel="me" was missing its cache
+- MediaProxy responses now return a sandbox CSP header
+- Filter context activities using Visibility.visible_for_user?
+- UploadedMedia: Add missing disposition_type to Content-Disposition
+- fix not being able to fetch flash file from remote instance
+- Fix abnormal behaviour when refetching a poll
+- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"
+- Fix opengraph and twitter card meta tags
+- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts
+- OEmbed HTML tags are now filtered
+- Restrict attachments to only uploaded files only
+- Fix error 404 when deleting status of a banned user
+- Fix config ownership in dockerfile to pass restriction test
+- Fix user fetch completely broken if featured collection is not in a supported form
+- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty
+- Fix handling report from a deactivated user
+- Prevent using the .json format to bypass authorized fetch mode
+- Fix mentioning punycode domains when using Markdown
+- Show more informative errors when profile exceeds char limits
 
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)
+- remove BBS/SSH feature, replaced by an external bridge.
+- Remove a few unused indexes.
+- Cleanup OStatus-era user upgrades and ap_enabled indicator
+- Deprecate Pleroma's audio scrobbling
+
+## 2.5.4
+
+## Security
+- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
+
+## 2.5.3
+
+### Security
+- Emoji pack loader sanitizes pack names
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
+
+## 2.5.5
+
+## Security
+- Prevent users from accessing media of other users by creating a status with reused attachment ID
 
 ## 2.5.4
 

changelog.d/3126.fix

@@ -1 +0,0 @@
-MediaProxy responses now return a sandbox CSP header

changelog.d/3801.fix

@@ -1 +0,0 @@
-Filter context activities using Visibility.visible_for_user?

changelog.d/3848.add

@@ -1 +0,0 @@
-Add OAuth scope descriptions

changelog.d/3872.remove

@@ -1 +0,0 @@
-remove BBS/SSH feature, replaced by an external bridge.

changelog.d/3873.fix

@@ -1 +0,0 @@
-UploadedMedia: Add missing disposition_type to Content-Disposition

changelog.d/3874.remove

@@ -1 +0,0 @@
-Remove a few unused indexes.

changelog.d/3879.fix

@@ -1 +0,0 @@
-fix not being able to fetch flash file from remote instance

changelog.d/3880.remove

@@ -1 +0,0 @@
-Cleanup OStatus-era user upgrades and ap_enabled indicator

changelog.d/3882.add

@@ -1 +0,0 @@
-Allow lang attribute in status text

changelog.d/3883.fix

@@ -1 +0,0 @@
-Fix abnormal behaviour when refetching a poll

changelog.d/3884.fix

@@ -1 +0,0 @@
-Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"

changelog.d/3885.fix

@@ -1 +0,0 @@
-Fix opengraph and twitter card meta tags

changelog.d/3888.fix

@@ -1 +0,0 @@
-ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts

changelog.d/3891.fix

@@ -1 +0,0 @@
-OEmbed HTML tags are now filtered

changelog.d/3897.add

@@ -1 +0,0 @@
-OnlyMedia Upload Filter

changelog.d/3901.security

@@ -1 +0,0 @@
-Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.

changelog.d/attachment-type-check.fix

@@ -1 +0,0 @@
-Restrict attachments to only uploaded files only

changelog.d/delete-status-of-banned-user.fix

@@ -1 +0,0 @@
-Fix error 404 when deleting status of a banned user

changelog.d/deprecate-scrobbles.remove

@@ -1 +0,0 @@
-Deprecate Pleroma's audio scrobbling

changelog.d/disable-xml-entity-resolution.security

@@ -1 +0,0 @@
-Disable XML entity resolution completely to fix a dos vulnerability

changelog.d/dockerfile-config-perms.fix

@@ -1 +0,0 @@
-- Fix config ownership in dockerfile to pass restriction test

changelog.d/emoji-policy.add

@@ -1 +0,0 @@
-Implement MRF policy to reject or delist according to emojis

changelog.d/featured-collection-shouldnt-break-user-fetch.fix

@@ -1 +0,0 @@
-Fix user fetch completely broken if featured collection is not in a supported form

changelog.d/fix-object-test.fix

@@ -1 +0,0 @@
-Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty

changelog.d/handle-report-from-deactivated-user.fix

@@ -1 +0,0 @@
-Fix handling report from a deactivated user

changelog.d/no_new_privs.add

@@ -1 +0,0 @@
-(hardening) Add no_new_privs=yes to OpenRC service files

changelog.d/prevent-bypassing-authorized-fetch-mode.fix

@@ -1 +0,0 @@
-Prevent using the .json format to bypass authorized fetch mode

changelog.d/punycode-mention.fix

@@ -1 +0,0 @@
-Fix mentioning punycode domains when using Markdown

changelog.d/quote.add

@@ -1 +0,0 @@
-Implement quotes

changelog.d/unified-streaming.add

@@ -1 +0,0 @@
-Add unified streaming endpoint

changelog.d/update-credentials-limit-error.fix

@@ -1 +0,0 @@
-Show more informative errors when profile exceeds char limits

mix.exs

@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
   def project do
     [
       app: :pleroma,
-      version: version("2.5.54"),
+      version: version("2.6.50"),
       elixir: "~> 1.11",
       elixirc_paths: elixirc_paths(Mix.env()),
       compilers: [:phoenix] ++ Mix.compilers(),

priv/static/index.html

@@ -1 +1 @@
-<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,user-scalable=no"><!--server-generated-meta--><link rel=icon type=image/png href=/favicon.png><script defer=defer src=/static/js/2724.e4840c73281069ba54ab.js></script><script defer=defer src=/static/js/app.8d2126d35dba9482db51.js></script><link href=/static/css/app.48e52505beba5b9ab69b.css rel=stylesheet></head><body class=hidden><noscript>To use Pleroma, please enable JavaScript.</noscript><div id=app></div><div id=modal></div><div id=popovers></body></html>
+<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,user-scalable=no"><!--server-generated-meta--><link rel=icon type=image/png href=/favicon.png><script defer=defer src=/static/js/3733.7060d1e6bca813125a0c.js></script><script defer=defer src=/static/js/app.7c4b412b26221a7c8572.js></script><link href=/static/css/app.c18a2c80794a1b699a61.css rel=stylesheet></head><body class=hidden><noscript>To use Pleroma, please enable JavaScript.</noscript><div id=app></div><div id=modal></div><div id=popovers></body></html>

priv/static/static/css/5948.06d2a0d84620cba6a4fb.css.map

@@ -1 +0,0 @@
-{"version":3,"file":"static/css/5948.06d2a0d84620cba6a4fb.css","mappings":"AACA,uBAGE,mBAFA,aACA,YAEA,uBAEA,4BACE,YACA,iBCPJ,gBACE,gBAEA,2DAEE,qBACA,iBAEA,iEACE,mBAGF,mFACE,gBAIJ,sCAOE,YADA,eALA,gBACA,qBAEA,wBADA,uCAEA,YAEA,CAEA,yBATF,sCAWI,YADA,eACA,EAGF,kDACE,YACA,kBAEA,uDACE,eACA,eACA,cAKN,iCACE,aAEA,mCACE,kBAGF,gDACE,aACA,YAKF,2CASE,8CAEA,yBAXF,2CAgBI","sources":["webpack://pleroma_fe/./src/components/async_component_error/async_component_error.vue","webpack://pleroma_fe/./src/components/settings_modal/settings_modal.scss"],"sourcesContent":["\n.async-component-error {\n  display: flex;\n  height: 100%;\n  align-items: center;\n  justify-content: center;\n\n  .btn {\n    margin: 0.5em;\n    padding: 0.5em 2em;\n  }\n}\n","@import \"src/variables\";\n\n.settings-modal {\n  overflow: hidden;\n\n  .setting-list,\n  .option-list {\n    list-style-type: none;\n    padding-left: 2em;\n\n    li {\n      margin-bottom: 0.5em;\n    }\n\n    .suboptions {\n      margin-top: 0.3em;\n    }\n  }\n\n  .settings-modal-panel {\n    overflow: hidden;\n    transition: transform;\n    transition-timing-function: ease-in-out;\n    transition-duration: 300ms;\n    width: 1000px;\n    max-width: 90vw;\n    height: 90vh;\n\n    @media all and (max-width: 800px) {\n      max-width: 100vw;\n      height: 100%;\n    }\n\n    >.panel-body {\n      height: 100%;\n      overflow-y: hidden;\n\n      .btn {\n        min-height: 2em;\n        min-width: 10em;\n        padding: 0 2em;\n      }\n    }\n  }\n\n  .settings-footer {\n    display: flex;\n\n    >* {\n      margin-right: 0.5em;\n    }\n\n    .extra-content {\n      display: flex;\n      flex-grow: 1;\n    }\n  }\n\n  &.peek {\n    .settings-modal-panel {\n      /* Explanation:\n       * Modal is positioned vertically centered.\n       * 100vh - 100% = Distance between modal's top+bottom boundaries and screen\n       * (100vh - 100%) / 2 = Distance between bottom (or top) boundary and screen\n       * + 100% - we move modal completely off-screen, it's top boundary touches\n       *   bottom of the screen\n       * - 50px - leaving tiny amount of space so that titlebar + tiny amount of modal is visible\n       */\n      transform: translateY(calc(((100vh - 100%) / 2 + 100%) - 50px));\n\n      @media all and (max-width: 800px) {\n        /* For mobile, the modal takes 100% of the available screen.\n           This ensures the minimized modal is always 50px above the browser bottom\n           bar regardless of whether or not it is visible.\n        */\n        transform: translateY(calc(100% - 50px));\n      }\n    }\n  }\n}\n"],"names":[],"sourceRoot":""}

priv/static/static/css/7586.0d43f70bc6240422f179.css.map

@@ -0,0 +1 @@
+{"version":3,"file":"static/css/7586.0d43f70bc6240422f179.css","mappings":"AACA,uBAGE,mBAFA,aACA,YAEA,uBAEA,4BACE,YACA,iBCPJ,gBACE,gBAEA,2DAEE,qBACA,iBAEA,iEACE,mBAGF,mFACE,gBAIJ,qCAGE,cADA,kBADA,eAEA,CAGF,sCAOE,YADA,eALA,gBACA,qBAEA,wBADA,uCAEA,YAEA,CAEA,yBATF,sCAWI,YADA,eACA,EAGF,kDACE,YACA,kBAEA,uDACE,eAGF,6EACE,cAKN,iCACE,aACA,eACA,cAEA,mCACE,kBAGF,gDACE,aACA,YAKF,2CASE,8CAEA,yBAXF,2CAgBI","sources":["webpack://pleroma_fe/./src/components/async_component_error/async_component_error.vue","webpack://pleroma_fe/./src/components/settings_modal/settings_modal.scss"],"sourcesContent":["\n.async-component-error {\n  display: flex;\n  height: 100%;\n  align-items: center;\n  justify-content: center;\n\n  .btn {\n    margin: 0.5em;\n    padding: 0.5em 2em;\n  }\n}\n","@import \"src/variables\";\n\n.settings-modal {\n  overflow: hidden;\n\n  .setting-list,\n  .option-list {\n    list-style-type: none;\n    padding-left: 2em;\n\n    li {\n      margin-bottom: 0.5em;\n    }\n\n    .suboptions {\n      margin-top: 0.3em;\n    }\n  }\n\n  .setting-description {\n    margin-top: 0.2em;\n    margin-bottom: 2em;\n    font-size: 70%;\n  }\n\n  .settings-modal-panel {\n    overflow: hidden;\n    transition: transform;\n    transition-timing-function: ease-in-out;\n    transition-duration: 300ms;\n    width: 1000px;\n    max-width: 90vw;\n    height: 90vh;\n\n    @media all and (max-width: 800px) {\n      max-width: 100vw;\n      height: 100%;\n    }\n\n    >.panel-body {\n      height: 100%;\n      overflow-y: hidden;\n\n      .btn {\n        min-height: 2em;\n      }\n\n      .btn:not(.dropdown-button) {\n        padding: 0 2em;\n      }\n    }\n  }\n\n  .settings-footer {\n    display: flex;\n    flex-wrap: wrap;\n    line-height: 2;\n\n    >* {\n      margin-right: 0.5em;\n    }\n\n    .extra-content {\n      display: flex;\n      flex-grow: 1;\n    }\n  }\n\n  &.peek {\n    .settings-modal-panel {\n      /* Explanation:\n       * Modal is positioned vertically centered.\n       * 100vh - 100% = Distance between modal's top+bottom boundaries and screen\n       * (100vh - 100%) / 2 = Distance between bottom (or top) boundary and screen\n       * + 100% - we move modal completely off-screen, it's top boundary touches\n       *   bottom of the screen\n       * - 50px - leaving tiny amount of space so that titlebar + tiny amount of modal is visible\n       */\n      transform: translateY(calc(((100vh - 100%) / 2 + 100%) - 50px));\n\n      @media all and (max-width: 800px) {\n        /* For mobile, the modal takes 100% of the available screen.\n           This ensures the minimized modal is always 50px above the browser bottom\n           bar regardless of whether or not it is visible.\n        */\n        transform: translateY(calc(100% - 50px));\n      }\n    }\n  }\n}\n"],"names":[],"sourceRoot":""}

priv/static/static/css/9801.cfe503d4c949ae0c3813.css.map

@@ -0,0 +1 @@
+{"version":3,"file":"static/css/9801.cfe503d4c949ae0c3813.css","mappings":"AACA,mBACE,qBACA,kBAGF,kBACE,gBACA,eACA,kBCRF,yBACE,qBACA,kBAGF,wBACE,gBACA,eACA,kBCRF,cACE,qBACA,kBAEA,8BACE,iBAIJ,eACE,gBACA,eACA,kBCXA,+BACE,cAEA,YACA,mBAFA,UAEA,CAGF,qCAEE,aACA,sBAFA,gBAGA,WAGF,6BACE,mBAEA,uEAEE,WCpBJ,2BACE,UAGF,kBAEE,iBAGA,eADA,kBAHA,uBAEA,kBAEA,CCRJ,uBACE,YAEA,qCACE,0CACA,qBACA,qBAEA,oFAEE,cACA,mBAEA,0GACE,gBAIJ,sDACE,aAEA,mEACE,SACA,kBAIJ,gDACE,mBAEA,kBADA,gBACA,CAGF,4CACE,eAGF,8CAGE,aADA,eADA,UAEA,CAGF,wGAEE,sBACA,SCnCW","sources":["webpack://pleroma_fe/./src/components/settings_modal/helpers/modified_indicator.vue","webpack://pleroma_fe/./src/components/settings_modal/helpers/profile_setting_indicator.vue","webpack://pleroma_fe/./src/components/settings_modal/helpers/draft_buttons.vue","webpack://pleroma_fe/./src/components/settings_modal/helpers/attachment_setting.vue","webpack://pleroma_fe/./src/components/settings_modal/admin_tabs/frontends_tab.scss","webpack://pleroma_fe/./src/components/settings_modal/settings_modal_admin_content.scss","webpack://pleroma_fe/./src/_variables.scss"],"sourcesContent":["\n.ModifiedIndicator {\n  display: inline-block;\n  position: relative;\n}\n\n.modified-tooltip {\n  margin: 0.5em 1em;\n  min-width: 10em;\n  text-align: center;\n}\n","\n.ProfileSettingIndicator {\n  display: inline-block;\n  position: relative;\n}\n\n.profilesetting-tooltip {\n  margin: 0.5em 1em;\n  min-width: 10em;\n  text-align: center;\n}\n","\n.DraftButtons {\n  display: inline-block;\n  position: relative;\n\n  .button-default {\n    margin-left: 0.5em;\n  }\n}\n\n.draft-tooltip {\n  margin: 0.5em 1em;\n  min-width: 10em;\n  text-align: center;\n}\n","\n.AttachmentSetting {\n  .attachment {\n    display: block;\n    width: 100%;\n    height: 15em;\n    margin-bottom: 0.5em;\n  }\n\n  .attachment-input {\n    margin-left: 1em;\n    display: flex;\n    flex-direction: column;\n    width: 20em;\n  }\n\n  .controls {\n    margin-bottom: 0.5em;\n\n    input,\n    button {\n      width: 100%;\n    }\n  }\n}\n",".frontends-tab {\n  .cards-list {\n    padding: 0;\n  }\n\n  dd {\n    text-overflow: ellipsis;\n    word-wrap: nowrap;\n    white-space: nowrap;\n    overflow-x: hidden;\n    max-width: 10em;\n  }\n}\n","@import \"src/variables\";\n\n.settings_tab-switcher {\n  height: 100%;\n\n  .setting-item {\n    border-bottom: 2px solid var(--fg, $fallback--fg);\n    margin: 1em 1em 1.4em;\n    padding-bottom: 1.4em;\n\n    > div,\n    > label {\n      display: block;\n      margin-bottom: 0.5em;\n\n      &:last-child {\n        margin-bottom: 0;\n      }\n    }\n\n    .select-multiple {\n      display: flex;\n\n      .option-list {\n        margin: 0;\n        padding-left: 0.5em;\n      }\n    }\n\n    &:last-child {\n      border-bottom: none;\n      padding-bottom: 0;\n      margin-bottom: 1em;\n    }\n\n    select {\n      min-width: 10em;\n    }\n\n    textarea {\n      width: 100%;\n      max-width: 100%;\n      height: 100px;\n    }\n\n    .unavailable,\n    .unavailable svg {\n      color: var(--cRed, $fallback--cRed);\n      color: $fallback--cRed;\n    }\n  }\n}\n","$main-color: #f58d2c;\n$main-background: white;\n$darkened-background: whitesmoke;\n\n$fallback--bg: #121a24;\n$fallback--fg: #182230;\n$fallback--faint: rgb(185 185 186 / 50%);\n$fallback--text: #b9b9ba;\n$fallback--link: #d8a070;\n$fallback--icon: #666;\n$fallback--lightBg: rgb(21 30 42);\n$fallback--lightText: #b9b9ba;\n$fallback--border: #222;\n$fallback--cRed: #f00;\n$fallback--cBlue: #0095ff;\n$fallback--cGreen: #0fa00f;\n$fallback--cOrange: orange;\n\n$fallback--alertError: rgb(211 16 20 / 50%);\n$fallback--alertWarning: rgb(111 111 20 / 50%);\n\n$fallback--panelRadius: 10px;\n$fallback--checkboxRadius: 2px;\n$fallback--btnRadius: 4px;\n$fallback--inputRadius: 4px;\n$fallback--tooltipRadius: 5px;\n$fallback--avatarRadius: 4px;\n$fallback--avatarAltRadius: 10px;\n$fallback--attachmentRadius: 10px;\n$fallback--chatMessageRadius: 10px;\n\n$fallback--buttonShadow: 0 0 2px 0 rgb(0 0 0 / 100%),\n  0 1px 0 0 rgb(255 255 255 / 20%) inset,\n  0 -1px 0 0 rgb(0 0 0 / 20%) inset;\n\n$status-margin: 0.75em;\n"],"names":[],"sourceRoot":""}

priv/static/static/js/48.b5ecdbc517423af07ca4.js.LICENSE.txt

@@ -1,11 +1,11 @@
 /*!
- * Cropper.js v1.5.12
+ * Cropper.js v1.5.13
  * https://fengyuanchen.github.io/cropperjs
  *
  * Copyright 2015-present Chen Fengyuan
  * Released under the MIT license
  *
- * Date: 2021-06-12T08:00:17.411Z
+ * Date: 2022-11-20T05:30:46.114Z
  */
 
 /*! vue-qrcode v2.0.0 | (c) 2018-present Chen Fengyuan | MIT */