From bea446d892c0a733cd299bb56db54a237e11159f Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 8 Oct 2024 14:25:05 +0200 Subject: [PATCH 1/8] Update security policy for 4.1 branch (#32302) --- SECURITY.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index b14dc45bf724aa..43ab4454c456f0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,8 +1,11 @@ # Security Policy -If you believe you've identified a security vulnerability in Mastodon (a bug that allows something to happen that shouldn't be possible), you can reach us at . +If you believe you've identified a security vulnerability in Mastodon (a bug that allows something to happen that shouldn't be possible), you can either: -You should *not* report such issues on GitHub or in other public spaces to give us time to publish a fix for the issue without exposing Mastodon's users to increased risk. +- open a [GitHub security issue on the Mastodon project](https://github.com/mastodon/mastodon/security/advisories/new) +- reach us at + +You should _not_ report such issues on public GitHub issues or in other public spaces to give us time to publish a fix for the issue without exposing Mastodon's users to increased risk. ## Scope @@ -12,6 +15,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through | Version | Supported | | ------- | ---------------- | +| 4.3.x | Yes | | 4.2.x | Yes | -| 4.1.x | Yes | +| 4.1.x | Until 2025-04-08 | | < 4.1 | No | From 25b41a2603feeaddf54593bf4e6ab92916c7e413 Mon Sep 17 00:00:00 2001 From: Eugene Alvin Villar Date: Tue, 22 Oct 2024 16:41:40 +0800 Subject: [PATCH 2/8] Fix tl language native name (#32606) --- app/helpers/languages_helper.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/helpers/languages_helper.rb b/app/helpers/languages_helper.rb index bb35ce08cd22ed..527dad47c41e3d 100644 --- a/app/helpers/languages_helper.rb +++ b/app/helpers/languages_helper.rb @@ -162,7 +162,7 @@ module LanguagesHelper th: ['Thai', 'ไทย'].freeze, ti: ['Tigrinya', 'ትግርኛ'].freeze, tk: ['Turkmen', 'Türkmen'].freeze, - tl: ['Tagalog', 'Wikang Tagalog'].freeze, + tl: ['Tagalog', 'Tagalog'].freeze, tn: ['Tswana', 'Setswana'].freeze, to: ['Tonga', 'faka Tonga'].freeze, tr: ['Turkish', 'Türkçe'].freeze, From a84fdc851690a081c573609be23fb1062ccb9cf9 Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 Nov 2024 11:41:00 +0100 Subject: [PATCH 3/8] Update dependency rexml --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 2ef78da507659a..f17c221b5bba79 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -566,7 +566,7 @@ GEM responders (3.0.1) actionpack (>= 5.0) railties (>= 5.0) - rexml (3.3.7) + rexml (3.3.9) rotp (6.2.0) rpam2 (4.0.2) rqrcode (2.1.2) From af7914f13e7012edcd734a9fd208cfc150fa04da Mon Sep 17 00:00:00 2001 From: Claire Date: Wed, 20 Nov 2024 11:41:30 +0100 Subject: [PATCH 4/8] Update dependency rails --- Gemfile.lock | 114 +++++++++++++++++++++++++-------------------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f17c221b5bba79..ef50717ba96676 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -10,40 +10,40 @@ GIT GEM remote: https://rubygems.org/ specs: - actioncable (6.1.7.8) - actionpack (= 6.1.7.8) - activesupport (= 6.1.7.8) + actioncable (6.1.7.10) + actionpack (= 6.1.7.10) + activesupport (= 6.1.7.10) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.1.7.8) - actionpack (= 6.1.7.8) - activejob (= 6.1.7.8) - activerecord (= 6.1.7.8) - activestorage (= 6.1.7.8) - activesupport (= 6.1.7.8) + actionmailbox (6.1.7.10) + actionpack (= 6.1.7.10) + activejob (= 6.1.7.10) + activerecord (= 6.1.7.10) + activestorage (= 6.1.7.10) + activesupport (= 6.1.7.10) mail (>= 2.7.1) - actionmailer (6.1.7.8) - actionpack (= 6.1.7.8) - actionview (= 6.1.7.8) - activejob (= 6.1.7.8) - activesupport (= 6.1.7.8) + actionmailer (6.1.7.10) + actionpack (= 6.1.7.10) + actionview (= 6.1.7.10) + activejob (= 6.1.7.10) + activesupport (= 6.1.7.10) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.1.7.8) - actionview (= 6.1.7.8) - activesupport (= 6.1.7.8) + actionpack (6.1.7.10) + actionview (= 6.1.7.10) + activesupport (= 6.1.7.10) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.1.7.8) - actionpack (= 6.1.7.8) - activerecord (= 6.1.7.8) - activestorage (= 6.1.7.8) - activesupport (= 6.1.7.8) + actiontext (6.1.7.10) + actionpack (= 6.1.7.10) + activerecord (= 6.1.7.10) + activestorage (= 6.1.7.10) + activesupport (= 6.1.7.10) nokogiri (>= 1.8.5) - actionview (6.1.7.8) - activesupport (= 6.1.7.8) + actionview (6.1.7.10) + activesupport (= 6.1.7.10) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) @@ -54,22 +54,22 @@ GEM case_transform (>= 0.2) jsonapi-renderer (>= 0.1.1.beta1, < 0.3) active_record_query_trace (1.8) - activejob (6.1.7.8) - activesupport (= 6.1.7.8) + activejob (6.1.7.10) + activesupport (= 6.1.7.10) globalid (>= 0.3.6) - activemodel (6.1.7.8) - activesupport (= 6.1.7.8) - activerecord (6.1.7.8) - activemodel (= 6.1.7.8) - activesupport (= 6.1.7.8) - activestorage (6.1.7.8) - actionpack (= 6.1.7.8) - activejob (= 6.1.7.8) - activerecord (= 6.1.7.8) - activesupport (= 6.1.7.8) + activemodel (6.1.7.10) + activesupport (= 6.1.7.10) + activerecord (6.1.7.10) + activemodel (= 6.1.7.10) + activesupport (= 6.1.7.10) + activestorage (6.1.7.10) + actionpack (= 6.1.7.10) + activejob (= 6.1.7.10) + activerecord (= 6.1.7.10) + activesupport (= 6.1.7.10) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (6.1.7.8) + activesupport (6.1.7.10) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -406,7 +406,7 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2022.0105) mini_mime (1.1.5) - mini_portile2 (2.8.7) + mini_portile2 (2.8.8) minitest (5.17.0) msgpack (1.6.0) multi_json (1.15.0) @@ -498,7 +498,7 @@ GEM activesupport (>= 3.0.0) raabro (1.4.0) racc (1.7.3) - rack (2.2.9) + rack (2.2.10) rack-attack (6.6.1) rack (>= 1.0, < 3) rack-cors (1.1.1) @@ -513,20 +513,20 @@ GEM rack rack-test (2.0.2) rack (>= 1.3) - rails (6.1.7.8) - actioncable (= 6.1.7.8) - actionmailbox (= 6.1.7.8) - actionmailer (= 6.1.7.8) - actionpack (= 6.1.7.8) - actiontext (= 6.1.7.8) - actionview (= 6.1.7.8) - activejob (= 6.1.7.8) - activemodel (= 6.1.7.8) - activerecord (= 6.1.7.8) - activestorage (= 6.1.7.8) - activesupport (= 6.1.7.8) + rails (6.1.7.10) + actioncable (= 6.1.7.10) + actionmailbox (= 6.1.7.10) + actionmailer (= 6.1.7.10) + actionpack (= 6.1.7.10) + actiontext (= 6.1.7.10) + actionview (= 6.1.7.10) + activejob (= 6.1.7.10) + activemodel (= 6.1.7.10) + activerecord (= 6.1.7.10) + activestorage (= 6.1.7.10) + activesupport (= 6.1.7.10) bundler (>= 1.15.0) - railties (= 6.1.7.8) + railties (= 6.1.7.10) sprockets-rails (>= 2.0.0) rails-controller-testing (1.0.5) actionpack (>= 5.0.1.rc1) @@ -542,9 +542,9 @@ GEM railties (>= 6.0.0, < 7) rails-settings-cached (0.6.6) rails (>= 4.2.0) - railties (6.1.7.8) - actionpack (= 6.1.7.8) - activesupport (= 6.1.7.8) + railties (6.1.7.10) + actionpack (= 6.1.7.10) + activesupport (= 6.1.7.10) method_source rake (>= 12.2) thor (~> 1.0) @@ -664,7 +664,7 @@ GEM simplecov-html (0.12.3) simplecov_json_formatter (0.1.4) smart_properties (1.17.0) - sprockets (3.7.3) + sprockets (3.7.5) base64 concurrent-ruby (~> 1.0) rack (> 1, < 3) @@ -755,7 +755,7 @@ GEM xorcist (1.1.3) xpath (3.2.0) nokogiri (~> 1.8) - zeitwerk (2.6.16) + zeitwerk (2.6.18) PLATFORMS ruby From f51f9717fa57c1525a3d1e90a2116a95f795f850 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 25 Nov 2024 16:54:18 +0100 Subject: [PATCH 5/8] Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067) --- app/lib/feed_manager.rb | 5 ++++- app/models/user.rb | 4 ++++ spec/fabricators/user_fabricator.rb | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/app/lib/feed_manager.rb b/app/lib/feed_manager.rb index baa460f7423b53..03775f195fd6de 100644 --- a/app/lib/feed_manager.rb +++ b/app/lib/feed_manager.rb @@ -58,6 +58,7 @@ def filter?(timeline_type, status, receiver) # @param [Boolean] update # @return [Boolean] def push_to_home(account, status, update: false) + return false unless account.user&.signed_in_recently? return false unless add_to_feed(:home, account.id, status, aggregate_reblogs: account.user&.aggregates_reblogs?) trim(:home, account.id) @@ -83,7 +84,9 @@ def unpush_from_home(account, status, update: false) # @param [Boolean] update # @return [Boolean] def push_to_list(list, status, update: false) - return false if filter_from_list?(status, list) || !add_to_feed(:list, list.id, status, aggregate_reblogs: list.account.user&.aggregates_reblogs?) + return false if filter_from_list?(status, list) + return false unless list.account.user&.signed_in_recently? + return false unless add_to_feed(:list, list.id, status, aggregate_reblogs: list.account.user&.aggregates_reblogs?) trim(:list, list.id) PushUpdateWorker.perform_async(list.account_id, status.id, "timeline:list:#{list.id}", { 'update' => update }) if push_update_required?("timeline:list:#{list.id}") diff --git a/app/models/user.rb b/app/models/user.rb index e2355915510a60..d2187259c9504d 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -164,6 +164,10 @@ def role end end + def signed_in_recently? + current_sign_in_at.present? && current_sign_in_at >= ACTIVE_DURATION.ago + end + def confirmed? confirmed_at.present? end diff --git a/spec/fabricators/user_fabricator.rb b/spec/fabricators/user_fabricator.rb index 10ad2c53a30df4..5455becd5878b6 100644 --- a/spec/fabricators/user_fabricator.rb +++ b/spec/fabricators/user_fabricator.rb @@ -3,5 +3,6 @@ email { sequence(:email) { |i| "#{i}#{Faker::Internet.email}" } } password "123456789" confirmed_at { Time.zone.now } + current_sign_in_at { Time.zone.now } agreement true end From e2db51583790f1b0d58243c21bd3f6a9753b7edd Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 28 Nov 2024 18:40:53 +0100 Subject: [PATCH 6/8] Fix inactive users' timelines being backfilled on follow and unsuspend (#33094) --- app/lib/feed_manager.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/app/lib/feed_manager.rb b/app/lib/feed_manager.rb index 03775f195fd6de..42a233e819edde 100644 --- a/app/lib/feed_manager.rb +++ b/app/lib/feed_manager.rb @@ -110,6 +110,8 @@ def unpush_from_list(list, status, update: false) # @param [Account] into_account # @return [void] def merge_into_home(from_account, into_account) + return unless into_account.user&.signed_in_recently? + timeline_key = key(:home, into_account.id) aggregate = into_account.user&.aggregates_reblogs? query = from_account.statuses.where(visibility: [:public, :unlisted, :private]).includes(:preloadable_poll, :media_attachments, reblog: :account).limit(FeedManager::MAX_ITEMS / 4) @@ -136,6 +138,8 @@ def merge_into_home(from_account, into_account) # @param [List] list # @return [void] def merge_into_list(from_account, list) + return unless list.account.user&.signed_in_recently? + timeline_key = key(:list, list.id) aggregate = list.account.user&.aggregates_reblogs? query = from_account.statuses.where(visibility: [:public, :unlisted, :private]).includes(:preloadable_poll, :media_attachments, reblog: :account).limit(FeedManager::MAX_ITEMS / 4) From 0816c1301447d8f5be1d12788a6a89dcfefebcfa Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 2 Dec 2024 14:11:35 +0100 Subject: [PATCH 7/8] Prepare changelog --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 51f5470d819240..28542edc984c35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,18 @@ Changelog All notable changes to this project will be documented in this file. +## [4.2.21] - UNRELEASED + +### Fixed + +- Fix inactive users' timelines being backfilled on follow and unsuspend (#33094 by @ClearlyClaire) +- Fix direct inbox delivery pushing posts into inactive followers' timelines (#33067 by @ClearlyClaire) +- Fix tl language native name (#32606 by @seav) + +### Security + +- Update dependencies + ## [4.1.20] - 2024-09-30 ### Security From a222e7ac670a293c6343799b6e66c6d29ee95d39 Mon Sep 17 00:00:00 2001 From: Claire Date: Tue, 3 Dec 2024 15:16:35 +0100 Subject: [PATCH 8/8] Bump version to v4.1.21 (#33138) Co-authored-by: David Roetzel --- CHANGELOG.md | 2 +- docker-compose.yml | 6 +++--- lib/mastodon/version.rb | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 28542edc984c35..c4fa9b6a4da7ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ Changelog All notable changes to this project will be documented in this file. -## [4.2.21] - UNRELEASED +## [4.2.21] - 2024-12-03 ### Fixed diff --git a/docker-compose.yml b/docker-compose.yml index 6d887d2de41433..e426250a238a78 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -56,7 +56,7 @@ services: web: build: . - image: ghcr.io/mastodon/mastodon:v4.1.20 + image: ghcr.io/mastodon/mastodon:v4.1.21 restart: always env_file: .env.production command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" @@ -77,7 +77,7 @@ services: streaming: build: . - image: ghcr.io/mastodon/mastodon:v4.1.20 + image: ghcr.io/mastodon/mastodon:v4.1.21 restart: always env_file: .env.production command: node ./streaming @@ -95,7 +95,7 @@ services: sidekiq: build: . - image: ghcr.io/mastodon/mastodon:v4.1.20 + image: ghcr.io/mastodon/mastodon:v4.1.21 restart: always env_file: .env.production command: bundle exec sidekiq diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 53896c0287b3de..9dd0a53d5ed6f5 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -13,7 +13,7 @@ def minor end def patch - 20 + 21 end def flags