From f64af6473fd1c61190ede960791efddc29806f92 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 20 Mar 2018 23:49:24 +0100 Subject: [PATCH 1/4] Bump version to 2.3.2rc4 --- lib/mastodon/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index 78a2dd901..80650761a 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -21,7 +21,7 @@ module Mastodon end def flags - 'rc3' + 'rc4' end def to_a From a6b59cd1a32ce2d9ac54fa7b5e04672a63692fdf Mon Sep 17 00:00:00 2001 From: Akihiko Odaki Date: Wed, 21 Mar 2018 18:26:15 +0900 Subject: [PATCH 2/4] Remove debug option from Babel preset env (#6852) --- .babelrc | 1 - 1 file changed, 1 deletion(-) diff --git a/.babelrc b/.babelrc index ed28aa500..190b5038c 100644 --- a/.babelrc +++ b/.babelrc @@ -4,7 +4,6 @@ [ "env", { - "debug": true, "exclude": ["transform-async-to-generator", "transform-regenerator"], "loose": true, "modules": false, From 93897134caf42f1b70620282cef04865af7026b1 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 21 Mar 2018 10:26:53 +0100 Subject: [PATCH 3/4] Permit dots in usernames with conditions (#6844) * Permit dots in usernames with conditions - Dot cannot be the start or end of username - a.lice and al.ice are considered the same during sign-up * Fix regex mixin flags --- app/models/account.rb | 6 ++++-- app/validators/unique_username_validator.rb | 14 ++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 app/validators/unique_username_validator.rb diff --git a/app/models/account.rb b/app/models/account.rb index c1347fe65..14269860f 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -47,7 +47,8 @@ # class Account < ApplicationRecord - MENTION_RE = /(?<=^|[^\/[:word:]])@(([a-z0-9_]+)(?:@[a-z0-9\.\-]+[a-z0-9]+)?)/i + USERNAME_RE = /[a-z0-9_]+([a-z0-9_\.]+[a-z0-9_]+)?/i + MENTION_RE = /(?<=^|[^\/[:word:]])@((#{USERNAME_RE}?)(?:@[a-z0-9\.\-]+[a-z0-9]+)?)/i include AccountAvatar include AccountFinderConcern @@ -68,7 +69,8 @@ class Account < ApplicationRecord validates :username, uniqueness: { scope: :domain, case_sensitive: true }, if: -> { !local? && will_save_change_to_username? } # Local user validations - validates :username, format: { with: /\A[a-z0-9_]+\z/i }, uniqueness: { scope: :domain, case_sensitive: false }, length: { maximum: 30 }, if: -> { local? && will_save_change_to_username? } + validates :username, format: { with: /\A#{USERNAME_RE}\z/i }, length: { maximum: 30 }, if: -> { local? && will_save_change_to_username? } + validates_with UniqueUsernameValidator, if: -> { local? && will_save_change_to_username? } validates_with UnreservedUsernameValidator, if: -> { local? && will_save_change_to_username? } validates :display_name, length: { maximum: 30 }, if: -> { local? && will_save_change_to_display_name? } validates :note, length: { maximum: 160 }, if: -> { local? && will_save_change_to_note? } diff --git a/app/validators/unique_username_validator.rb b/app/validators/unique_username_validator.rb new file mode 100644 index 000000000..c76407b16 --- /dev/null +++ b/app/validators/unique_username_validator.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +class UniqueUsernameValidator < ActiveModel::Validator + def validate(account) + return if account.username.nil? + + normalized_username = account.username.downcase.delete('.') + + scope = Account.where(domain: nil, username: normalized_username) + scope = scope.where.not(id: account.id) if account.persisted? + + account.errors.add(:username, :taken) if scope.exists? + end +end From d97903a3587e137316adbd8a9f0460552b5bfbcd Mon Sep 17 00:00:00 2001 From: Patrick Figel Date: Wed, 21 Mar 2018 17:43:28 +0100 Subject: [PATCH 4/4] Update sanitize and loofah (#6855) Fixes CVE-2018-8048 and CVE-2018-3740, two medium-severity XSS vulnerabilities present in these gems when built against libxml2 >= 2.9.2. --- Gemfile | 2 +- Gemfile.lock | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Gemfile b/Gemfile index fe5bf572c..8bc28b893 100644 --- a/Gemfile +++ b/Gemfile @@ -71,7 +71,7 @@ gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock' gem 'rqrcode', '~> 0.10' gem 'ruby-oembed', '~> 0.12', require: 'oembed' gem 'ruby-progressbar', '~> 1.4' -gem 'sanitize', '~> 4.4' +gem 'sanitize', '~> 4.6.4' gem 'sidekiq', '~> 5.0' gem 'sidekiq-scheduler', '~> 2.1' gem 'sidekiq-unique-jobs', '~> 5.0' diff --git a/Gemfile.lock b/Gemfile.lock index ca6365c74..7360ce7f6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -288,7 +288,7 @@ GEM activesupport (>= 4, < 5.2) railties (>= 4, < 5.2) request_store (~> 1.0) - loofah (2.1.1) + loofah (2.2.1) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.0) @@ -316,9 +316,9 @@ GEM net-ssh (>= 2.6.5) net-ssh (4.2.0) nio4r (2.1.0) - nokogiri (1.8.1) + nokogiri (1.8.2) mini_portile2 (~> 2.3.0) - nokogumbo (1.4.13) + nokogumbo (1.5.0) nokogiri nsa (0.2.4) activesupport (>= 4.2, < 6) @@ -496,10 +496,10 @@ GEM rufus-scheduler (3.4.2) et-orbi (~> 1.0) safe_yaml (1.0.4) - sanitize (4.5.0) + sanitize (4.6.4) crass (~> 1.0.2) nokogiri (>= 1.4.4) - nokogumbo (~> 1.4.1) + nokogumbo (~> 1.4) sass (3.5.3) sass-listen (~> 4.0.0) sass-listen (4.0.0) @@ -699,7 +699,7 @@ DEPENDENCIES rubocop ruby-oembed (~> 0.12) ruby-progressbar (~> 1.4) - sanitize (~> 4.4) + sanitize (~> 4.6.4) scss_lint (~> 0.55) sidekiq (~> 5.0) sidekiq-bulk (~> 0.1.1)