summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorlain <lain@soykaf.club>2019-05-31 19:08:14 +0200
committerlain <lain@soykaf.club>2019-05-31 19:08:14 +0200
commite2c72e53906a75f4a69a312129aa644c3a2fcd39 (patch)
tree01ebea44c66851c8a052cb24f1cf760035663bb6
parent3591b7c1529be2703b7dfbb1f88390e596e11ef9 (diff)
parentf061d551a97ed35114ee47c3baf61cf7c376983d (diff)
Merge branch 'hotfix-0.9.99999'v0.9.99999
-rw-r--r--CHANGELOG.md22
-rw-r--r--README.md2
-rw-r--r--lib/pleroma/html.ex43
-rw-r--r--lib/pleroma/web/activity_pub/activity_pub.ex27
-rw-r--r--lib/pleroma/web/activity_pub/transmogrifier.ex8
-rw-r--r--mix.exs2
-rw-r--r--test/html_test.exs71
-rw-r--r--test/web/activity_pub/activity_pub_test.exs29
-rw-r--r--test/web/activity_pub/transmogrifier_test.exs40
-rw-r--r--test/web/mastodon_api/mastodon_api_controller_test.exs2
-rw-r--r--test/web/mastodon_api/status_view_test.exs2
-rw-r--r--test/web/twitter_api/views/activity_view_test.exs2
12 files changed, 224 insertions, 26 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7509ca325..f649e01df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,26 @@
# Changelog
+=======
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+## [0.9.99999] - 2019-05-31
+### Security
+- Mastodon API: Fix lists leaking private posts
+- HTML escaping: Lock down allowed class attributes to only those related to microformats
+
+## [0.9.9999] - 2019-04-05
+### Security
+- Mastodon API: Fix content warnings skipping HTML sanitization
+
+## [0.9.999] - 2019-03-13
+Frontend changes only.
+### Added
+- Added floating action button for posting status on mobile
+### Changed
+- Changed user-settings icon to a pencil
+### Fixed
+- Keyboard shortcuts activating when typing a message
+- Gaps when scrolling down on a timeline after showing new
## [0.9.99] - 2019-03-08
### Changed
diff --git a/README.md b/README.md
index c6720ec4e..deef1712b 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ Client applications that are known to work well:
* Tootle (iOS, No Streaming)
* Whalebird (Windows + Mac + Linux)
-This is the 0.9.9999 release.
+This is the 0.9.99999 release.
If you want to run your own server, feel free to contact us in our dev chat at #pleroma on freenode or via matrix at <https://matrix.heldscal.la/#/room/#freenode_#pleroma:matrix.org>.
diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex
index b4a4742ee..bb1817b0d 100644
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@@ -94,14 +94,31 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
# links
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
- Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
+
+ Meta.allow_tag_with_this_attribute_values("a", "class", [
+ "hashtag",
+ "u-url",
+ "mention",
+ "u-url mention",
+ "mention u-url"
+ ])
+
+ Meta.allow_tag_with_this_attribute_values("a", "rel", [
+ "tag",
+ "nofollow",
+ "noopener",
+ "noreferrer"
+ ])
+
+ Meta.allow_tag_with_these_attributes("a", ["name", "title"])
# paragraphs and linebreaks
Meta.allow_tag_with_these_attributes("br", [])
Meta.allow_tag_with_these_attributes("p", [])
# microformats
- Meta.allow_tag_with_these_attributes("span", ["class"])
+ Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
+ Meta.allow_tag_with_these_attributes("span", [])
# allow inline images for custom emoji
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
@@ -135,7 +152,23 @@ defmodule Pleroma.HTML.Scrubber.Default do
Meta.strip_comments()
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
- Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
+
+ Meta.allow_tag_with_this_attribute_values("a", "class", [
+ "hashtag",
+ "u-url",
+ "mention",
+ "u-url mention",
+ "mention u-url"
+ ])
+
+ Meta.allow_tag_with_this_attribute_values("a", "rel", [
+ "tag",
+ "nofollow",
+ "noopener",
+ "noreferrer"
+ ])
+
+ Meta.allow_tag_with_these_attributes("a", ["name", "title"])
Meta.allow_tag_with_these_attributes("abbr", ["title"])
@@ -150,11 +183,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
Meta.allow_tag_with_these_attributes("ol", [])
Meta.allow_tag_with_these_attributes("p", [])
Meta.allow_tag_with_these_attributes("pre", [])
- Meta.allow_tag_with_these_attributes("span", ["class"])
Meta.allow_tag_with_these_attributes("strong", [])
Meta.allow_tag_with_these_attributes("u", [])
Meta.allow_tag_with_these_attributes("ul", [])
+ Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
+ Meta.allow_tag_with_these_attributes("span", [])
+
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
if @allow_inline_images do
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index bd4ac6197..7eea5b447 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -466,20 +466,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
defp restrict_tag(query, _), do: query
- defp restrict_to_cc(query, recipients_to, recipients_cc) do
- from(
- activity in query,
- where:
- fragment(
- "(?->'to' \\?| ?) or (?->'cc' \\?| ?)",
- activity.data,
- ^recipients_to,
- activity.data,
- ^recipients_cc
- )
- )
- end
-
defp restrict_recipients(query, [], _user), do: query
defp restrict_recipients(query, recipients, nil) do
@@ -629,9 +615,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
|> Enum.reverse()
end
- def fetch_activities_bounded(recipients_to, recipients_cc, opts \\ %{}) do
+ def fetch_activities_bounded_query(query, recipients, recipients_with_public) do
+ from(activity in query,
+ where:
+ fragment("? && ?", activity.recipients, ^recipients) or
+ (fragment("? && ?", activity.recipients, ^recipients_with_public) and
+ "https://www.w3.org/ns/activitystreams#Public" in activity.recipients)
+ )
+ end
+
+ def fetch_activities_bounded(recipients, recipients_with_public, opts \\ %{}) do
fetch_activities_query([], opts)
- |> restrict_to_cc(recipients_to, recipients_cc)
+ |> fetch_activities_bounded_query(recipients, recipients_with_public)
|> Repo.all()
|> Enum.reverse()
end
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 7151efdeb..1829b93d7 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -121,7 +121,10 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
object
|> Utils.determine_explicit_mentions()
- explicit_mentions = explicit_mentions ++ ["https://www.w3.org/ns/activitystreams#Public"]
+ follower_collection = User.get_cached_by_ap_id(get_actor(object)).follower_address
+
+ explicit_mentions =
+ explicit_mentions ++ ["https://www.w3.org/ns/activitystreams#Public", follower_collection]
object
|> fix_explicit_addressing(explicit_mentions)
@@ -367,6 +370,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
when objtype in ["Article", "Note", "Video", "Page"] do
actor = get_actor(data)
+ # Temporary to make 0.99999 hotfix work
+ User.get_or_fetch_by_ap_id(actor)
+
data =
Map.put(data, "actor", actor)
|> fix_addressing
diff --git a/mix.exs b/mix.exs
index 5a253817a..211fc9ec2 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do
[
app: :pleroma,
- version: version("0.9.9999"),
+ version: version("0.9.99999"),
elixir: "~> 1.7",
elixirc_paths: elixirc_paths(Mix.env()),
compilers: [:phoenix, :gettext] ++ Mix.compilers(),
diff --git a/test/html_test.exs b/test/html_test.exs
index 29cab17f3..f98e7745f 100644
--- a/test/html_test.exs
+++ b/test/html_test.exs
@@ -18,6 +18,18 @@ defmodule Pleroma.HTMLTest do
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
"""
+ @html_span_class_sample """
+ <span class="animate-spin">hi</span>
+ """
+
+ @html_span_microformats_sample """
+ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+ """
+
+ @html_span_invalid_microformats_sample """
+ <span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
+ """
+
describe "StripTags scrubber" do
test "works as expected" do
expected = """
@@ -58,6 +70,36 @@ defmodule Pleroma.HTMLTest do
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
end
+
+ test "does not allow spans with invalid classes" do
+ expected = """
+ <span>hi</span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "does allow microformats" do
+ expected = """
+ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "filters invalid microformats markup" do
+ expected = """
+ <span class="h-card"><a>@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(
+ @html_span_invalid_microformats_sample,
+ Pleroma.HTML.Scrubber.TwitterText
+ )
+ end
end
describe "default scrubber" do
@@ -80,5 +122,34 @@ defmodule Pleroma.HTMLTest do
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
end
+
+ test "does not allow spans with invalid classes" do
+ expected = """
+ <span>hi</span>
+ """
+
+ assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "does allow microformats" do
+ expected = """
+ <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "filters invalid microformats markup" do
+ expected = """
+ <span class="h-card"><a>@<span>foo</span></a></span>
+ """
+
+ assert expected ==
+ HTML.filter_tags(
+ @html_span_invalid_microformats_sample,
+ Pleroma.HTML.Scrubber.Default
+ )
+ end
end
end
diff --git a/test/web/activity_pub/activity_pub_test.exs b/test/web/activity_pub/activity_pub_test.exs
index a55961ac4..5b4e91376 100644
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@@ -809,4 +809,33 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
def data_uri do
File.read!("test/fixtures/avatar_data_uri")
end
+
+ describe "fetch_activities_bounded" do
+ test "fetches private posts for followed users" do
+ user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.post(user, %{
+ "status" => "thought I looked cute might delete later :3",
+ "visibility" => "private"
+ })
+
+ [result] = ActivityPub.fetch_activities_bounded([user.follower_address], [])
+ assert result.id == activity.id
+ end
+
+ test "fetches only public posts for other users" do
+ user = insert(:user)
+ {:ok, activity} = CommonAPI.post(user, %{"status" => "#cofe", "visibility" => "public"})
+
+ {:ok, _private_activity} =
+ CommonAPI.post(user, %{
+ "status" => "why is tenshi eating a corndog so cute?",
+ "visibility" => "private"
+ })
+
+ [result] = ActivityPub.fetch_activities_bounded([], [user.follower_address])
+ assert result.id == activity.id
+ end
+ end
end
diff --git a/test/web/activity_pub/transmogrifier_test.exs b/test/web/activity_pub/transmogrifier_test.exs
index e5e3c8d33..38f52f983 100644
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@@ -1128,4 +1128,44 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
)
end
end
+
+ describe "fix_explicit_addressing" do
+ test "moves non-explicitly mentioned actors to cc" do
+ user = insert(:user)
+
+ explicitly_mentioned_actors = [
+ "https://pleroma.gold/users/user1",
+ "https://pleroma.gold/user2"
+ ]
+
+ object = %{
+ "actor" => user.ap_id,
+ "to" => explicitly_mentioned_actors ++ ["https://social.beepboop.ga/users/dirb"],
+ "cc" => [],
+ "tag" =>
+ Enum.map(explicitly_mentioned_actors, fn href ->
+ %{"type" => "Mention", "href" => href}
+ end)
+ }
+
+ fixed_object = Transmogrifier.fix_explicit_addressing(object)
+ assert Enum.all?(explicitly_mentioned_actors, &(&1 in fixed_object["to"]))
+ refute "https://social.beepboop.ga/users/dirb" in fixed_object["to"]
+ assert "https://social.beepboop.ga/users/dirb" in fixed_object["cc"]
+ end
+
+ test "does not move actor's follower collection to cc" do
+ user = insert(:user)
+
+ object = %{
+ "actor" => user.ap_id,
+ "to" => [user.follower_address],
+ "cc" => []
+ }
+
+ fixed_object = Transmogrifier.fix_explicit_addressing(object)
+ assert user.follower_address in fixed_object["to"]
+ refute user.follower_address in fixed_object["cc"]
+ end
+ end
end
diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs
index f8da86004..9daa26410 100644
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@@ -1461,7 +1461,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
assert user = json_response(conn, 200)
assert user["note"] ==
- "I drink <a class=\"hashtag\" data-tag=\"cofe\" href=\"http://localhost:4001/tag/cofe\">#cofe</a> with <span class=\"h-card\"><a data-user=\"#{
+ "I drink <a class=\"hashtag\" data-tag=\"cofe\" href=\"http://localhost:4001/tag/cofe\" rel=\"tag\">#cofe</a> with <span class=\"h-card\"><a data-user=\"#{
user2.id
}\" class=\"u-url mention\" href=\"#{user2.ap_id}\">@<span>#{user2.nickname}</span></a></span>"
end
diff --git a/test/web/mastodon_api/status_view_test.exs b/test/web/mastodon_api/status_view_test.exs
index 9249424cd..a4d054486 100644
--- a/test/web/mastodon_api/status_view_test.exs
+++ b/test/web/mastodon_api/status_view_test.exs
@@ -94,7 +94,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
card: nil,
reblog: nil,
content:
- "cool test :firefox: <a class=\"hashtag\" data-tag=\"yeah\" href=\"http://localhost:4001/tag/yeah\">#yeah</a>",
+ "cool test :firefox: <a class=\"hashtag\" data-tag=\"yeah\" href=\"http://localhost:4001/tag/yeah\" rel=\"tag\">#yeah</a>",
created_at: created_at,
reblogs_count: 0,
replies_count: 0,
diff --git a/test/web/twitter_api/views/activity_view_test.exs b/test/web/twitter_api/views/activity_view_test.exs
index 4f854ecaa..47e2e1038 100644
--- a/test/web/twitter_api/views/activity_view_test.exs
+++ b/test/web/twitter_api/views/activity_view_test.exs
@@ -66,7 +66,7 @@ defmodule Pleroma.Web.TwitterAPI.ActivityViewTest do
result = ActivityView.render("activity.json", activity: activity)
assert result["statusnet_html"] ==
- "<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\">#commute</a><br />MVIMG_20181211_054020.jpg"
+ "<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\" rel=\"tag\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\" rel=\"tag\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\" rel=\"tag\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\" rel=\"tag\">#commute</a><br />MVIMG_20181211_054020.jpg"
assert result["text"] ==
"#Bike log - Commute Tuesday\nhttps://pla.bike/posts/20181211/\n#cycling #CHScycling #commute\nMVIMG_20181211_054020.jpg"