From 69378eac99c013a0db7d2d5ff9a54dfcc287d9ce Mon Sep 17 00:00:00 2001
From: David Leadbeater
Date: Mon, 21 Nov 2022 05:28:13 +1100
Subject: [PATCH 1/3] Don't allow URLs that contain non-normalized paths to be verified (#20999)

* Don't allow URLs that contain non-normalized paths to be verified

This stops things like https://example.com/otheruser/../realuser where "/otheruser" appears to be the verified URL, but the actual URL being verified is "/realuser" due to the "/../".

Also fix a test to use 'https', so it is testing the right thing, now that since #20304 https is required.

* missing do
---
 app/models/account/field.rb | 3 ++-
 spec/models/account/field_spec.rb | 10 +++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/models/account/field.rb b/app/models/account/field.rb
index ffc8dce80b7099..4db4cac30150b4 100644
--- a/app/models/account/field.rb
+++ b/app/models/account/field.rb
@@ -46,7 +46,8 @@ def verifiable?
 parsed_url.user.nil? &&
 parsed_url.password.nil? &&
 parsed_url.host.present? &&
- parsed_url.normalized_host == parsed_url.host
+ parsed_url.normalized_host == parsed_url.host &&
+ (parsed_url.path.empty? || parsed_url.path == parsed_url.normalized_path)
 rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
 false
 end
diff --git a/spec/models/account/field_spec.rb b/spec/models/account/field_spec.rb
index b4beec0483b8ee..0ac9769bccf78a 100644
--- a/spec/models/account/field_spec.rb
+++ b/spec/models/account/field_spec.rb
@@ -67,7 +67,15 @@ end
 context 'for an IDN URL' do
- let(:value) { 'http://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+ let(:value) { 'https://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+
+ it 'returns false' do
+ expect(subject.verifiable?).to be false
+ end
+ end
+
+ context 'for a URL with a non-normalized path' do
+ let(:value) { 'https://github.com/octocatxxxxxxxx/../mastodon' }
 
 it 'returns false' do
 expect(subject.verifiable?).to be false
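Review bot: The new path clause in `verifiable?` gives no hint why a path that changes under normalization matters, and the `parsed_url.path.empty?` exemption reads as arbitrary without a comment; I would put above the two added lines `# A path that differs from its normalized form (e.g. one containing "/../") displays one URL but fetches another, so it must not be verifiable; an empty path has no segments to rewrite and is allowed.` The empty-path exemption looks like it exists because Addressable normalizes an empty http(s) path to "/", which would otherwise fail the equality — worth confirming against the Addressable version in use and stating in the comment. Query and fragment are not covered by this check, which is only safe if the verification fetch and the displayed value use the same string; that is not visible here. `verifiable?` starts outside the hunk.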
From 51a33ce77a32b85eaff37670c40a497aaef13e18 Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 21 Nov 2022 10:35:09 +0100
Subject: [PATCH 2/3] Fix not being able to follow more than one hashtag (#21285)

Fixes regression from #20860
---
 app/controllers/api/v1/tags_controller.rb | 2 +-
 spec/controllers/api/v1/tags_controller_spec.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/tags_controller.rb b/app/controllers/api/v1/tags_controller.rb
index 0966ee469996f5..272362c3149d5a 100644
--- a/app/controllers/api/v1/tags_controller.rb
+++ b/app/controllers/api/v1/tags_controller.rb
@@ -12,7 +12,7 @@ def show
 end
 
 def follow
- TagFollow.first_or_create!(tag: @tag, account: current_account, rate_limit: true)
+ TagFollow.create_with(rate_limit: true).find_or_create_by!(tag: @tag, account: current_account)
 
 render json: @tag, serializer: REST::TagSerializer
 end
diff --git a/spec/controllers/api/v1/tags_controller_spec.rb b/spec/controllers/api/v1/tags_controller_spec.rb
index ac42660dfaf64a..216faad8724a43 100644
--- a/spec/controllers/api/v1/tags_controller_spec.rb
+++ b/spec/controllers/api/v1/tags_controller_spec.rb
@@ -33,7 +33,11 @@ end
 describe 'POST #follow' do
+ let!(:unrelated_tag) { Fabricate(:tag) }
+
 before do
+ TagFollow.create!(account: user.account, tag: unrelated_tag)
+
 post :follow, params: { id: name }
 end
From f343ed42ff1d288989f3a577362cc672e4cae437 Mon Sep 17 00:00:00 2001
From: BtbN
Date: Tue, 22 Nov 2022 05:52:18 +0100
Subject: [PATCH 3/3] Add missing procps package to Dockerfile (#21028)

The new Debian-Base does not come with this by default, making the ps based health-check in the compose file fail
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 081981d46713ae..69153c03003e81 100644
--- a/Dockerfile
+++ b/Dockerfile
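Review bot: `find_or_create_by!` in `follow` is a SELECT followed by an INSERT, so two concurrent requests for the same tag can both miss the lookup and the second insert then fails with `ActiveRecord::RecordNotUnique` if, as seems likely, tag_follows carries a unique index on (account_id, tag_id); the controller does not rescue that, so a double-submit surfaces as an error instead of the idempotent response the endpoint otherwise gives. The usual mitigation is to rescue `ActiveRecord::RecordNotUnique` around the call and repeat the lookup once, which needs only a few lines. A short comment on the new line would also help, e.g. `# rate_limit is only applied when the row is created; an existing follow is returned untouched`, since that distinction is why `create_with` is split from `find_or_create_by!`. The `follow` method lies entirely within the hunk.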
@@ -56,6 +56,7 @@ RUN apt-get update && \
 useradd -u "$UID" -g "${GID}" -m -d /opt/mastodon mastodon && \
 apt-get -y --no-install-recommends install whois \
 wget \
+ procps \
 libssl1.1 \
 libpq5 \
 imagemagick \
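Review bot: `procps` is added to the install list with nothing in the file saying why it is needed, so a later tidy-up of the package list could drop it and silently break the ps-based compose healthcheck the commit message describes; I would add a full-line comment directly above it, `# procps provides ps, used by the docker-compose healthcheck`. Dockerfile accepts a `#` comment line inside a backslash-continued RUN but not a trailing comment after the `\`, so it has to be on its own line. The RUN instruction this list belongs to starts before the hunk and continues past it.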