From bd220c32f162230d31e99bdabd30aea787a89cfc Mon Sep 17 00:00:00 2001
From: Yamagishi Kazutoshi
Date: Mon, 7 Nov 2022 00:13:53 +0900
Subject: [PATCH 01/10] Update SECURITY.md (#19869)
---
 SECURITY.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 9a72f3640..d2543b18d 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -10,9 +10,8 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 ## Supported Versions
-| Version | Supported |
-| ------- | ------------------ |
-| 3.5.x | Yes |
-| 3.4.x | Yes |
-| 3.3.x | No |
-| < 3.3 | No |
+| Version | Supported |
+| ------- | ----------|
+| 4.0.x | Yes |
+| 3.5.x | Yes |
+| < 3.5 | No |
From e53fc34e9abd8d6d3a0907fea2d0f657c5e8666c Mon Sep 17 00:00:00 2001
From: rcombs
Date: Sun, 6 Nov 2022 20:16:10 -0600
Subject: [PATCH 02/10] Set autocomplete attr for email field on signup page (#19833)
The email address will be used as the "username" for sign-in purposes, so it's the value that should be stored in password managers. We can inform the password manager of this by setting `autocomplete="email"`. Without this hint, password managers may instead store the `username` field, which isn't valid for sign-in (this happens with iCloud Keychain in Safari, for instance).
---
 app/views/auth/registrations/new.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/views/auth/registrations/new.html.haml b/app/views/auth/registrations/new.html.haml
index 5eb3f937c..b1d52dd0c 100644
--- a/app/views/auth/registrations/new.html.haml
+++ b/app/views/auth/registrations/new.html.haml
@@ -19,7 +19,7 @@
 = f.simple_fields_for :account do |ff|
 = ff.input :display_name, wrapper: :with_label, label: false, required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.display_name'), :autocomplete => 'off', placeholder: t('simple_form.labels.defaults.display_name') }
 = ff.input :username, wrapper: :with_label, label: false, required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.username'), :autocomplete => 'off', placeholder: t('simple_form.labels.defaults.username'), pattern: '[a-zA-Z0-9_]+', maxlength: 30 }, append: "@#{site_hostname}", hint: false
- = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'off' }, hint: false
+ = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'username' }, hint: false
 = f.input :password, placeholder: t('simple_form.labels.defaults.password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.password'), :autocomplete => 'new-password', :minlength => User.password_length.first, :maxlength => User.password_length.last }, hint: false
 = f.input :password_confirmation, placeholder: t('simple_form.labels.defaults.confirm_password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.confirm_password'), :autocomplete => 'new-password' }, hint: false
 = f.input :confirm_password, as: :string, placeholder: t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), :autocomplete => 'off' }, hint: false
From 8c81db5a415cce3491cb5d343709db552ad262b6 Mon Sep 17 00:00:00 2001
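Review bot: The new `:autocomplete => 'username'` on the email input contradicts the commit description, which says the hint being set is `autocomplete="email"`; one of the two should change so the recorded intent matches what ships. If `username` is the intended token (it is the one the HTML autofill vocabulary and Apple's autofill guidance reserve for the sign-in identifier a password manager should save with the password), the description is what needs correcting. A short HAML comment on the line, `-# 'username', not 'email': this is the sign-in identifier password managers should store`, would stop the next reader from "fixing" it back. The surrounding form block starts and ends outside the hunk.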
From: Rob Petti
Date: Sun, 6 Nov 2022 19:16:44 -0700
Subject: [PATCH 03/10] allow /api/v1/streaming to be used as per documentation (#19896)
---
 dist/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dist/nginx.conf b/dist/nginx.conf
index 716c277dd..5c16693d0 100644
--- a/dist/nginx.conf
+++ b/dist/nginx.conf
@@ -112,7 +112,7 @@ server {
 try_files $uri =404;
 }
- location ^~ /api/v1/streaming/ {
+ location ^~ /api/v1/streaming {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
From 54f0f1b9efa73166d5d1dfb475b71111e2a5f2ed Mon Sep 17 00:00:00 2001
From: nightpool
Date: Sun, 6 Nov 2022 21:31:38 -0500
Subject: [PATCH 04/10] Skip Webfinger cache during migrations as well (#19883)
---
 app/models/account_migration.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/account_migration.rb b/app/models/account_migration.rb
index 06291c9f3..16276158d 100644
--- a/app/models/account_migration.rb
+++ b/app/models/account_migration.rb
@@ -58,7 +58,7 @@ class AccountMigration < ApplicationRecord
 private
 def set_target_account
- self.target_account = ResolveAccountService.new.call(acct)
+ self.target_account = ResolveAccountService.new.call(acct, skip_cache: true)
 rescue Webfinger::Error, HTTP::Error, OpenSSL::SSL::SSLError, Mastodon::Error
 # Validation will take care of it
 end
From 4cb23234580b12750940f60afc4a2bbace8347e9 Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 7 Nov 2022 03:38:53 +0100
Subject: [PATCH 05/10] Fix crash in legacy filter creation controller (#19878)
---
 app/controllers/api/v1/filters_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/v1/filters_controller.rb b/app/controllers/api/v1/filters_controller.rb
index 07cd14147..149139b40 100644
--- a/app/controllers/api/v1/filters_controller.rb
+++ b/app/controllers/api/v1/filters_controller.rb
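Review bot: Dropping the trailing slash widens the `^~` prefix from the `/api/v1/streaming/` subtree to every URI that merely starts with `/api/v1/streaming`, so a path such as `/api/v1/streaming-other` would now be proxied to the streaming server instead of falling through to whichever `location` would otherwise serve it. If the only goal is to accept the bare `/api/v1/streaming` path as well, an exact-match block `location = /api/v1/streaming { … }` carrying the same proxy settings next to the original `location ^~ /api/v1/streaming/ {` keeps routing tight; whether any neighbouring route is affected cannot be seen from this config excerpt. The `location` block's body continues outside the hunk.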
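Review bot: The reason the Webfinger cache has to be bypassed is not recorded on the new `ResolveAccountService.new.call(acct, skip_cache: true)` line, and the `rescue` beneath it still silently leaves `target_account` unset, so a later reader cannot tell whether the uncached lookup is essential or incidental. A why-comment stating the actual reason, along the lines of `# skip_cache: true — a stale Webfinger answer here would resolve the wrong target account`, would help; the title says this mirrors an earlier change, which the comment could point at. Presumably this callback runs on every validation of the record, so each save now costs a fresh remote lookup — worth noting in the same comment if so. The `AccountMigration` class continues outside the hunk.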
@@ -52,7 +52,7 @@ class Api::V1::FiltersController < Api::BaseController
 end
 def resource_params
- params.permit(:phrase, :expires_in, :irreversible, :whole_word, context: [])
+ params.permit(:phrase, :expires_in, :irreversible, context: [])
 end
 def filter_params
From 34c269310d2017c3164d57c1e8631f9423092ee3 Mon Sep 17 00:00:00 2001
From: Sunny Ripert
Date: Mon, 7 Nov 2022 03:39:48 +0100
Subject: [PATCH 06/10] Fix console log error on column settings load (#19886)
---
 .../features/notifications/components/column_settings.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/javascript/mastodon/features/notifications/components/column_settings.js b/app/javascript/mastodon/features/notifications/components/column_settings.js
index d75fa8a02..a38f8d3c2 100644
--- a/app/javascript/mastodon/features/notifications/components/column_settings.js
+++ b/app/javascript/mastodon/features/notifications/components/column_settings.js
@@ -21,7 +21,7 @@ export default class ColumnSettings extends React.PureComponent {
 onRequestNotificationPermission: PropTypes.func,
 alertsEnabled: PropTypes.bool,
 browserSupport: PropTypes.bool,
- browserPermission: PropTypes.bool,
+ browserPermission: PropTypes.string,
 };
 onPushChange = (path, checked) => {
From ffe735344bb47ad2af743ad97729db9ea9c11f60 Mon Sep 17 00:00:00 2001
From: Sunny Ripert
Date: Mon, 7 Nov 2022 03:40:04 +0100
Subject: [PATCH 07/10] Fix JavaScript console error on Getting Started column (#19891)
* Fix JavaScript console error on Getting Started column
* Update app/javascript/mastodon/components/column_header.js
Co-authored-by: Ilias Tsangaris
Co-authored-by: Ilias Tsangaris
---
 app/javascript/mastodon/components/column_header.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/javascript/mastodon/components/column_header.js b/app/javascript/mastodon/components/column_header.js
index 5b2e16627..43efa179e 100644
--- a/app/javascript/mastodon/components/column_header.js
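Review bot: Nothing on the hunk says why `:whole_word` had to leave `resource_params`, so a reader cannot tell a deliberate narrowing from an accidental one; presumably `whole_word` is an attribute of the keyword record rather than the filter and is permitted elsewhere in this controller, but that is not visible here. A one-line comment above the `permit`, e.g. `# whole_word belongs to the filter keyword, not the filter itself; it is permitted separately`, plus a request spec that creates a legacy filter with `whole_word` set, would pin the fix and stop the key from being re-added. `filter_params` begins on the hunk's last line and its body is outside the hunk.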
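Review bot: `PropTypes.string` accepts any string, whereas the values this prop is presumably fed are the three `Notification.permission` states; `browserPermission: PropTypes.oneOf(['granted', 'denied', 'default'])` would catch the next mismatch instead of silently passing it, if that is indeed where the value comes from. The `propTypes` object closes on the hunk's `};` line; the component continues outside the hunk.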
+++ b/app/javascript/mastodon/components/column_header.js
@@ -57,7 +57,7 @@ class ColumnHeader extends React.PureComponent {
 }
 handleTitleClick = () => {
- this.props.onClick();
+ this.props.onClick?.();
 }
 handleMoveLeft = () => {
From 02a34252ba21a405e3960da4b65c15a2c8d952f2 Mon Sep 17 00:00:00 2001
From: Jeremy Kescher
Date: Mon, 7 Nov 2022 02:40:17 +0000
Subject: [PATCH 08/10] Add null check on application in dispute viewer (#19851)
---
 app/views/disputes/strikes/show.html.haml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/views/disputes/strikes/show.html.haml b/app/views/disputes/strikes/show.html.haml
index 1be50331a..4a3005f72 100644
--- a/app/views/disputes/strikes/show.html.haml
+++ b/app/views/disputes/strikes/show.html.haml
@@ -59,8 +59,9 @@
 = media_attachment.file_file_name
 .strike-card__statuses-list__item__meta
 %time.formatted{ datetime: status.created_at.iso8601, title: l(status.created_at) }= l(status.created_at)
- ·
- = status.application.name
- unless status.application.nil?
 ·
 = status.application.name
 - else
 .one-liner= t('disputes.strikes.status', id: status_id)
 .strike-card__statuses-list__item__meta
From 4b7f32a2a668b7068ede7ac8eb2ac087883ba213 Mon Sep 17 00:00:00 2001
From: Sunny Ripert
Date: Mon, 7 Nov 2022 03:40:54 +0100
Subject: [PATCH 09/10] Fix double button to clear emoji search input (#19888)
---
 app/javascript/styles/mastodon/emoji_picker.scss | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/javascript/styles/mastodon/emoji_picker.scss b/app/javascript/styles/mastodon/emoji_picker.scss
index e4ec96d89..1042ddda8 100644
--- a/app/javascript/styles/mastodon/emoji_picker.scss
+++ b/app/javascript/styles/mastodon/emoji_picker.scss
@@ -132,6 +132,10 @@
 &:active {
 outline: 0 !important;
 }
+
+ &::-webkit-search-cancel-button {
+ display: none;
+ }
 }
 }
From a70e2cd649cbd82d534f03202fb3078a4ae1af1d Mon Sep 17 00:00:00 2001
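Review bot: `this.props.onClick?.()` turns a missing handler into a silent no-op, so the `propTypes` entry for `onClick` (outside the hunk) must not be `isRequired` any more, or the console error being fixed simply moves to a prop-type warning; if it is already declared optional this is fine. A short comment on the line, `// onClick is optional: some columns render this header with no click target`, would record why the call is guarded. `ColumnHeader` continues outside the hunk.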
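Review bot: `- unless status.application.nil?` reads as a double negative; `- if status.application` expresses the same check in the usual Ruby/HAML style. The `- else` on the following line sits one indentation level out, so it presumably pairs with a conditional that begins above the hunk rather than with the new branch; worth confirming that the new `unless` and the two lines under it are nested one level deeper than the `%time` line so HAML attaches them where intended. The enclosing conditional begins outside the hunk.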
From: Chris Rose
Date: Sun, 6 Nov 2022 18:57:16 -0800
Subject: [PATCH 10/10] Tag the OTP field with autocomplete for password managers (#19946)
This is modeled on #19833, and based on the attribute values documented in https://developer.apple.com/documentation/security/password_autofill/enabling_password_autofill_on_an_html_input_element?language=objc
---
 .../auth/sessions/two_factor/_otp_authentication_form.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml b/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml
index ab2d48c0a..82f957527 100644
--- a/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml
+++ b/app/views/auth/sessions/two_factor/_otp_authentication_form.html.haml
@@ -5,7 +5,7 @@
 %p.hint.authentication-hint= t('simple_form.hints.sessions.otp')
 .fields-group
- = f.input :otp_attempt, type: :number, wrapper: :with_label, label: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt'), :autocomplete => 'off' }, autofocus: true
+ = f.input :otp_attempt, type: :number, wrapper: :with_label, label: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt'), :autocomplete => 'one-time-code' }, autofocus: true
 .actions
 = f.button :button, t('auth.login'), type: :submit
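Review bot: `type: :number` is kept on the OTP input and sits awkwardly next to the new `'one-time-code'` hint: a number input accepts `e`, `+`, `-` and `.`, renders a spinner, and may not round-trip leading zeros, which matters for six-digit codes such as `012345`. The usual shape for a one-time code is a text input with a numeric keyboard hint, i.e. `type: :text` with `inputmode: 'numeric', pattern: '[0-9]*'` added to `input_html` beside the new autocomplete value, so that autofill from a password manager or SMS lands in a field that preserves the code verbatim. The form continues outside the hunk.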