From 6bdc9866b71fe59f971c3c1b0a542f95c1c53985 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20Miko=C5=82ajczak?= Date: Tue, 27 Nov 2018 16:40:39 +0100 Subject: [PATCH 1/9] security/l10n [fr] do not leak registered e-mail addresses (#9375) Do not leak existence of e-mail addresses during login attempt in French translation --- config/locales/devise.fr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/locales/devise.fr.yml b/config/locales/devise.fr.yml index b6c9e5bd8..5098de2d9 100644 --- a/config/locales/devise.fr.yml +++ b/config/locales/devise.fr.yml @@ -8,7 +8,7 @@ fr: failure: already_authenticated: Vous êtes déjà connecté⋅e. inactive: Votre compte n’est pas encore activé. - invalid: "%{authentication_keys} incorrect." + invalid: "%{authentication_keys} invalide." last_attempt: Vous avez droit à une tentative avant que votre compte ne soit verrouillé. locked: Votre compte est verrouillé. not_found_in_database: "%{authentication_keys} invalide." From cb583ff355ce7a415388963d72a144f6f326c450 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20Miko=C5=82ajczak?= Date: Tue, 27 Nov 2018 17:39:41 +0100 Subject: [PATCH 2/9] Do not leak existence of e-mail addresses during login attempt, part 2 (#9376) * Do not leak existence of e-mail addresses during login attempt, part 2 * Update devise.uk.yml --- config/locales/devise.hr.yml | 2 +- config/locales/devise.uk.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/locales/devise.hr.yml b/config/locales/devise.hr.yml index 276d26cad..2a859054a 100644 --- a/config/locales/devise.hr.yml +++ b/config/locales/devise.hr.yml @@ -8,7 +8,7 @@ hr: invalid: Nevaljan %{authentication_keys} ili lozinka. last_attempt: Imaš još jedan pokušaj prije no što ti se račun zaključa. locked: Tvoj račun je zaključan. - not_found_in_database: Nevaljani %{authentication_keys} ili lozinka. + not_found_in_database: Nevaljan %{authentication_keys} ili lozinka. send_instructions: Primit ćeš email sa uputama kako potvrditi svoju email adresu za nekoliko minuta. send_paranoid_instructions: Ako tvoja email adresa postoji u našoj bazi podataka, primit ćeš email sa uputama kako ju potvrditi za nekoliko minuta. timeout: Tvoja sesija je istekla. Molimo te, prijavi se ponovo kako bi nastavio. diff --git a/config/locales/devise.uk.yml b/config/locales/devise.uk.yml index 149fc6ce5..6ec01b3d7 100644 --- a/config/locales/devise.uk.yml +++ b/config/locales/devise.uk.yml @@ -11,7 +11,7 @@ uk: invalid: Неправильний %{authentication_keys} або пароль. last_attempt: У вас є остання спроба, після якої вхід буде заблокований. locked: Ваш акаунт заблокований. - not_found_in_database: Неправильні %{authentication_keys} або пароль. + not_found_in_database: Неправильний %{authentication_keys} або пароль. timeout: Ваша сесія вичерпана. Будь ласка, зайдіть знову, щоб продовжити. unauthenticated: Для продовження Вам потрібно увійти або зареєструватися. unconfirmed: Для продовження Вам потрібно підтвердити Вашу поштову скриньку. From 43c311b3a101d7364f10365c1a7a19374d539e93 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 27 Nov 2018 18:13:36 +0100 Subject: [PATCH 3/9] Fix nil error when no DNS addresses are found for host (#9379) --- app/lib/request.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/lib/request.rb b/app/lib/request.rb index bb6ef4661..024fce88a 100644 --- a/app/lib/request.rb +++ b/app/lib/request.rb @@ -163,7 +163,11 @@ class Request end end - raise outer_e if outer_e + if outer_e + raise outer_e + else + raise SocketError, "No address for #{host}" + end end alias new open From 81f96c973afab8b8357651dd55bc7b086d512935 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 27 Nov 2018 18:49:37 +0100 Subject: [PATCH 4/9] Don't count suspended users in user count (#9380) Fix #7637 --- app/presenters/instance_presenter.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/presenters/instance_presenter.rb b/app/presenters/instance_presenter.rb index 093c8ff32..dc77162d4 100644 --- a/app/presenters/instance_presenter.rb +++ b/app/presenters/instance_presenter.rb @@ -18,7 +18,7 @@ class InstancePresenter end def user_count - Rails.cache.fetch('user_count') { User.confirmed.count } + Rails.cache.fetch('user_count') { User.confirmed.joins(:account).merge(Account.without_suspended).count } end def status_count From 11955600ad8ef1be41b01c5424a07975caeaaf51 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 27 Nov 2018 19:15:08 +0100 Subject: [PATCH 5/9] Skip deliveries to inboxes that have already been marked as unavailable (#9358) --- app/workers/activitypub/delivery_worker.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/workers/activitypub/delivery_worker.rb b/app/workers/activitypub/delivery_worker.rb index adbb496d9..f9c385ea3 100644 --- a/app/workers/activitypub/delivery_worker.rb +++ b/app/workers/activitypub/delivery_worker.rb @@ -11,6 +11,8 @@ class ActivityPub::DeliveryWorker HEADERS = { 'Content-Type' => 'application/activity+json' }.freeze def perform(json, source_account_id, inbox_url, options = {}) + return if DeliveryFailureTracker.unavailable?(inbox_url) + @options = options.with_indifferent_access @json = json @source_account = Account.find(source_account_id) From c39d7e7b2b80a23f8d4e1410bb1c2d6033f30af0 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 27 Nov 2018 19:46:05 +0100 Subject: [PATCH 6/9] Fix TLS handshake timeout not being enforced (#9381) Follow-up to #9329 --- app/lib/request.rb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/app/lib/request.rb b/app/lib/request.rb index 024fce88a..4a81773e3 100644 --- a/app/lib/request.rb +++ b/app/lib/request.rb @@ -4,6 +4,16 @@ require 'ipaddr' require 'socket' require 'resolv' +# Monkey-patch the HTTP.rb timeout class to avoid using a timeout block +# around the Socket#open method, since we use our own timeout blocks inside +# that method +class HTTP::Timeout::PerOperation + def connect(socket_class, host, port, nodelay = false) + @socket = socket_class.open(host, port) + @socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1) if nodelay + end +end + class Request REQUEST_TARGET = '(request-target)' @@ -95,7 +105,11 @@ class Request end def timeout - { connect: nil, read: 10, write: 10 } + # We enforce a 1s timeout on DNS resolving, 10s timeout on socket opening + # and 5s timeout on the TLS handshake, meaning the worst case should take + # about 16s in total + + { connect: 5, read: 10, write: 10 } end def http_client From 7f68452a152563ed48eef0375dcff46e29dbab89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" Date: Tue, 27 Nov 2018 23:34:39 +0100 Subject: [PATCH 7/9] [Security] Bump rails from 5.2.1 to 5.2.1.1 (#9383) Bumps [rails](https://github.com/rails/rails) from 5.2.1 to 5.2.1.1. **This update includes security fixes.** - [Release notes](https://github.com/rails/rails/releases) - [Commits](https://github.com/rails/rails/compare/v5.2.1...v5.2.1.1) Signed-off-by: dependabot[bot] --- Gemfile.lock | 78 ++++++++++++++++++++++++++-------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d6a56ec8a..0bf4a202d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -15,25 +15,25 @@ GIT GEM remote: https://rubygems.org/ specs: - actioncable (5.2.1) - actionpack (= 5.2.1) + actioncable (5.2.1.1) + actionpack (= 5.2.1.1) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailer (5.2.1) - actionpack (= 5.2.1) - actionview (= 5.2.1) - activejob (= 5.2.1) + actionmailer (5.2.1.1) + actionpack (= 5.2.1.1) + actionview (= 5.2.1.1) + activejob (= 5.2.1.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.2.1) - actionview (= 5.2.1) - activesupport (= 5.2.1) + actionpack (5.2.1.1) + actionview (= 5.2.1.1) + activesupport (= 5.2.1.1) rack (~> 2.0) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.1) - activesupport (= 5.2.1) + actionview (5.2.1.1) + activesupport (= 5.2.1.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) @@ -44,20 +44,20 @@ GEM case_transform (>= 0.2) jsonapi-renderer (>= 0.1.1.beta1, < 0.3) active_record_query_trace (1.5.4) - activejob (5.2.1) - activesupport (= 5.2.1) + activejob (5.2.1.1) + activesupport (= 5.2.1.1) globalid (>= 0.3.6) - activemodel (5.2.1) - activesupport (= 5.2.1) - activerecord (5.2.1) - activemodel (= 5.2.1) - activesupport (= 5.2.1) + activemodel (5.2.1.1) + activesupport (= 5.2.1.1) + activerecord (5.2.1.1) + activemodel (= 5.2.1.1) + activesupport (= 5.2.1.1) arel (>= 9.0) - activestorage (5.2.1) - actionpack (= 5.2.1) - activerecord (= 5.2.1) + activestorage (5.2.1.1) + actionpack (= 5.2.1.1) + activerecord (= 5.2.1.1) marcel (~> 0.3.1) - activesupport (5.2.1) + activesupport (5.2.1.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -321,16 +321,16 @@ GEM loofah (2.2.3) crass (~> 1.0.2) nokogiri (>= 1.5.9) - mail (2.7.0) + mail (2.7.1) mini_mime (>= 0.1.1) makara (0.4.0) activerecord (>= 3.0.0) - marcel (0.3.2) + marcel (0.3.3) mimemagic (~> 0.3.2) mario-redis-lock (1.2.1) redis (>= 3.0.5) memory_profiler (0.9.12) - method_source (0.9.1) + method_source (0.9.2) microformats (4.0.7) json nokogiri @@ -429,18 +429,18 @@ GEM rack rack-test (1.1.0) rack (>= 1.0, < 3) - rails (5.2.1) - actioncable (= 5.2.1) - actionmailer (= 5.2.1) - actionpack (= 5.2.1) - actionview (= 5.2.1) - activejob (= 5.2.1) - activemodel (= 5.2.1) - activerecord (= 5.2.1) - activestorage (= 5.2.1) - activesupport (= 5.2.1) + rails (5.2.1.1) + actioncable (= 5.2.1.1) + actionmailer (= 5.2.1.1) + actionpack (= 5.2.1.1) + actionview (= 5.2.1.1) + activejob (= 5.2.1.1) + activemodel (= 5.2.1.1) + activerecord (= 5.2.1.1) + activestorage (= 5.2.1.1) + activesupport (= 5.2.1.1) bundler (>= 1.3.0) - railties (= 5.2.1) + railties (= 5.2.1.1) sprockets-rails (>= 2.0.0) rails-controller-testing (1.0.2) actionpack (~> 5.x, >= 5.0.1) @@ -456,9 +456,9 @@ GEM railties (>= 5.0, < 6) rails-settings-cached (0.6.6) rails (>= 4.2.0) - railties (5.2.1) - actionpack (= 5.2.1) - activesupport (= 5.2.1) + railties (5.2.1.1) + actionpack (= 5.2.1.1) + activesupport (= 5.2.1.1) method_source rake (>= 0.8.7) thor (>= 0.19.0, < 2.0) From 6fac300ea4c61af07ceb2ce2832c2397712f7857 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" Date: Wed, 28 Nov 2018 16:34:54 +0100 Subject: [PATCH 8/9] Bump aws-sdk-s3 from 1.25.0 to 1.27.0 (#9385) Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.25.0 to 1.27.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile b/Gemfile index 6939d8a3e..cb5f075c1 100644 --- a/Gemfile +++ b/Gemfile @@ -15,7 +15,7 @@ gem 'makara', '~> 0.4' gem 'pghero', '~> 2.2' gem 'dotenv-rails', '~> 2.5' -gem 'aws-sdk-s3', '~> 1.25', require: false +gem 'aws-sdk-s3', '~> 1.27', require: false gem 'fog-core', '<= 2.1.0' gem 'fog-openstack', '~> 0.3', require: false gem 'paperclip', '~> 6.0' diff --git a/Gemfile.lock b/Gemfile.lock index 0bf4a202d..d2c469756 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -76,16 +76,16 @@ GEM av (0.9.0) cocaine (~> 0.5.3) aws-eventstream (1.0.1) - aws-partitions (1.115.0) - aws-sdk-core (3.39.0) + aws-partitions (1.118.0) + aws-sdk-core (3.41.0) aws-eventstream (~> 1.0) aws-partitions (~> 1.0) aws-sigv4 (~> 1.0) jmespath (~> 1.0) - aws-sdk-kms (1.12.0) + aws-sdk-kms (1.13.0) aws-sdk-core (~> 3, >= 3.39.0) aws-sigv4 (~> 1.0) - aws-sdk-s3 (1.25.0) + aws-sdk-s3 (1.27.0) aws-sdk-core (~> 3, >= 3.39.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.0) @@ -651,7 +651,7 @@ DEPENDENCIES active_record_query_trace (~> 1.5) addressable (~> 2.5) annotate (~> 2.7) - aws-sdk-s3 (~> 1.25) + aws-sdk-s3 (~> 1.27) better_errors (~> 2.5) binding_of_caller (~> 0.7) bootsnap (~> 1.3) From fa9f28f52d38b5cf3184d6bc77f5554b74fca348 Mon Sep 17 00:00:00 2001 From: ThibG Date: Thu, 29 Nov 2018 02:56:09 +0100 Subject: [PATCH 9/9] Swap avatar and header input fields in profile page (#9271) Fixes #9211 --- app/views/settings/profiles/show.html.haml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/views/settings/profiles/show.html.haml b/app/views/settings/profiles/show.html.haml index f5c50144b..4530ffae2 100644 --- a/app/views/settings/profiles/show.html.haml +++ b/app/views/settings/profiles/show.html.haml @@ -14,9 +14,10 @@ = render 'application/card', account: @account .fields-row__column.fields-group.fields-row__column-6 + = f.input :header, wrapper: :with_label, input_html: { accept: AccountHeader::IMAGE_MIME_TYPES.join(',') }, hint: t('simple_form.hints.defaults.header', dimensions: '1500x500', size: number_to_human_size(AccountHeader::LIMIT)) + = f.input :avatar, wrapper: :with_label, input_html: { accept: AccountAvatar::IMAGE_MIME_TYPES.join(',') }, hint: t('simple_form.hints.defaults.avatar', dimensions: '400x400', size: number_to_human_size(AccountAvatar::LIMIT)) - = f.input :header, wrapper: :with_label, input_html: { accept: AccountHeader::IMAGE_MIME_TYPES.join(',') }, hint: t('simple_form.hints.defaults.header', dimensions: '1500x500', size: number_to_human_size(AccountHeader::LIMIT)) %hr.spacer/