diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml index b3a8d5105..880fdfac9 100644 --- a/.github/workflows/build-image.yml +++ b/.github/workflows/build-image.yml @@ -13,9 +13,6 @@ on: jobs: build-image: runs-on: ubuntu-latest - strategy: - matrix: - os: [linux/arm64, linux/amd64] steps: - uses: actions/checkout@v2 - uses: docker/setup-qemu-action@v1 @@ -39,7 +36,7 @@ jobs: - uses: docker/build-push-action@v2 with: context: . - platforms: ${{ matrix.os }} + platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/mastodon:latest diff --git a/CHANGELOG.md b/CHANGELOG.md index f0305d148..dd0ccc5f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ Changelog All notable changes to this project will be documented in this file. -## Unreleased +## [3.5.0] - 2022-03-30 ### Added - **Add support for incoming edited posts** ([Gargron](https://github.com/mastodon/mastodon/pull/16697), [Gargron](https://github.com/mastodon/mastodon/pull/17727), [Gargron](https://github.com/mastodon/mastodon/pull/17728), [Gargron](https://github.com/mastodon/mastodon/pull/17320), [Gargron](https://github.com/mastodon/mastodon/pull/17404), [Gargron](https://github.com/mastodon/mastodon/pull/17390), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17335), [Gargron](https://github.com/mastodon/mastodon/pull/17696), [Gargron](https://github.com/mastodon/mastodon/pull/17745), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17740), [Gargron](https://github.com/mastodon/mastodon/pull/17697), [Gargron](https://github.com/mastodon/mastodon/pull/17648), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17531), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17499), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17498), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17380), [Gargron](https://github.com/mastodon/mastodon/pull/17373), [Gargron](https://github.com/mastodon/mastodon/pull/17334), [Gargron](https://github.com/mastodon/mastodon/pull/17333), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17699), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17748)) @@ -197,6 +197,11 @@ All notable changes to this project will be documented in this file. - Fix hashtag autocomplete overriding user-typed case ([weex](https://github.com/mastodon/mastodon/pull/16460)) - Fix WebAuthn authentication setup to not prompt for PIN ([truongnmt](https://github.com/mastodon/mastodon/pull/16545)) +### Security + +- Fix being able to post URLs longer than 4096 characters ([Gargron](https://github.com/mastodon/mastodon/pull/17908)) +- Fix being able to bypass e-mail restrictions ([Gargron](https://github.com/mastodon/mastodon/pull/17909)) + ## [3.4.6] - 2022-02-03 ### Fixed diff --git a/app/lib/extractor.rb b/app/lib/extractor.rb index ef9407864..aea60dae5 100644 --- a/app/lib/extractor.rb +++ b/app/lib/extractor.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true module Extractor + MAX_DOMAIN_LENGTH = 253 + extend Twitter::TwitterText::Extractor module_function @@ -30,6 +32,10 @@ module Extractor after = $' unless Twitter::TwitterText::Regex[:end_mention_match].match?(after) + _, domain = screen_name.split('@') + + next if domain.present? && domain.length > MAX_DOMAIN_LENGTH + start_position = match_data.char_begin(1) - 1 end_position = match_data.char_end(1) diff --git a/app/models/user.rb b/app/models/user.rb index 7c9ced6ae..76ad7d1b2 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -91,11 +91,11 @@ class User < ApplicationRecord validates :invite_request, presence: true, on: :create, if: :invite_text_required? validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale? - validates_with BlacklistedEmailValidator, on: :create + validates_with BlacklistedEmailValidator, if: -> { !confirmed? } validates_with EmailMxValidator, if: :validate_email_dns? validates :agreement, acceptance: { allow_nil: false, accept: [true, 'true', '1'] }, on: :create - # Those are honeypot/antispam fields + # Honeypot/anti-spam fields attr_accessor :registration_form_time, :website, :confirm_password validates_with RegistrationFormTimeValidator, on: :create diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb index 2a3ac8862..f93450ba6 100644 --- a/app/validators/status_length_validator.rb +++ b/app/validators/status_length_validator.rb @@ -3,35 +3,57 @@ class StatusLengthValidator < ActiveModel::Validator MAX_CHARS = (ENV['MAX_TOOT_CHARS'] || 500).to_i URL_PLACEHOLDER_CHARS = 23 - URL_PLACEHOLDER = "\1#{'x' * URL_PLACEHOLDER_CHARS}" + URL_PLACEHOLDER = 'x' * 23 def validate(status) return unless status.local? && !status.reblog? - @status = status - status.errors.add(:text, I18n.t('statuses.over_character_limit', max: MAX_CHARS)) if too_long? + status.errors.add(:text, I18n.t('statuses.over_character_limit', max: MAX_CHARS)) if too_long?(status) end private - def too_long? - countable_length > MAX_CHARS + def too_long?(status) + countable_length(combined_text(status)) > MAX_CHARS end - def countable_length - total_text.mb_chars.grapheme_length + def countable_length(str) + str.mb_chars.grapheme_length end - def total_text - [@status.spoiler_text, countable_text].join + def combined_text(status) + [status.spoiler_text, countable_text(status.text)].join end - def countable_text - return '' if @status.text.nil? + def countable_text(str) + return '' if str.blank? - @status.text.dup.tap do |new_text| - new_text.gsub!(FetchLinkCardService::URL_PATTERN, URL_PLACEHOLDER) - new_text.gsub!(Account::MENTION_RE, '@\2') + # To ensure that we only give length concessions to entities that + # will be correctly parsed during formatting, we go through full + # entity extraction + + entities = Extractor.remove_overlapping_entities(Extractor.extract_urls_with_indices(str, extract_url_without_protocol: false) + Extractor.extract_mentions_or_lists_with_indices(str)) + + rewrite_entities(str, entities) do |entity| + if entity[:url] + URL_PLACEHOLDER + elsif entity[:screen_name] + "@#{entity[:screen_name].split('@').first}" + end end end + + def rewrite_entities(str, entities) + entities.sort_by! { |entity| entity[:indices].first } + result = ''.dup + + last_index = entities.reduce(0) do |index, entity| + result << str[index...entity[:indices].first] + result << yield(entity) + entity[:indices].last + end + + result << str[last_index..-1] + result + end end diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index f44b32756..cb29e4a54 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -17,7 +17,7 @@ module Mastodon end def flags - 'rc3' + '' end def suffix diff --git a/spec/validators/status_length_validator_spec.rb b/spec/validators/status_length_validator_spec.rb index 643ea6d22..4c80a59e6 100644 --- a/spec/validators/status_length_validator_spec.rb +++ b/spec/validators/status_length_validator_spec.rb @@ -55,6 +55,13 @@ describe StatusLengthValidator do expect(status.errors).to have_received(:add) end + it 'does not count overly long URLs as 23 characters flat' do + text = "http://example.com/valid?#{'#foo?' * 1000}" + status = double(spoiler_text: '', text: text, errors: double(add: nil), local?: true, reblog?: false) + subject.validate(status) + expect(status.errors).to have_received(:add) + end + it 'counts only the front part of remote usernames' do username = '@alice' chars = StatusLengthValidator::MAX_CHARS - 1 - username.length @@ -64,5 +71,13 @@ describe StatusLengthValidator do subject.validate(status) expect(status.errors).to_not have_received(:add) end + + it 'does count both parts of remote usernames for overly long domains' do + text = "@alice@#{'b' * 500}.com" + status = double(spoiler_text: '', text: text, errors: double(add: nil), local?: true, reblog?: false) + + subject.validate(status) + expect(status.errors).to have_received(:add) + end end end