From 607ce67e05885108fbcbe0e3c170718a5586044e Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 30 Mar 2022 14:34:53 +0200
Subject: [PATCH 1/4] Revert "Split build image actions (#17793)" (#17907)

This reverts commit 22eeaf2645e44ea800a6e4c4acb7bf9d72211344.
---
 .github/workflows/build-image.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 0fa28aca1..75c7b54a6 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -13,9 +13,6 @@ on:
 jobs:
   build-image:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: [linux/arm64, linux/amd64]
     steps:
       - uses: actions/checkout@v2
       - uses: docker/setup-qemu-action@v1
@@ -38,7 +35,7 @@ jobs:
       - uses: docker/build-push-action@v2
         with:
           context: .
-          platforms: ${{ matrix.os }}
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           cache-from: type=registry,ref=tootsuite/mastodon:latest

From 5554ff2a1d6f451d63d03f4eb0a740d8c91455de Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 30 Mar 2022 14:45:52 +0200
Subject: [PATCH 2/4] Fix being able to bypass e-mail restrictions (#17909)

---
 app/models/user.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index f2d9c49eb..e25c0ddb0 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -91,11 +91,11 @@ class User < ApplicationRecord
   validates :invite_request, presence: true, on: :create, if: :invite_text_required?
 
   validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale?
-  validates_with BlacklistedEmailValidator, on: :create
+  validates_with BlacklistedEmailValidator, if: -> { !confirmed? }
   validates_with EmailMxValidator, if: :validate_email_dns?
   validates :agreement, acceptance: { allow_nil: false, accept: [true, 'true', '1'] }, on: :create
 
-  # Those are honeypot/antispam fields
+  # Honeypot/anti-spam fields
   attr_accessor :registration_form_time, :website, :confirm_password
 
   validates_with RegistrationFormTimeValidator, on: :create

From bbc7afa2a24519ac238cbcd4e8aec310a002c40e Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 30 Mar 2022 14:46:03 +0200
Subject: [PATCH 3/4] Fix being able to post URLs longer than 4096 characters
 (#17908)

---
 app/lib/extractor.rb                          |  6 +++
 app/validators/status_length_validator.rb     | 50 +++++++++++++------
 .../status_length_validator_spec.rb           | 15 ++++++
 3 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/app/lib/extractor.rb b/app/lib/extractor.rb
index ef9407864..aea60dae5 100644
--- a/app/lib/extractor.rb
+++ b/app/lib/extractor.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module Extractor
+  MAX_DOMAIN_LENGTH = 253
+
   extend Twitter::TwitterText::Extractor
 
   module_function
@@ -30,6 +32,10 @@ module Extractor
       after      = $'
 
       unless Twitter::TwitterText::Regex[:end_mention_match].match?(after)
+        _, domain = screen_name.split('@')
+
+        next if domain.present? && domain.length > MAX_DOMAIN_LENGTH
+
         start_position = match_data.char_begin(1) - 1
         end_position   = match_data.char_end(1)
 
diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb
index 4c258ec16..e107912b7 100644
--- a/app/validators/status_length_validator.rb
+++ b/app/validators/status_length_validator.rb
@@ -3,35 +3,57 @@
 class StatusLengthValidator < ActiveModel::Validator
   MAX_CHARS = 500
   URL_PLACEHOLDER_CHARS = 23
-  URL_PLACEHOLDER = "\1#{'x' * URL_PLACEHOLDER_CHARS}"
+  URL_PLACEHOLDER = 'x' * 23
 
   def validate(status)
     return unless status.local? && !status.reblog?
 
-    @status = status
-    status.errors.add(:text, I18n.t('statuses.over_character_limit', max: MAX_CHARS)) if too_long?
+    status.errors.add(:text, I18n.t('statuses.over_character_limit', max: MAX_CHARS)) if too_long?(status)
   end
 
   private
 
-  def too_long?
-    countable_length > MAX_CHARS
+  def too_long?(status)
+    countable_length(combined_text(status)) > MAX_CHARS
   end
 
-  def countable_length
-    total_text.mb_chars.grapheme_length
+  def countable_length(str)
+    str.mb_chars.grapheme_length
   end
 
-  def total_text
-    [@status.spoiler_text, countable_text].join
+  def combined_text(status)
+    [status.spoiler_text, countable_text(status.text)].join
   end
 
-  def countable_text
-    return '' if @status.text.nil?
+  def countable_text(str)
+    return '' if str.blank?
 
-    @status.text.dup.tap do |new_text|
-      new_text.gsub!(FetchLinkCardService::URL_PATTERN, URL_PLACEHOLDER)
-      new_text.gsub!(Account::MENTION_RE, '@\2')
+    # To ensure that we only give length concessions to entities that
+    # will be correctly parsed during formatting, we go through full
+    # entity extraction
+
+    entities = Extractor.remove_overlapping_entities(Extractor.extract_urls_with_indices(str, extract_url_without_protocol: false) + Extractor.extract_mentions_or_lists_with_indices(str))
+
+    rewrite_entities(str, entities) do |entity|
+      if entity[:url]
+        URL_PLACEHOLDER
+      elsif entity[:screen_name]
+        "@#{entity[:screen_name].split('@').first}"
+      end
     end
   end
+
+  def rewrite_entities(str, entities)
+    entities.sort_by! { |entity| entity[:indices].first }
+    result = ''.dup
+
+    last_index = entities.reduce(0) do |index, entity|
+      result << str[index...entity[:indices].first]
+      result << yield(entity)
+      entity[:indices].last
+    end
+
+    result << str[last_index..-1]
+    result
+  end
 end
diff --git a/spec/validators/status_length_validator_spec.rb b/spec/validators/status_length_validator_spec.rb
index bef3f29f5..db9c728a8 100644
--- a/spec/validators/status_length_validator_spec.rb
+++ b/spec/validators/status_length_validator_spec.rb
@@ -50,6 +50,13 @@ describe StatusLengthValidator do
       expect(status.errors).to have_received(:add)
     end
 
+    it 'does not count overly long URLs as 23 characters flat' do
+      text = "http://example.com/valid?#{'#foo?' * 1000}"
+      status = double(spoiler_text: '', text: text, errors: double(add: nil), local?: true, reblog?: false)
+      subject.validate(status)
+      expect(status.errors).to have_received(:add)
+    end
+
     it 'counts only the front part of remote usernames' do
       text   = ('a' * 475) + " @alice@#{'b' * 30}.com"
       status = double(spoiler_text: '', text: text, errors: double(add: nil), local?: true, reblog?: false)
@@ -57,5 +64,13 @@ describe StatusLengthValidator do
       subject.validate(status)
       expect(status.errors).to_not have_received(:add)
     end
+
+    it 'does count both parts of remote usernames for overly long domains' do
+      text   = "@alice@#{'b' * 500}.com"
+      status = double(spoiler_text: '', text: text, errors: double(add: nil), local?: true, reblog?: false)
+
+      subject.validate(status)
+      expect(status.errors).to have_received(:add)
+    end
   end
 end

From 8c7223f4eac80b5725485be742d3fa2c984f4670 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Wed, 30 Mar 2022 14:52:37 +0200
Subject: [PATCH 4/4] Bump version to 3.5.0 (#17911)

---
 CHANGELOG.md            | 7 ++++++-
 lib/mastodon/version.rb | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0305d148..dd0ccc5f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,7 @@ Changelog
 
 All notable changes to this project will be documented in this file.
 
-## Unreleased
+## [3.5.0] - 2022-03-30
 ### Added
 
 - **Add support for incoming edited posts** ([Gargron](https://github.com/mastodon/mastodon/pull/16697), [Gargron](https://github.com/mastodon/mastodon/pull/17727), [Gargron](https://github.com/mastodon/mastodon/pull/17728), [Gargron](https://github.com/mastodon/mastodon/pull/17320), [Gargron](https://github.com/mastodon/mastodon/pull/17404), [Gargron](https://github.com/mastodon/mastodon/pull/17390), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17335), [Gargron](https://github.com/mastodon/mastodon/pull/17696), [Gargron](https://github.com/mastodon/mastodon/pull/17745), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17740), [Gargron](https://github.com/mastodon/mastodon/pull/17697), [Gargron](https://github.com/mastodon/mastodon/pull/17648), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17531), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17499), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17498), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17380), [Gargron](https://github.com/mastodon/mastodon/pull/17373), [Gargron](https://github.com/mastodon/mastodon/pull/17334), [Gargron](https://github.com/mastodon/mastodon/pull/17333), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17699), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17748))
@@ -197,6 +197,11 @@ All notable changes to this project will be documented in this file.
 - Fix hashtag autocomplete overriding user-typed case ([weex](https://github.com/mastodon/mastodon/pull/16460))
 - Fix WebAuthn authentication setup to not prompt for PIN ([truongnmt](https://github.com/mastodon/mastodon/pull/16545))
 
+### Security
+
+- Fix being able to post URLs longer than 4096 characters ([Gargron](https://github.com/mastodon/mastodon/pull/17908))
+- Fix being able to bypass e-mail restrictions ([Gargron](https://github.com/mastodon/mastodon/pull/17909))
+
 ## [3.4.6] - 2022-02-03
 ### Fixed
 
diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
index b1bd692a5..256a3d3b7 100644
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@@ -17,7 +17,7 @@ module Mastodon
     end
 
     def flags
-      'rc3'
+      ''
     end
 
     def suffix