Merge develop 2025-03-07

CHANGELOG.md

@@ -4,6 +4,33 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## 2.9.0
+
+### Security
+- Require HTTP signatures (if enabled) for routes used by both C2S and S2S AP API
+- Fix several spoofing vectors
+
+### Changed
+- Performance: Use 301 (permanent) redirect instead of 302 (temporary) when redirecting small images in media proxy. This allows browsers to cache the redirect response. 
+
+### Added
+- Include "published" in actor view
+- Link to exported outbox/followers/following collections in backup actor.json
+- Hashtag following
+- Allow to specify post language
+
+### Fixed
+- Verify a local Update sent through AP C2S so users can only update their own objects
+- Fix Mastodon incoming edits with inlined "likes"
+- Allow incoming "Listen" activities
+- Fix missing check for domain presence in rich media ignore_host configuration
+- Fix Rich Media parsing of TwitterCards/OpenGraph to adhere to the spec and always choose the first image if multiple are provided.
+- Fix OpenGraph/TwitterCard meta tag ordering for posts with multiple attachments
+- Fix blurhash generation crashes
+
+### Removed
+- Retire MRFs DNSRBL, FODirectReply, and QuietReply
+
 ## 2.8.0
 
 ### Changed

changelog.d/pl-fe.change

@@ -0,0 +1 @@
+Include `pl-fe` in available frontends

config/config.exs

@@ -150,7 +150,10 @@ config :mime, :types, %{
   "application/xrd+xml" => ["xrd+xml"],
   "application/jrd+json" => ["jrd+json"],
   "application/activity+json" => ["activity+json"],
-  "application/ld+json" => ["activity+json"]
+  "application/ld+json" => ["activity+json"],
+  # Can be removed when bumping MIME past 2.0.5
+  # see https://akkoma.dev/AkkomaGang/akkoma/issues/657
+  "image/apng" => ["apng"]
 }
 
 config :tesla, adapter: Tesla.Adapter.Hackney
@@ -359,7 +362,8 @@ config :pleroma, :activitypub,
   follow_handshake_timeout: 500,
   note_replies_output_limit: 5,
   sign_object_fetches: true,
-  authorized_fetch_mode: false
+  authorized_fetch_mode: false,
+  client_api_enabled: false
 
 config :pleroma, :streamer,
   workers: 3,
@@ -413,11 +417,6 @@ config :pleroma, :mrf_vocabulary,
   accept: [],
   reject: []
 
-config :pleroma, :mrf_dnsrbl,
-  nameserver: "127.0.0.1",
-  port: 53,
-  zone: "bl.pleroma.com"
-
 # threshold of 7 days
 config :pleroma, :mrf_object_age,
   threshold: 604_800,
@@ -807,6 +806,13 @@ config :pleroma, :frontends,
         "https://lily-is.land/infra/glitch-lily/-/jobs/artifacts/${ref}/download?job=build",
       "ref" => "servant",
       "build_dir" => "public"
+    },
+    "pl-fe" => %{
+      "name" => "pl-fe",
+      "git" => "https://github.com/mkljczk/pl-fe",
+      "build_url" => "https://pl.mkljczk.pl/pl-fe.zip",
+      "ref" => "develop",
+      "build_dir" => "."
     }
   }
 

config/description.exs

@@ -1772,6 +1772,11 @@ config :pleroma, :config_description, [
         type: :integer,
         description: "Following handshake timeout",
         suggestions: [500]
+      },
+      %{
+        key: :client_api_enabled,
+        type: :boolean,
+        description: "Allow client to server ActivityPub interactions"
       }
     ]
   },

config/test.exs

@@ -38,7 +38,10 @@ config :pleroma, :instance,
   external_user_synchronization: false,
   static_dir: "test/instance_static/"
 
-config :pleroma, :activitypub, sign_object_fetches: false, follow_handshake_timeout: 0
+config :pleroma, :activitypub,
+  sign_object_fetches: false,
+  follow_handshake_timeout: 0,
+  client_api_enabled: true
 
 # Configure your database
 config :pleroma, Pleroma.Repo,

docs/configuration/cheatsheet.md

@@ -98,7 +98,7 @@ To add configuration to your config file, you can copy it from the base config.
 * `moderator_privileges`: A list of privileges a moderator has (e.g. delete messages, manage reports...)
     * Possible values are the same as for `admin_privileges`
 
-## :database
+## :features
 * `improved_hashtag_timeline`: Setting to force toggle / force disable improved hashtags timeline. `:enabled` forces hashtags to be fetched from `hashtags` table for hashtags timeline. `:disabled` forces object-embedded hashtags to be used (slower). Keep it `:auto` for automatic behaviour (it is auto-set to `:enabled` [unless overridden] when HashtagsTableMigrator completes).
 
 ## Background migrations

lib/mix/tasks/pleroma/emoji.ex

@@ -93,6 +93,7 @@ defmodule Mix.Tasks.Pleroma.Emoji do
         )
 
         files = fetch_and_decode!(files_loc)
+        files_to_unzip = for({_, f} <- files, do: f)
 
         IO.puts(IO.ANSI.format(["Unpacking ", :bright, pack_name]))
 
@@ -103,17 +104,7 @@ defmodule Mix.Tasks.Pleroma.Emoji do
             pack_name
           ])
 
-        files_to_unzip =
-          Enum.map(
-            files,
-            fn {_, f} -> to_charlist(f) end
-          )
-
-        {:ok, _} =
-          :zip.unzip(binary_archive,
-            cwd: String.to_charlist(pack_path),
-            file_list: files_to_unzip
-          )
+        {:ok, _} = Pleroma.SafeZip.unzip_data(binary_archive, pack_path, files_to_unzip)
 
         IO.puts(IO.ANSI.format(["Writing pack.json for ", :bright, pack_name]))
 
@@ -201,7 +192,7 @@ defmodule Mix.Tasks.Pleroma.Emoji do
 
     tmp_pack_dir = Path.join(System.tmp_dir!(), "emoji-pack-#{name}")
 
-    {:ok, _} = :zip.unzip(binary_archive, cwd: String.to_charlist(tmp_pack_dir))
+    {:ok, _} = Pleroma.SafeZip.unzip_data(binary_archive, tmp_pack_dir)
 
     emoji_map = Pleroma.Emoji.Loader.make_shortcode_to_file_map(tmp_pack_dir, exts)
 

lib/pleroma/constants.ex

@@ -20,7 +20,8 @@ defmodule Pleroma.Constants do
       "deleted_activity_id",
       "pleroma_internal",
       "generator",
-      "rules"
+      "rules",
+      "language"
     ]
   )
 
@@ -36,10 +37,12 @@ defmodule Pleroma.Constants do
       "updated",
       "emoji",
       "content",
+      "contentMap",
       "summary",
       "sensitive",
       "attachment",
-      "generator"
+      "generator",
+      "language"
     ]
   )
 
@@ -100,7 +103,8 @@ defmodule Pleroma.Constants do
       "Announce",
       "Undo",
       "Flag",
-      "EmojiReact"
+      "EmojiReact",
+      "Listen"
     ]
   )
 

lib/pleroma/ecto_type/activity_pub/object_validators/content_language_map.ex

@@ -0,0 +1,49 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2023 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.EctoType.ActivityPub.ObjectValidators.ContentLanguageMap do
+  use Ecto.Type
+
+  import Pleroma.EctoType.ActivityPub.ObjectValidators.LanguageCode,
+    only: [good_locale_code?: 1]
+
+  def type, do: :map
+
+  def cast(%{} = object) do
+    with {status, %{} = data} when status in [:modified, :ok] <- validate_map(object) do
+      {:ok, data}
+    else
+      {_, nil} -> {:ok, nil}
+      {:error, _} -> :error
+    end
+  end
+
+  def cast(_), do: :error
+
+  def dump(data), do: {:ok, data}
+
+  def load(data), do: {:ok, data}
+
+  defp validate_map(%{} = object) do
+    {status, data} =
+      object
+      |> Enum.reduce({:ok, %{}}, fn
+        {lang, value}, {status, acc} when is_binary(lang) and is_binary(value) ->
+          if good_locale_code?(lang) do
+            {status, Map.put(acc, lang, value)}
+          else
+            {:modified, acc}
+          end
+
+        _, {_status, acc} ->
+          {:modified, acc}
+      end)
+
+    if data == %{} do
+      {status, nil}
+    else
+      {status, data}
+    end
+  end
+end

lib/pleroma/ecto_type/activity_pub/object_validators/language_code.ex

@@ -0,0 +1,27 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2023 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.EctoType.ActivityPub.ObjectValidators.LanguageCode do
+  use Ecto.Type
+
+  def type, do: :string
+
+  def cast(language) when is_binary(language) do
+    if good_locale_code?(language) do
+      {:ok, language}
+    else
+      {:error, :invalid_language}
+    end
+  end
+
+  def cast(_), do: :error
+
+  def dump(data), do: {:ok, data}
+
+  def load(data), do: {:ok, data}
+
+  def good_locale_code?(code) when is_binary(code), do: code =~ ~r<^[a-zA-Z0-9\-]+\z$>
+
+  def good_locale_code?(_code), do: false
+end