Merge branch 'develop' into phoenix1.7

2023-11-07 16:05:04 -05:00 · 2023-11-07 16:05:04 -05:00 · a0e08c6ec2
commit a0e08c6ec2
parent 63ef1dcedc 11c520607f
251 changed files with 6494 additions and 1976 deletions
--- a/changelog.d/2.6.0-mergeback.skip
+++ b/changelog.d/2.6.0-mergeback.skip
--- a/changelog.d/3126.fix
+++ b/changelog.d/3126.fix
@ -1 +0,0 @@
-MediaProxy responses now return a sandbox CSP header
--- a/changelog.d/3831.skip
+++ b/changelog.d/3831.skip
--- a/changelog.d/3848.add
+++ b/changelog.d/3848.add
@ -1 +0,0 @@
-Add OAuth scope descriptions
--- a/changelog.d/3870.skip
+++ b/changelog.d/3870.skip
--- a/changelog.d/3872.remove
+++ b/changelog.d/3872.remove
@ -1 +0,0 @@
-remove BBS/SSH feature, replaced by an external bridge.
--- a/changelog.d/3873.fix
+++ b/changelog.d/3873.fix
@ -1 +0,0 @@
-UploadedMedia: Add missing disposition_type to Content-Disposition
--- a/changelog.d/3876.skip
+++ b/changelog.d/3876.skip
--- a/changelog.d/3877.skip
+++ b/changelog.d/3877.skip
--- a/changelog.d/3878.skip
+++ b/changelog.d/3878.skip
--- a/changelog.d/3882.add
+++ b/changelog.d/3882.add
@ -1 +0,0 @@
-Allow lang attribute in status text
--- a/changelog.d/3883.fix
+++ b/changelog.d/3883.fix
@ -1 +0,0 @@
-Fix abnormal behaviour when refetching a poll
--- a/changelog.d/3891.fix
+++ b/changelog.d/3891.fix
@ -1 +0,0 @@
-OEmbed HTML tags are now filtered
--- a/changelog.d/3893.skip
+++ b/changelog.d/3893.skip
--- a/changelog.d/3896.add
+++ b/changelog.d/3896.add
@ -1 +0,0 @@
-Validate Host header for MediaProxy and Uploads and return a 302 if the base_url has changed
--- a/changelog.d/3897.add
+++ b/changelog.d/3897.add
@ -1 +0,0 @@
-OnlyMedia Upload Filter
--- a/changelog.d/3899.skip
+++ b/changelog.d/3899.skip
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ b/changelog.d/akkoma-xml-remote-entities.security
@ -0,0 +1 @@
+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
--- a/changelog.d/changelog-improve.skip
+++ b/changelog.d/changelog-improve.skip
--- a/changelog.d/check-attachment-attribution.security
+++ b/changelog.d/check-attachment-attribution.security
@ -0,0 +1 @@
+CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
--- a/changelog.d/digest_emails.fix
+++ b/changelog.d/digest_emails.fix
@ -0,0 +1 @@
+Fix the processing of email digest jobs.
--- a/changelog.d/emoji-pack-sanitization.security
+++ b/changelog.d/emoji-pack-sanitization.security
@ -0,0 +1 @@
+Emoji pack loader sanitizes pack names
--- a/changelog.d/fix-object-test.fix
+++ b/changelog.d/fix-object-test.fix
@ -1 +0,0 @@
-Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty
--- a/changelog.d/otp_perms.security
+++ b/changelog.d/otp_perms.security
@ -0,0 +1 @@
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
				`@ -1 +0,0 @@`
				`MediaProxy responses now return a sandbox CSP header`
				`@ -1 +0,0 @@`
				`remove BBS/SSH feature, replaced by an external bridge.`
				`@ -1 +0,0 @@`
				`UploadedMedia: Add missing disposition_type to Content-Disposition`
				`@ -1 +0,0 @@`
				`Fix abnormal behaviour when refetching a poll`
				`@ -1 +0,0 @@`
				`Validate Host header for MediaProxy and Uploads and return a 302 if the base_url has changed`
				`@ -0,0 +1 @@`
				`Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem`
				`@ -0,0 +1 @@`
				`CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID`
				`@ -1 +0,0 @@`
				`Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty`
				`@ -0,0 +1 @@`
				`- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories`