Merge branch 'main' of https://github.com/glitch-soc/mastodon

Author: TheEssem

.simplecov

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-SimpleCov.start 'rails' do
+SimpleCov.configure do
   # During parallel runs, ensure unique names for post-run merge
   command_name "job-#{ENV['TEST_ENV_NUMBER']}" if ENV['TEST_ENV_NUMBER']
 

CHANGELOG.md

@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.5.11] - 2026-06-03
+
+### Security
+
+- Fix allowed attribution domains spoofing ([GHSA-rwcw-vq68-g34p](https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p))
+- Fix uncaught exception in message sanitization causing Denial of Service ([GHSA-qrgq-9fx2-vf2r](https://github.com/mastodon/mastodon/security/advisories/GHSA-qrgq-9fx2-vf2r))
+- Update dependencies
+
+### Fixed
+
+- Fix remote statuses with large media descriptions being rejected (#39135 by @ClearlyClaire)
+
 ## [4.5.10] - 2026-05-20
 
 ### Security

Gemfile

@@ -45,7 +45,7 @@ gem 'omniauth-saml', '~> 2.0'
 
 gem 'color_diff', '~> 0.1'
 gem 'csv', '~> 3.2'
-gem 'discard', '~> 1.2'
+gem 'discard', '~> 2.0'
 gem 'doorkeeper', '~> 5.6'
 gem 'faraday-httpclient'
 gem 'fast_blank', '~> 1.0'
@@ -231,6 +231,6 @@ gem 'hcaptcha', '~> 7.1'
 
 gem 'mail', '~> 2.8'
 
-gem 'vite_rails', '~> 3.0.19'
+gem 'vite_rails'
 
 gem 'prism'

Gemfile.lock

@@ -107,7 +107,7 @@ GEM
     ast (2.4.3)
     attr_required (1.0.2)
     aws-eventstream (1.4.0)
-    aws-partitions (1.1254.0)
+    aws-partitions (1.1255.0)
     aws-sdk-core (3.250.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
@@ -116,11 +116,11 @@ GEM
       bigdecimal
       jmespath (~> 1, >= 1.6.1)
       logger
-    aws-sdk-kms (1.125.0)
-      aws-sdk-core (~> 3, >= 3.247.0)
+    aws-sdk-kms (1.128.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.222.0)
-      aws-sdk-core (~> 3, >= 3.247.0)
+    aws-sdk-s3 (1.224.0)
+      aws-sdk-core (~> 3, >= 3.248.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
     aws-sigv4 (1.12.1)
@@ -213,8 +213,8 @@ GEM
       devise (>= 4.0.0)
       rpam2 (~> 4.0)
     diff-lcs (1.6.2)
-    discard (1.4.0)
-      activerecord (>= 4.2, < 9.0)
+    discard (2.0.0)
+      activerecord (>= 7.0, < 9.0)
     docile (1.4.1)
     domain_name (0.6.20240107)
     doorkeeper (5.9.0)
@@ -362,7 +362,7 @@ GEM
       azure-blob (~> 0.5.2)
       hashie (~> 5.0)
     jmespath (1.6.2)
-    json (2.19.5)
+    json (2.19.7)
     json-canonicalization (1.0.0)
     json-jwt (1.17.0)
       activesupport (>= 4.2)
@@ -655,7 +655,7 @@ GEM
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
-    rack-proxy (0.7.7)
+    rack-proxy (0.8.2)
       rack
     rack-session (2.1.2)
       base64 (>= 0.1.0)
@@ -763,7 +763,7 @@ GEM
       rspec-mocks (~> 3.0)
       sidekiq (>= 5, < 9)
     rspec-support (3.13.7)
-    rubocop (1.86.2)
+    rubocop (1.87.0)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -787,7 +787,7 @@ GEM
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.47.1, < 2.0)
-    rubocop-rails (2.35.2)
+    rubocop-rails (2.35.3)
       activesupport (>= 4.2.0)
       lint_roller (~> 1.1)
       rack (>= 1.1)
@@ -810,7 +810,7 @@ GEM
     ruby-vips (2.3.0)
       ffi (~> 1.12)
       logger
-    rubyzip (3.3.0)
+    rubyzip (3.3.1)
     rufus-scheduler (3.9.2)
       fugit (~> 1.1, >= 1.11.1)
     safety_net_attestation (0.5.0)
@@ -909,7 +909,7 @@ GEM
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
-    vite_rails (3.0.20)
+    vite_rails (3.11.0)
       railties (>= 5.1, < 9)
       vite_ruby (~> 3.0, >= 3.2.2)
     vite_ruby (3.10.2)
@@ -945,7 +945,7 @@ GEM
     xorcist (1.1.3)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.7.5)
+    zeitwerk (2.8.2)
 
 PLATFORMS
   ruby
@@ -978,7 +978,7 @@ DEPENDENCIES
   devise
   devise-two-factor
   devise_pam_authenticatable2 (~> 9.2)
-  discard (~> 1.2)
+  discard (~> 2.0)
   doorkeeper (~> 5.6)
   dotenv
   fabrication
@@ -1099,7 +1099,7 @@ DEPENDENCIES
   tty-prompt (~> 0.23)
   twitter-text (~> 3.1.0)
   tzinfo-data (~> 1.2023)
-  vite_rails (~> 3.0.19)
+  vite_rails
   webauthn (~> 3.0)
   webmock (~> 3.18)
   webpush!

app/controllers/admin/custom_emojis_controller.rb

@@ -5,9 +5,6 @@ class CustomEmojisController < BaseController
     def index
       authorize :custom_emoji, :index?
 
-      # If filtering by local emojis, remove by_domain filter.
-      params.delete(:by_domain) if params[:local].present?
-
       # If filtering by domain, ensure remote filter is set.
       if params[:by_domain].present?
         params.delete(:local)

app/controllers/concerns/settings/export_controller_concern.rb

@@ -19,15 +19,12 @@ def load_export
 
   def send_export_file
     respond_to do |format|
-      format.csv { send_data export_data, filename: export_filename }
+      format.csv { send_data export_data, filename: "#{controller_name}.csv" }
+      format.json { send_data export_data, filename: "#{controller_name}.json" }
     end
   end
 
   def export_data
     raise 'Override in controller'
   end
-
-  def export_filename
-    "#{controller_name}.csv"
-  end
 end

app/controllers/concerns/signature_verification.rb

@@ -157,7 +157,7 @@ def keypair_refresh_key!(keypair)
   end
 
   def check_keypair_validity!(keypair)
-    raise Mastodon::SignatureVerification, "Key #{signature_key_id} is revoked" if keypair.revoked?
-    raise Mastodon::SignatureVerification, "Key #{signature_key_id} has expired" if keypair.expired?
+    raise Mastodon::SignatureVerificationError, "Key #{signature_key_id} is revoked" if keypair.revoked?
+    raise Mastodon::SignatureVerificationError, "Key #{signature_key_id} has expired" if keypair.expired?
   end
 end

app/controllers/settings/exports/custom_filters_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Settings
+  module Exports
+    class CustomFiltersController < BaseController
+      include Settings::ExportControllerConcern
+
+      def index
+        send_export_file
+      end
+
+      private
+
+      def export_data
+        @export.to_custom_filters_json
+      end
+    end
+  end
+end

app/helpers/context_helper.rb

@@ -27,7 +27,7 @@ module ContextHelper
     memorial: { 'toot' => 'http://joinmastodon.org/ns#', 'memorial' => 'toot:memorial' },
     voters_count: { 'toot' => 'http://joinmastodon.org/ns#', 'votersCount' => 'toot:votersCount' },
     suspended: { 'toot' => 'http://joinmastodon.org/ns#', 'suspended' => 'toot:suspended' },
-    attribution_domains: { 'toot' => 'http://joinmastodon.org/ns#', 'attributionDomains' => { '@id' => 'toot:attributionDomains', '@type' => '@id' } },
+    attribution_domains: { 'toot' => 'http://joinmastodon.org/ns#', 'attributionDomains' => { '@id' => 'toot:attributionDomains', '@container' => '@set' } },
     profile_settings: {
       'toot' => 'http://joinmastodon.org/ns#',
       'showFeatured' => 'toot:showFeatured',

app/javascript/flavours/glitch/components/empty_state/empty_state.module.scss

@@ -13,7 +13,7 @@
 .content {
   max-width: 370px;
 
-  :where(svg, img) {
+  > :where(svg, img) {
     width: 200px;
     aspect-ratio: 1;
     object-fit: contain;