Commit Graph

18418 Commits

Author SHA1 Message Date
Alexei Sorokin
7d7dbe627b [AuthCrypt] Password storage and comparison improvements
Password hashes are now stored in a TEXT attribute, not limited to 199 symbols.
That limitation makes no sense as password hashes are not the kind of
information to be indexed.

Actually replace crypt() with password_verify() for password checking, current
code left password_verify() unused.

Only update passwords when they use a different algorithm from the current
default. Previously "overwrite" meant rehashing every login.

Replace the "argon" boolean option with "algorithm" and "algorithm_options" for
better configurability.
The default remains whichever is default for PHP's password_hash.
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
c85feeaa1f [AuthCrypt] Update README and fix formatting 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
360fc0262b [MODULES] Make settings great again
Plugin main class doesn't use this construct despite extending this class.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
2d3ec87ea4 [Profile][User_group] Fix profile deletion violating foreign keys 2021-07-16 19:44:37 +01:00
Alexei Sorokin
a719684c6c [Favorite] Properly trigger DisfavorNotice on profile deletion 2021-07-16 19:44:37 +01:00
Alexei Sorokin
182f94cf6f [DATABASE][MariaDB] Fix index changes with foreign keys enabled 2021-07-16 19:44:37 +01:00
Alexei Sorokin
9ec1b667c0 [DATABASE][Schema_version] Change the hashing algorithm to SHA3-512 2021-07-16 19:44:37 +01:00
Alexei Sorokin
65b6a924bd [DATABASE] Make unprefixed schema.php a bit more DBMS-neutral 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
452f05512f [ActivityPub][Explorer] More robust exception handler for invalid remote answers 2021-07-16 19:44:37 +01:00
Alexei Sorokin
b79d97c4e1 [RemoteFollow] Fix location display 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
2894eb9ed2 [MEDIA] Fix headers when using x-static-delivery 2021-07-16 19:44:37 +01:00
Alexei Sorokin
8b5be9fe1b [LRDD] Fix unhandled bad data in HostMeta, LinkHTML and WebFinger 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
7022d85b93 [ActivityPub][AProfile] Complete strict typing 2021-07-16 19:44:37 +01:00
Alexei Sorokin
e902a9bdfc [DATABASE] Check SQL boolean values with "IS TRUE"
This way UNKNOWN (NULL) explicitly turns to FALSE when three-valued logic is
reduced to binary.
In pgsqlschema, however, use "IS FALSE" as boolean attributes in pg_index are
non-nullable, there is no outer join and there's no clear preference for NULL
reduction.

Over-complicated constructions in TagCloud queries have been simplified, which
should not affect their performance.

Additionally, in TagCloud's lib/subscriptionspeopleselftagcloudsection.php
a typing mistake in an equi-join of "profile_tag" and "profile_list" on
"tagger" was fixed.
That regression was introduced in f446db8e2a
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
a996ac797a [UserFlag] Fix type of onUserRightsCheck 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
e046d4faa5 [UserFlag] Increase strict typing of main file
Run php-cs-fixer
Correct case of class name onDeleteRelated event handlers
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
235122280d [ActivityPub] Increase type strictness on Explorer 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
05790c124c [ActivityPub] Fix wrong type handling on AProfile:update_profile 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
f1b3db8e59 [Bookmark] Fix misuse of XMLOutputter
Argument 3 passed to htmloutputter::input() must be of the type string or null, array given, called in /srv/gnusocial/plugins/Bookmark/forms/bookmark.php on line 166
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
80a4811539 [ExtendedProfile] Fix misuse of XMLOutputter
Argument 1 passed to xmloutputter::text() must be of the type string, null given, called in /srv/gnusocial/plugins/ExtendedProfile/lib/extendedprofilewidget.php on line 556
2021-07-16 19:44:37 +01:00
Hugo Sales
58af4799ee [NOTICE][UI] Fix bug: Option to message "Everyone at site" when using private instance 2021-07-16 19:44:37 +01:00
Alexei Sorokin
af0ec1380e [DOCUMENTATION] Adapt the nginx config for avatars located in /file 2021-07-16 19:44:37 +01:00
Alexei Sorokin
9ba9006014 [CORE] Avoid materialisation in the TaggedProfileNoticeStream query
This is analogous to c862589dcf
2021-07-16 19:44:37 +01:00
Alexei Sorokin
e3f1667b47 [NOTICE] Update index for verbs in ProfileNoticeStream
After adding a verb condition there, MariaDB now prefers the
("created", "id", "is_local") and ("profile_id", "verb", "created", "id")
indices for that query, even though they are slow for the job.
So replace them with ("is_local", "created", "id") and
("profile_id", "verb", "created", "id") respectively.
Also fix the naming of the ("profile_id", "created", "id") index.
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
b5180d6096 [ActivityPub] Fix bug introduced with 4d171b27
Too few arguments to function Activitypub_notice::create_notice()
2021-07-16 19:44:37 +01:00
Alexei Sorokin
c461030066 [RedisCache] Catch string return type from Predis\Client::setex 2021-07-16 19:44:37 +01:00
Alexei Sorokin
c50f16ba58 [CORE] Do not set "confirm_address"."user_id" to 0 by default
That breaks the foreign key constraint, it is better to just have it nullable.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
cbb83a9752 [NOTICES] Revert "We want the profile stream to be as raw as possible!"
There are only three possible visible notice verbs: POST, SHARE and DELETE.
What including all verbs does is it makes limiting (FETCH FIRST) unreliable as
the query will fetch invisible stuff (like favourites) and count it in, but
nothing will be displayed.
NoticeStream only allows POST and SHARE, so this effectively removes tombstones
from the profile page like in 78a111b57d
2021-07-16 19:44:37 +01:00
Alexei Sorokin
eb647f15a7 [NOTICES] Fix InboxNoticeStream caching
Introduce a new property in CachingNoticeStream for always checking if there
are any new elements in the stream.
It would be extremely hard to blow InboxNoticeStream, so instead the database
hit will still occur, but it is be much faster than starting fresh.

This fixes a regression introduced in 36a55d8436
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
8ec2af0020 [TheFreeNetwork] Fix small logic issue regarding StartTFNLookup return 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
d81e795cc0 [ActivityPub][SCRIPTS] Make update profiles work with an uri 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
4bbfb2dd56 [ActivityPub][QUEUES] Add Like, Undo and Delete 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
2b4aaca14a [ActivityPub][INBOX][Delete] Fix misconceptions
References:
- https://socialhub.activitypub.rocks/t/the-delete-activity-and-its-misconceptions/137
- https://socialhub.activitypub.rocks/t/the-update-activity-more-than-caching/260
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
64108aa51d [ActivityPub][NOTE] Do not extract actor from attributedTo
There was no checking of attributedTo, actors and referent object IDs to make
sure they exist in the same domain. Therefore, one could spoof messages from
people by doing attributedTo: whoever-i-want-to-spoof
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
9f4c4edb02 [ActivityPub][Ostatus] Fetch avatars in accordance to the new media system 2021-07-16 19:44:37 +01:00
Alexei Sorokin
e9d1c5593d [CORE] Avoid materialisation in the TagNoticeStream query
The notice.created sort forced the notice_tag by notice join plain to employ
materialisation, which can have a serious performance penalty depending on the
size of the database.
Sort by notice_tag.created instead, which should be exactly the same.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
d3e63bbac0 [CORE] Avoid the old "reply" relation in inboxnoticestream
All verbs for not visible notices are filtered out, so this should not
break the timeline.
Additionally, filter by profile outside of the derived relation as that shows
better performance in PostgreSQL and MariaDB both.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
819ece93aa Revert "FullNoticeStream selects all verbs"
It appears this was added to display "tombstones" of deleted notices.
However, it has other side-effects and the concept of keeping them visible has
not been adopted by the wider fediverse.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
26115482ef [SCHEMA] Improve timestamp storage
Avoid the use of deprecated MariaDB "zero dates" globally. If they're present
as attribute defaults somewhere, they will be replaced with NULL implicitly.
The existing "zero dates" in MariaDB storage will be left intact and this
should not present any issues.

The "timestamp" type in table definitions now corresponds to DATETIME in
MariaDB with "DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP", which
should be close enough to the original behaviour for compatibility purposes.
It is now the recommended type for "modified" attributes, because of the
update trigger on MariaDB. But there is no such trigger implemented on
PostgreSQL as of this moment.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
eb993df072 [DATABASE] Fix MariaDB schema verification 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
32a7cd6458 [ActivityPub][HTTPSignatures] Fix verify 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
78f0ab022c [ActivityPub][Inbox] Signature verification after Actor update would always fail 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
f93d8694c3 [AVATAR] Ensure this Action stays secure 2021-07-16 19:44:37 +01:00
Hugo Sales
ff75bb796b [MEDIA] Move AttachmentAction::sendFile to common_send_file
This fixed the wrong content type and status code returned by the Avatar action
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
c7e1352618 [ActivityPub][Inbox] With PHP 7.3 we don't need get_all_headers workaround anymore
Furthermore, it was broken on Apache2 because the actual function
doesn't put the resulting array's key in lowercase.
2021-07-16 19:44:37 +01:00
Alexei Sorokin
ad6955e7ff [Memcached_DataObject] Check if it is possible to sort efficiently 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
25f67a1ce9 [ActivityPub][Inbox] get_all_headers was nginx only 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
bc1af78bf7 [TESTS] Move AcceptHeader from ActivityPub plugin to Core
Delete temporary ActivityPub tests (they were to be deleted long ago)
2021-07-16 19:44:37 +01:00
Diogo Cordeiro
8c2d87b3b8 [ExtendedProfile] Fix XML type bug 2021-07-16 19:44:37 +01:00
Diogo Cordeiro
81d50c4ec3 [FORMAT] Run php-cs-fixer on tests/ 2021-07-16 19:44:37 +01:00