Your self-hosted, globally interconnected microblogging community
Eugen Rochko 21ad21cb50
Improve signature verification safeguards (#8959)
* Downcase signed_headers string before building the signed string

The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.

Thankfully, I don't know of any such client.

* Revert "Remove dead code (#8919)"

This reverts commit a00ce8c92c.

* Restore time window checking, change it to 12 hours

By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.

* Escape users' URLs when formatting them

Fixes possible HTML injection

* Escape all string interpolations in Formatter class

Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls

* Fix code style issues
6 years ago
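The two signature safeguards described in the commit message above, written as an added example for this page rather than code taken from the Mastodon repository: the `SignatureCheck` module and its method names are assumptions, and the request and header values used with it are constructed.

```ruby
require 'time'
require 'digest'

# Added example (not Mastodon's code) of the safeguards described in the
# commit message: the "headers" parameter of the Signature header is
# downcased before the signed string is built, the Date header must fall
# inside a 12-hour window, and the Digest header is compared to the body.
module SignatureCheck
  TIME_WINDOW = 12 * 60 * 60 # seconds, matching the commit's 12-hour window

  # headers_param: the "headers" field of the Signature header, any case.
  # request: { method:, path:, headers: } with header names in any case.
  def self.build_signed_string(headers_param, request)
    # Lowercase the request's header names so "Digest" and "digest" collide.
    lowered = request[:headers].transform_keys { |k| k.to_s.downcase }

    headers_param.downcase.split(' ').map do |name|
      if name == '(request-target)'
        "(request-target): #{request[:method].downcase} #{request[:path]}"
      else
        raise ArgumentError, "missing signed header #{name}" unless lowered.key?(name)
        "#{name}: #{lowered[name]}"
      end
    end.join("\n")
  end

  # True when the Date header parses and lies within TIME_WINDOW of now,
  # which rejects replays of old signed requests.
  def self.date_within_window?(date_header, now: Time.now)
    (Time.httpdate(date_header) - now).abs <= TIME_WINDOW
  rescue ArgumentError
    false
  end

  # True when a "SHA-256=<base64>" Digest header matches the request body.
  def self.digest_matches?(digest_header, body)
    algo, value = digest_header.to_s.split('=', 2)
    return false unless algo&.casecmp?('SHA-256')
    value == Digest::SHA256.base64digest(body)
  end
end
```

With the downcasing in place, a client that signs `Digest` and one that signs `digest` both produce the same signed string, so the Digest line is actually covered by the signature for both.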
.circleci
.github
app Improve signature verification safeguards (#8959) 6 years ago
bin
config Set Content-Security-Policy rules through RoR's config (#8957) 6 years ago
db
dist
lib Bump version to 2.5.1 (#8953) 6 years ago
log
nanobox
public
spec Improve signature verification safeguards (#8959) 6 years ago
streaming Add check for missing tag param in streaming API (#8955) 6 years ago
vendor/assets
.buildpacks
.codeclimate.yml
.dockerignore
.editorconfig
.env.nanobox
.env.production.sample
.env.test
.env.vagrant
.eslintignore
.eslintrc.yml
.foreman
.gitattributes
.gitignore
.haml-lint.yml
.nanoignore
.nvmrc
.postcssrc.yml
.profile
.rspec
.rubocop.yml
.ruby-version
.scss-lint.yml
.slugignore
.yarnclean
AUTHORS.md
Aptfile
CHANGELOG.md Bump version to 2.5.1 (#8953) 6 years ago
CODE_OF_CONDUCT.md
CONTRIBUTING.md
Capfile
Dockerfile
Gemfile Bump better_errors from 2.4.0 to 2.5.0 (#8946) 6 years ago
Gemfile.lock Bump doorkeeper from 5.0.0 to 5.0.1 (#8954) 6 years ago
LICENSE
Procfile
Procfile.dev
README.md
Rakefile
Vagrantfile
app.json
babel.config.js
boxfile.yml
config.ru
docker-compose.yml
jest.config.js
package.json
priv-config
scalingo.json
yarn.lock

README.md

Mastodon


Mastodon is a free, open-source social network server based on open web protocols like ActivityPub and OStatus. The social focus of the project is a viable decentralized alternative to commercial social media silos that returns the control of the content distribution channels to the people. The technical focus of the project is a good user interface, a clean REST API for 3rd party apps and robust anti-abuse tools.

Click on the screenshot below to watch a demo of the UI:


Ruby on Rails is used for the back-end, while React.js and Redux are used for the dynamic front-end. A static front-end for public resources (profiles and statuses) is also provided.

If you would like, you can support the development of this project on Patreon.


Resources

Features

No vendor lock-in: Fully interoperable with any conforming platform

It doesn't have to be Mastodon, whatever implements ActivityPub or OStatus is part of the social network!

Real-time timeline updates

See the updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!

Federated thread resolving

If someone you follow replies to a user unknown to the server, the server fetches the full thread so you can view it without leaving the UI.

Media attachments like images and short videos

Upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos are looped - like vines!

OAuth2 and a straightforward REST API

Mastodon acts as an OAuth2 provider so 3rd party apps can use the API.

Fast response times

Mastodon tries to be as fast and responsive as possible, so all long-running tasks are delegated to background processing.

Deployable via Docker

You don't need to mess with dependencies and configuration if you want to try Mastodon: if you have Docker and Docker Compose, deployment is extremely easy.


Development

Please follow the development guide from the documentation repository.

Deployment

There are guides in the documentation repository for deploying on various platforms.

Contributing

You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository. Here are the guidelines for code contributions.

IRC channel: #mastodon on irc.freenode.net

License

Copyright (C) 2016-2018 Eugen Rochko & other Mastodon contributors (see AUTHORS.md)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.


Extra credits

The elephant friend illustrations are created by Dopatwo