Urgent for admins: critical vulnerability in recent code

A critical security vulnerability has been found in the unreleased master version of Mastodon. If your instance is running code from the tag v2.3.3 or older, it is not affected. If you are running a newer version that includes commit ca42f9b, it’s urgent that you upgrade and change your passwords stored in .env.production immediately!

See https://github.com/tootsuite/mastodon/releases/tag/v2.4.0rc3 for more details.

S3 URLs have changed; update your Content-Security-Policy

I’m serving Free Radical’s images etc. from S3. When I updated to Mastodon v2.1.0, I noticed that all the page’s images were missing. Safari’s Show JavaScript Console menu revealed a lot of errors like:

[Error] Refused to load https://s3-us-west-2.amazonaws.com/freeradical-system/accounts/avatars/000/014/309/static/91f9782fad3f6284.png because it does not appear in the img-src directive of the Content Security Policy.

Turns out that some time between the releases of v2.0.0 and v2.1.0, Mastodon switched from generating S3 URLs like:

https://freeradical-system.s3-us-west-2.amazonaws.com/...

to

https://s3-us-west-2.amazonaws.com/freeradical-system/...

Because I’d jumped through the hoops of setting up a Content-Security-Policy header, Safari wasn’t allowing those images to render. I had to change my CSP header in Nginx from:

add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://freeradical.zone/; media-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/";

to

add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/freeradical-system/ data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://freeradical.zone/; media-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/freeradical-system/";

so that both the old and new S3 URLs are permitted.
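As an added example (not code from the original post), here is a small CSP host-source matcher that reproduces the Safari refusal against the old header and confirms the updated one, including why the bucket path prefix in the new source matters. PAGE_ORIGIN, OTHER_BUCKET and the helper names are my assumptions, and the checker deliberately ignores nonces, hashes and wildcard hosts, which this page does not use.

```javascript
// Added example, not code from the original post: a minimal CSP host-source
// checker. It handles 'self', scheme sources such as data:, and host sources
// with an optional path prefix (a source path ending in "/" matches that path
// and everything under it, as CSP specifies). Nonces, hashes and wildcards
// are not handled.
const PAGE_ORIGIN = "https://freeradical.zone"; // assumed from the connect-src on the page

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source.endsWith(":")) return url.protocol === source; // e.g. "data:"
  // Assumption: a schemeless host source is treated as https for this check.
  const src = new URL(source.includes("://") ? source : `https://${source}`);
  if (src.protocol !== url.protocol || src.host !== url.host) return false;
  const p = src.pathname;
  return p.endsWith("/") ? url.pathname.startsWith(p) : url.pathname === p;
}

// Fetch directives such as img-src fall back to default-src when absent.
function cspAllows(header, directive, urlString) {
  const d = parseCsp(header);
  const sources = d[directive] ?? d["default-src"] ?? [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url));
}

// The img-src lists from the post, before and after the fix.
const OLD_CSP = "default-src 'self'; img-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ data:";
const NEW_CSP = "default-src 'self'; img-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/freeradical-system/ data:";
// The avatar URL from the console error, and its pre-v2.1.0 virtual-host form.
const NEW_STYLE = "https://s3-us-west-2.amazonaws.com/freeradical-system/accounts/avatars/000/014/309/static/91f9782fad3f6284.png";
const OLD_STYLE = "https://freeradical-system.s3-us-west-2.amazonaws.com/accounts/avatars/000/014/309/static/91f9782fad3f6284.png";
// Constructed: a different bucket on the same shared regional hostname. The
// bucket path prefix in the new source keeps it blocked; allowlisting the bare
// hostname would have opened img-src to every bucket in that region.
const OTHER_BUCKET = "https://s3-us-west-2.amazonaws.com/some-other-bucket/image.png";

console.log(cspAllows(OLD_CSP, "img-src", NEW_STYLE));    // false: the error above
console.log(cspAllows(NEW_CSP, "img-src", NEW_STYLE));    // true
console.log(cspAllows(NEW_CSP, "img-src", OLD_STYLE));    // true
console.log(cspAllows(NEW_CSP, "img-src", OTHER_BUCKET)); // false
```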

Translating toots with Workflow

If you’re using Mastodon on an iPhone, you’re probably using the excellent Amaroq client. For some very good reasons, it doesn’t have a built-in feature to translate toots into your own language. That’s OK, though. We can implement that ourselves!

This will walk you through the process of installing Workflow on your iPhone, then configuring Amaroq to use it to translate toots from your timeline. There are a lot of steps here, but most of them are for the one-time setup. Don’t worry: you won’t have to do all of these every time you want to read something written in French.

Why I’ve automated deployments

Free Radical is running on a Digital Ocean VPS. Instead of deploying it manually, I turned the process into a couple of Ansible playbooks that do the right things quickly and repeatably.

I describe what it does in the README, but that’s just a feature checklist. So why would I go through the effort? There are several reasons:
