A critical security vulnerability has been found in the unreleased master version of Mastodon. If your instance is running code from the tag
v2.3.3 or older, it is not affected. If you are running a newer version that includes commit ca42f9b, it’s urgent that you upgrade and change your passwords stored in
See https://github.com/tootsuite/mastodon/releases/tag/v2.4.0rc3 for more details.
The Free Radical Ansible repo commit 5d91a34 now supports both pre-Mastodon 2.1 and Mastodon 2.1+ S3 media URLs in CSP headers.
[Error] Refused to load https://s3-us-west-2.amazonaws.com/freeradical-system/accounts/avatars/000/014/309/static/91f9782fad3f6284.png because it does not appear in the img-src directive of the Content Security Policy.
It turns out that some time between the releases of v2.0.0 and v2.1.0, Mastodon switched from generating S3 URLs like:
Because I’d jumped through the hoops of setting up a Content-Security-Policy header, Safari wasn’t allowing those images to render. I had to change my CSP header in Nginx from:
add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://freeradical.zone/; media-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/";
to:
add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/freeradical-system/ data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://freeradical.zone/; media-src 'self' https://freeradical-system.s3-us-west-2.amazonaws.com/ https://s3-us-west-2.amazonaws.com/freeradical-system/";
so that both the old and new S3 URLs are permitted.
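As an added example (not code from the post or from the Free Radical repo), a small Python checker that applies CSP host-source matching to the two policies above. It assumes https://freeradical.zone as the 'self' origin, and it shows why the path-style source must keep the bucket prefix: a bare https://s3-us-west-2.amazonaws.com/ would have allowed images from any bucket on that endpoint.

```python
from urllib.parse import urlparse

# Origin used for 'self' matching (assumption: the instance's own domain)
SELF_ORIGIN = "https://freeradical.zone"

# img-src portions of the old and new Nginx add_header lines above
OLD_CSP = ("default-src 'self'; img-src 'self' "
           "https://freeradical-system.s3-us-west-2.amazonaws.com/ data:")
NEW_CSP = ("default-src 'self'; img-src 'self' "
           "https://freeradical-system.s3-us-west-2.amazonaws.com/ "
           "https://s3-us-west-2.amazonaws.com/freeradical-system/ data:")

# The path-style avatar URL that Safari refused to load (from the error above)
AVATAR_URL = ("https://s3-us-west-2.amazonaws.com/freeradical-system/"
              "accounts/avatars/000/014/309/static/91f9782fad3f6284.png")

def parse_directives(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(src, url, self_origin):
    """Match one 'self', scheme (data:) or https://host/path source against
    a URL: scheme and host must be equal; a path ending in '/' is a prefix,
    any other path must match exactly. Wildcard hosts are not handled."""
    u = urlparse(url)
    if src == "'self'":
        s = urlparse(self_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    if src.endswith(":"):
        return u.scheme == src[:-1]
    s = urlparse(src)
    if s.scheme != u.scheme or s.netloc != u.netloc:
        return False
    if s.path in ("", "/"):
        return True
    if s.path.endswith("/"):
        return u.path.startswith(s.path)  # bucket prefix must match too
    return u.path == s.path

def allowed(policy, directive, url, self_origin=SELF_ORIGIN):
    """True if the URL may load under the directive (default-src fallback)."""
    d = parse_directives(policy)
    sources = d.get(directive, d.get("default-src", []))
    return any(source_matches(s, url, self_origin) for s in sources)
```

Running `allowed(OLD_CSP, "img-src", AVATAR_URL)` reproduces Safari's refusal, while the same call with NEW_CSP passes and a URL for a different bucket on the same endpoint is still rejected.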
The Free Radical Ansible repo commit 76a0107 fixes two problems:
- Makes Docker use aufs instead of overlayfs, because overlayfs is ridiculously slow during an important container startup step
- Sets the root directory for HTTP connections so that certbot renew cron jobs complete successfully
If you’re using Mastodon on an iPhone, you’re probably using the excellent Amaroq client. For some very good reasons, it doesn’t have a built-in feature to translate toots into your own language. That’s OK, though. We can implement that ourselves!
This will walk you through the process of installing Workflow on your iPhone, then configuring Amaroq to use it to translate toots from your timeline. There are a lot of steps here, but most of them are for the one-time setup. Don’t worry: you won’t have to do all of these every time you want to read something written in French.
Continue reading Translating toots with Workflow
Free Radical is running on a Digital Ocean VPS. Instead of deploying it manually, I turned the process into a couple of Ansible playbooks that do the right things quickly and repeatably.
I describe what it does in the README, but that’s just a feature checklist. So why would I go through the effort? There are several reasons:
Continue reading Why I’ve automated deployments
This morning, I moved all of the user-generated content on Free Radical from local storage to S3. It was completely painless and Just Worked – yay! There are a few reasons why this can be a great idea:
Continue reading Migrating media to S3