4600 commits

Author SHA1 Message Date
Nicolas Werner
67bee15a38
Prevent the homeserver from inserting malicious secrets
Correctly verify that the reply to a secrets request is actually coming
from a verified device. While we did verify that it was us who replied,
we didn't properly cancel storing the secret if the sending device was
one of ours but was maliciously inserted by the homeserver and
unverified. We only send secret requests to verified devices in the
first place, so only the homeserver could abuse this issue.

Additionally we protected against malicious secret poisoning by
verifying that the secret is actually the reply to a request. This means
the server only has 2 places where it can poison the secrets:

- After a verification when we automatically request the secrets
- When the user manually hits the request button

It also needs to prevent other secret answers from reaching the client first
since we ignore all replies after that one.

The impact of this might be quite severe. It could allow the server to
replace the cross-signing keys silently and while we might not trust
that key, we possibly could trust it in the future if we rely on the
stored secret. Similarly this could potentially be abused to make the
client trust a malicious online key backup.

If your deployment is not patched yet and you don't control your
homeserver, you can protect against this by simply not doing any
verifications of your own devices and not pressing the request button in
the settings menu.
2022-09-28 13:36:52 +02:00
Joseph Donofry
9010acd909
If and Else blocks were backwards 2022-09-28 12:05:41 +02:00
Joseph Donofry
e6bbe74abf
Make sure there are no spaces in the status string 2022-09-28 12:05:41 +02:00
Joseph Donofry
2a72488a32
Add some additional notarization logging 2022-09-28 12:05:41 +02:00
Joseph Donofry
700978c5ec
Accepted... not Approved 2022-09-28 12:05:41 +02:00
Joseph Donofry
d422e42054
Apple's service cares about spaces 2022-09-28 12:05:40 +02:00
Joseph Donofry
975364a901
Update requestUUID source 2022-09-28 12:05:40 +02:00
Joseph Donofry
627f30da69
Use notarytool for notarization instead of altool 2022-09-28 12:05:40 +02:00
Joseph Donofry
64391efc3a
Remove expose_as for codesign job 2022-09-28 12:05:40 +02:00
Joseph Donofry
1f42e17a05
Add macos notarize logs as artifacts 2022-09-28 12:05:40 +02:00
Nicolas Werner
8985c2d1d4
Fix infinite loop that can be triggered by some invalid html 2022-09-28 12:03:04 +02:00
Nicolas Werner
9b751fe6d8
Bump mtxclient to released version 2022-09-09 19:13:55 +02:00
Nicolas Werner
8bec1f1934
Fix crash when joining a room with preview 2022-09-09 18:26:32 +02:00
Nicolas Werner
143d7c9b6a
Bump version 2022-09-07 21:30:19 +02:00
Weblate
7eff5b63fe Translated using Weblate (Indonesian)
Currently translated at 100.0% (830 of 830 strings)

Co-authored-by: Linerly <linerly@protonmail.com>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/id/
Translation: Nheko/nheko
2022-09-07 15:15:43 -04:00
Nicolas Werner
c61c35796b
Update changelog 2022-09-07 17:08:42 +02:00
Weblate
7630b60a6a Translated using Weblate (Polish)
Currently translated at 100.0% (830 of 830 strings)

Co-authored-by: Przemysław Romanik <github@rom4nik.pl>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/pl/
Translation: Nheko/nheko
2022-09-07 10:41:57 -04:00
Weblate
6d9f7bc5a4 Translated using Weblate (Dutch)
Currently translated at 100.0% (830 of 830 strings)

Co-authored-by: Jaron Viëtor <jaron@v8or.nl>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/nl/
Translation: Nheko/nheko
2022-09-07 10:41:57 -04:00
Weblate
bc25bc8c3d Translated using Weblate (Finnish)
Currently translated at 100.0% (830 of 830 strings)

Co-authored-by: Lurkki14 <jussi.kuokkanen@protonmail.com>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/fi/
Translation: Nheko/nheko
2022-09-07 10:41:56 -04:00
Weblate
36d045a0f0 Translated using Weblate (Polish)
Currently translated at 100.0% (807 of 807 strings)

Co-authored-by: Przemysław Romanik <github@rom4nik.pl>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/pl/
Translation: Nheko/nheko
2022-09-07 04:43:03 -04:00
Nicolas Werner
84831e91df
Update translations 2022-09-07 10:40:43 +02:00
Nicolas Werner
8527ae78d5
Bump mtxclient 2022-09-07 10:09:48 +02:00
Nicolas Werner
e67fd45a28
Update gstreamer 2022-09-06 22:56:03 +02:00
Nicolas Werner
a014b2f8d6
Fix crash on empty private read receipts being received
fixes #1180
2022-09-06 20:25:52 +02:00
Nicolas Werner
1d7575036e
Allow creating spaces 2022-09-05 02:00:20 +02:00
Nicolas Werner
c6bf1e6508
Attribute values can contain slashes 2022-09-04 18:14:14 +02:00
Nicolas Werner
e144c5741f
Implement space stickers & emoji 2022-09-01 13:25:11 +02:00
Nicolas Werner
01fd5e6b61
Unset the transient parent on separate chat windows
relates to #1168
2022-08-31 20:44:21 +02:00
Nicolas Werner
130e1b43fb
Fix empty widgets still being shown 2022-08-30 22:05:33 +02:00
Nicolas Werner
57f505c486
Fix invalid userids on profile requests 2022-08-30 15:40:33 +02:00
Nicolas Werner
47189240a2
Don't trust synapse
fixes #1172
2022-08-27 18:44:28 +02:00
DeepBlueV7.X
27401f6416
Merge pull request #1166 from foresto/clang-format-11-compat
Restore compatibility with clang-format v11
2022-08-25 13:21:32 +00:00
Forest
c66d7dede8 Revert "Specify every linter option"
This reverts commit e6b6a76437,
because it broke compatibility with clang-format 11 (which is current
on some Linux distros) and because it didn't achieve its original
goal. See PR #1166 for discussion.
2022-08-24 18:49:06 -07:00
DeepBlueV7.X
82319b87a8
Merge pull request #1165 from ChungZH/patch-1
Fix the position of version
2022-08-24 22:02:21 +00:00
Zirnc
91b1d30ef0
Fix the position of version 2022-08-24 11:05:31 +08:00
DeepBlueV7.X
2e5e157db6
Merge pull request #1162 from Hiers/discrete-roomprofile-edit
Added discrete edit button to room profiles.
2022-08-21 23:12:15 +00:00
Hiers
b94689c4d1 Added discrete edit button to room profiles. 2022-08-22 00:01:20 +01:00
DeepBlueV7.X
63339ad632
Merge pull request #1156 from foresto/patch-1
Focus message input box when pressing Esc
2022-08-20 21:50:55 +00:00
DeepBlueV7.X
3b0b8605a8
Merge pull request #1160 from foresto/reaction-colors
Reactions: avoid highlight color misuse, subdue bright border color
2022-08-20 21:49:57 +00:00
Nicolas Werner
732b82c04d
Allow summary tag 2022-08-20 23:45:38 +02:00
Forest
f66ed4bea5 Reactions: avoid highlight color misuse, subdue border color
This addresses a few problems with reaction colors:

- The state-checking conditionals for reaction text, background, and border
  were inconsistent, making it difficult to choose colors for each state
  (normal, hovered, and self reactions) that worked well in all themes.
- The QPalette::Highlight color was being misused as a text/foreground color.
  This color role is intended for background areas.  It has little contrast
  against the background in themes like KDE Plasma's Breeze High Contrast,
  so using it for text and icons makes those things difficult to read.
  https://doc.qt.io/qt-5/qpalette.html#ColorRole-enum
- The reaction border was drawn in the same color as normal text, making it
  so bright in some dark themes that it distracted from reading nearby text.

Fixes Nheko-Reborn/nheko#1159
2022-08-19 21:14:58 -07:00
Forest
4d1a01c829
Focus message input box when pressing Esc
This helps with #1065, although I think making sure the message input box gets focus by default would be worthwhile.
2022-08-19 07:41:22 +00:00
Nicolas Werner
ff87bef030
Fix inline image escape order 2022-08-18 22:05:47 +02:00
Nicolas Werner
08b304eccf
Break http images and implement barebones spoiler support when not in mobile mode
see #1042
see #483
2022-08-17 01:35:40 +02:00
DeepBlueV7.X
0e4932d973
Merge pull request #1155 from foresto/grammar-apostrophe
Grammar fix: Group's sidebar -> Groups sidebar
2022-08-16 19:26:33 +00:00
Forest
a4bd65ee1e Grammar fix: Group's sidebar -> Groups sidebar 2022-08-15 21:49:57 -07:00
Nicolas Werner
e8d5829c1f
Reduce memory usage when compiling slightly 2022-08-15 20:03:45 +02:00
Nicolas Werner
b51ad45dc2
Make member search case insensitive 2022-08-13 18:13:42 +02:00
Nicolas Werner
1cfbac4c92
Fix crash when device has no keys to verify 2022-08-13 18:01:16 +02:00
Nicolas Werner
242b7d5506
Fix crash when fetching global profile 2022-08-13 16:28:41 +02:00