Commit graph

5097 commits

Author SHA1 Message Date
Nicolas Werner
031a129591
Bump version to 0.10.2 2022-09-28 14:11:19 +02:00
Nicolas Werner
67bee15a38
Prevent the homeserver from inserting malicious secrets
Correctly verify that the reply to a secrets request is actually coming
from a verified device. While we did verify that it was us who replied,
we didn't properly cancel storing the secret if the sending device was
one of ours but was maliciously inserted by the homeserver and
unverified. We only send secret requests to verified devices in the
first place, so only the homeserver could abuse this issue.

Additionally we protected against malicious secret poisoning by
verifying that the secret is actually the reply to a request. This means
the server only has 2 places where it can poison the secrets:

- After a verification when we automatically request the secrets
- When the user manually hits the request button

It also needs to prevent other secret answers from reaching the client first
since we ignore all replies after that one.

The impact of this might be quite severe. It could allow the server to
replace the cross-signing keys silently and while we might not trust
that key, we possibly could trust it in the future if we rely on the
stored secret. Similarly this could potentially be abused to make the
client trust a malicious online key backup.

If your deployment is not patched yet and you don't control your
homeserver, you can protect against this by simply not doing any
verifications of your own devices and not pressing the request button in
the settings menu.
2022-09-28 13:36:52 +02:00
Joseph Donofry
9010acd909
If and Else blocks were backwards 2022-09-28 12:05:41 +02:00
Joseph Donofry
e6bbe74abf
Make sure there are no spaces in the status string 2022-09-28 12:05:41 +02:00
Joseph Donofry
2a72488a32
Add some additional notarization logging 2022-09-28 12:05:41 +02:00
Joseph Donofry
700978c5ec
Accepted... not Approved 2022-09-28 12:05:41 +02:00
Joseph Donofry
d422e42054
Apple's service cares about spaces 2022-09-28 12:05:40 +02:00
Joseph Donofry
975364a901
Update requestUUID source 2022-09-28 12:05:40 +02:00
Joseph Donofry
627f30da69
Use notarytool for notarization instead of altool 2022-09-28 12:05:40 +02:00
Joseph Donofry
64391efc3a
Remove expose_as for codesign job 2022-09-28 12:05:40 +02:00
Joseph Donofry
1f42e17a05
Add macos notarize logs as artifacts 2022-09-28 12:05:40 +02:00
Nicolas Werner
8985c2d1d4
Fix infinite loop that can be triggered by some invalid html 2022-09-28 12:03:04 +02:00
Nicolas Werner
051c25d5b8
Allow editing permissions in spaces recursively 2022-09-28 02:09:04 +02:00
Nicolas Werner
0752f9477e
Fix infinite loop that can be triggered by some invalid html 2022-09-27 22:02:41 +02:00
Joseph Donofry
d103f793bf
If and Else blocks were backwards 2022-09-25 19:16:23 -04:00
Joseph Donofry
d7fffa9f46
Make sure there are no spaces in the status string 2022-09-25 18:08:13 -04:00
Joseph Donofry
e5d0244ef9
Add some additional notarization logging 2022-09-25 18:03:56 -04:00
Nicolas Werner
851333a50d
Switch to clang-format14 2022-09-25 20:05:08 +02:00
Joseph Donofry
951d0f4d23
Accepted... not Approved 2022-09-24 22:46:53 -04:00
Joseph Donofry
7b0ef054d0
Apple's service cares about spaces 2022-09-24 22:16:18 -04:00
Joseph Donofry
ae442f3b45
Update requestUUID source 2022-09-24 21:30:27 -04:00
Joseph Donofry
8ac87a5fbe
Use notarytool for notarization instead of altool 2022-09-24 20:57:26 -04:00
Joseph Donofry
cbdcde9572
Remove expose_as for codesign job 2022-09-24 17:46:49 -04:00
Joseph Donofry
3c21e09caf
Add macos notarize logs as artifacts 2022-09-24 17:43:06 -04:00
Nicolas Werner
79ce60382a
Fix crash when deleting room summary
Since this is used across different threads, we have to delete it on the
event loop.

Thank you, q234rty, for the help with debugging this.
2022-09-24 10:36:26 +02:00
Nicolas Werner
ce2d4defde
Try to handle rate limiting 2022-09-23 15:47:25 +02:00
Nicolas Werner
683fd75700
More granular automoc 2022-09-23 15:47:25 +02:00
Weblate
3b99e3826e
Translated using Weblate (Russian)
Currently translated at 31.9% (265 of 830 strings)

Translated using Weblate (Russian)

Currently translated at 31.9% (265 of 830 strings)

Translated using Weblate (Russian)

Currently translated at 31.9% (265 of 830 strings)

Co-authored-by: Artem <ego.cordatus@gmail.com>
Co-authored-by: Mihail Iosilevich <mihail.iosilevitch@yandex.ru>
Co-authored-by: SOT-TECH <sblazhko@sot-te.ch>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/ru/
Translation: Nheko/nheko
2022-09-23 09:05:09 -04:00
Weblate
aad97cffef
Translated using Weblate (Russian)
Currently translated at 31.5% (262 of 830 strings)

Co-authored-by: SOT-TECH <sblazhko@sot-te.ch>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/ru/
Translation: Nheko/nheko
2022-09-22 16:09:04 -04:00
Nicolas Werner
ed15d73d36
Allow adding non-existing userids to power levels 2022-09-22 21:24:41 +02:00
Nicolas Werner
33d45d5765
Upgrade build images 2022-09-22 20:18:08 +02:00
Nicolas Werner
a8e35e5623
Set macos deployment target explicitly 2022-09-22 20:18:08 +02:00
Nicolas Werner
efb9970178
Switch to C++20 2022-09-22 20:18:04 +02:00
Weblate
7efb4a22c7
Translated using Weblate (Russian)
Currently translated at 31.5% (262 of 830 strings)

Co-authored-by: SOT-TECH <sblazhko@sot-te.ch>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/ru/
Translation: Nheko/nheko
2022-09-22 10:00:56 -04:00
DeepBlueV7.X
ed880248c8
Merge pull request #1190 from Bubu/patch-3
Readme: fix steam deck instructions
2022-09-22 12:46:40 +00:00
Weblate
a079e370ff
Translated using Weblate (Russian)
Currently translated at 31.5% (262 of 830 strings)

Translated using Weblate (Russian)

Currently translated at 31.5% (262 of 830 strings)

Translated using Weblate (Russian)

Currently translated at 31.5% (262 of 830 strings)

Co-authored-by: Herecore <herecore@protonmail.com>
Co-authored-by: Mihail Iosilevich <mihail.iosilevitch@yandex.ru>
Co-authored-by: SOT-TECH <sblazhko@sot-te.ch>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/ru/
Translation: Nheko/nheko
2022-09-22 08:02:06 -04:00
Weblate
c4cb0b2c86
Translated using Weblate (Russian)
Currently translated at 31.0% (258 of 830 strings)

Translated using Weblate (Russian)

Currently translated at 31.0% (258 of 830 strings)

Translated using Weblate (Russian)

Currently translated at 31.0% (258 of 830 strings)

Co-authored-by: Alexey Murz Korepov <murznn@gmail.com>
Co-authored-by: SOT-TECH <sblazhko@sot-te.ch>
Co-authored-by: Weblate <noreply@weblate.org>
Co-authored-by: glebasson <glebasson@yandex.ru>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/ru/
Translation: Nheko/nheko
2022-09-22 03:55:19 -04:00
Weblate
7562b03b8e
Translated using Weblate (Estonian)
Currently translated at 99.7% (828 of 830 strings)

Co-authored-by: Priit Jõerüüt <nhkwlate@joeruut.com>
Translate-URL: https://weblate.nheko.im/projects/nheko/nheko-master/et/
Translation: Nheko/nheko
2022-09-21 05:00:54 -04:00
Nicolas Werner
b629455fab
Rename groups 2022-09-21 00:03:25 +02:00
Nicolas Werner
421b15c05c
Show the community of a room 2022-09-20 21:26:46 +02:00
Marcus
56d2a0d39d
Readme: fix steam deck instructions
Turns out that setting the desktop env isn't enough; we also need to
manually ensure kwalletd is started. As we can't tell steam to run
multiple commands, people will need a small wrapper script that
does this.
2022-09-20 18:44:53 +02:00
DeepBlueV7.X
7088c9bd9b
Merge pull request #1189 from Bubu/patch-1
Readme: add Steam Deck instructions
2022-09-20 10:55:02 +00:00
Marcus
e46fd37dec
Readme: add Steam Deck instructions 2022-09-20 12:52:12 +02:00
Nicolas Werner
fc0baa86b0
Fix const iteration 2022-09-19 21:57:25 +02:00
Nicolas Werner
fe403ddc70
Rework how access rules for rooms are modified completely 2022-09-19 21:39:37 +02:00
Jason Volk
603b90a6f5
Fix copypasto in cmake bundle option descriptions. 2022-09-17 18:14:48 +02:00
DeepBlueV7.X
ef2ec6d3e7
Merge pull request #1186 from q234rty/patch-1
Fix "Send by enter" on Windows
2022-09-16 16:43:49 +00:00
q234rty
15b9dbe98d
Fix "Send by enter" on Windows
Apparently on Windows `Qt.inputMethod.visible` is always true when an input method is installed. Also on Windows, even after removing the check, enter is still consumed by the input method, not nheko.
2022-09-16 22:41:11 +08:00
Nicolas Werner
cd08a130c6
Make emoji escaping less aggressive 2022-09-16 15:17:48 +02:00
DeepBlueV7.X
0ebd0b0526
Merge pull request #1185 from spaetz/patch-1
Update nheko_de.ts: typo "Animiete"
2022-09-15 10:33:48 +00:00