From 69378eac99c013a0db7d2d5ff9a54dfcc287d9ce Mon Sep 17 00:00:00 2001
From: David Leadbeater <dgl@dgl.cx>
Date: Mon, 21 Nov 2022 05:28:13 +1100
Subject: [PATCH 1/3] Don't allow URLs that contain non-normalized paths to be
 verified (#20999)

* Don't allow URLs that contain non-normalized paths to be verified

This stops things like https://example.com/otheruser/../realuser where
"/otheruser" appears to be the verified URL, but the actual URL being
verified is "/realuser" due to the "/../".

Also fix a test to use 'https' so that it tests the right thing, now that
https is required (since #20304).

* missing do
---
 app/models/account/field.rb       |  3 ++-
 spec/models/account/field_spec.rb | 10 +++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/models/account/field.rb b/app/models/account/field.rb
index ffc8dce80b..4db4cac301 100644
--- a/app/models/account/field.rb
+++ b/app/models/account/field.rb
@@ -46,7 +46,8 @@ class Account::Field < ActiveModelSerializers::Model
       parsed_url.user.nil? &&
       parsed_url.password.nil? &&
       parsed_url.host.present? &&
-      parsed_url.normalized_host == parsed_url.host
+      parsed_url.normalized_host == parsed_url.host &&
+      (parsed_url.path.empty? || parsed_url.path == parsed_url.normalized_path)
   rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
     false
   end
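Review bot: The new path clause on the last line of the condition has no comment, and the `parsed_url.path.empty? ||` exception in particular is not self-explanatory. It is presumably there because Addressable normalizes an empty http(s) path to `/`, so a bare `https://example.com` would otherwise fail the equality. A short comment would keep a later cleanup from dropping it, e.g. `# Reject dot segments and other non-normalized paths so the URL shown as verified is the one actually fetched; an empty path normalizes to "/" and is allowed`. The condition begins above the hunk, so whether query, fragment or port get the same displayed-versus-requested check cannot be seen from here and is worth confirming.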
diff --git a/spec/models/account/field_spec.rb b/spec/models/account/field_spec.rb
index b4beec0483..0ac9769bcc 100644
--- a/spec/models/account/field_spec.rb
+++ b/spec/models/account/field_spec.rb
@@ -67,7 +67,15 @@ RSpec.describe Account::Field, type: :model do
       end
 
       context 'for an IDN URL' do
-        let(:value) { 'http://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+        let(:value) { 'https://twitter.com∕dougallj∕status∕1590357240443437057.ê.cc/twitter.html' }
+
+        it 'returns false' do
+          expect(subject.verifiable?).to be false
+        end
+      end
+
+      context 'for a URL with a non-normalized path' do
+        let(:value) { 'https://github.com/octocatxxxxxxxx/../mastodon' }
 
         it 'returns false' do
           expect(subject.verifiable?).to be false
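Review bot: The new context exercises only a literal `/../` segment, so the spec does not pin down the other forms that the `path == normalized_path` comparison is meant to reject. I would add sibling contexts for a `/./` segment and for a percent-encoded dot segment. If one does not already exist outside this hunk, also add a case asserting that an ordinary path such as `https://github.com/mastodon` is still verifiable, so that an over-strict change to the check is caught too. The final `it` block continues past the end of the hunk.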

From 51a33ce77a32b85eaff37670c40a497aaef13e18 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Mon, 21 Nov 2022 10:35:09 +0100
Subject: [PATCH 2/3] Fix not being able to follow more than one hashtag
 (#21285)

Fixes regression from #20860
---
 app/controllers/api/v1/tags_controller.rb       | 2 +-
 spec/controllers/api/v1/tags_controller_spec.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/tags_controller.rb b/app/controllers/api/v1/tags_controller.rb
index 0966ee4699..272362c314 100644
--- a/app/controllers/api/v1/tags_controller.rb
+++ b/app/controllers/api/v1/tags_controller.rb
@@ -12,7 +12,7 @@ class Api::V1::TagsController < Api::BaseController
   end
 
   def follow
-    TagFollow.first_or_create!(tag: @tag, account: current_account, rate_limit: true)
+    TagFollow.create_with(rate_limit: true).find_or_create_by!(tag: @tag, account: current_account)
     render json: @tag, serializer: REST::TagSerializer
   end
 
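Review bot: `find_or_create_by!` on the changed line runs a SELECT followed by an INSERT, so two concurrent follow requests for the same tag and account can both miss the lookup. Depending on whether TagFollow has a uniqueness validation or a unique index (neither is visible here), the second request would then raise and surface as an error, or a duplicate row would be created. If a unique index exists, handling the collision keeps the endpoint idempotent, e.g. `rescue ActiveRecord::RecordNotUnique` followed by a lookup of the existing row.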
diff --git a/spec/controllers/api/v1/tags_controller_spec.rb b/spec/controllers/api/v1/tags_controller_spec.rb
index ac42660dfa..216faad872 100644
--- a/spec/controllers/api/v1/tags_controller_spec.rb
+++ b/spec/controllers/api/v1/tags_controller_spec.rb
@@ -33,7 +33,11 @@ RSpec.describe Api::V1::TagsController, type: :controller do
   end
 
   describe 'POST #follow' do
+    let!(:unrelated_tag) { Fabricate(:tag) }
+
     before do
+      TagFollow.create!(account: user.account, tag: unrelated_tag)
+
       post :follow, params: { id: name }
     end
 

From f343ed42ff1d288989f3a577362cc672e4cae437 Mon Sep 17 00:00:00 2001
From: BtbN <btbn@btbn.de>
Date: Tue, 22 Nov 2022 05:52:18 +0100
Subject: [PATCH 3/3] Add missing procps package to Dockerfile (#21028)

The new Debian-Base does not come with this by default, making the ps based health-check in the compose file fail
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 081981d467..69153c0300 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,6 +56,7 @@ RUN apt-get update && \
     useradd -u "$UID" -g "${GID}" -m -d /opt/mastodon mastodon && \
     apt-get -y --no-install-recommends install whois \
         wget \
+        procps \
         libssl1.1 \
         libpq5 \
         imagemagick \
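Review bot: `procps` is added to the runtime package list with nothing in the Dockerfile saying why, and the only consumer named in the commit message is the `ps`-based health check in the compose file. Every extra package in the runtime image is attack surface that someone will later want to trim, so I would record the dependency with a comment above this `RUN` instruction, e.g. `# procps provides ps, which the docker-compose health check relies on`. The `RUN` instruction starts above the hunk and continues below it.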