
v0.13.3 Spideriest Sloth 2: The re-slothening

@gotosocialorg gotosocialorg released this 15 Feb 13:18
· 277 commits to main since this release

Hi everyone! This here's a security + bugfix release for GoToSocial!

Similar to the v0.13.2 release, this one closes a couple gaps with regard to ensuring that models of remote Activities or Objects can't be modified by Actors who don't own the Activity or Object.
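The kind of ownership check described above, as an added example (not GoToSocial's own code): before applying a modifying activity such as an Update or Delete to a stored object like a Note, confirm that the authenticated actor is the one the object is attributed to and that the object's ID lives on the actor's host. The `Activity` struct, its field names and `CheckOwnership` are hypothetical, and the example assumes the actor URI was already authenticated (for instance by HTTP signature).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Activity is a simplified, hypothetical view of an incoming ActivityPub
// activity plus the stored object it targets; not GoToSocial's model.
type Activity struct {
	Type         string // "Update", "Delete", ...
	Actor        string // URI of the already-authenticated sending actor
	ObjectID     string // "id" of the object being modified
	AttributedTo string // owner recorded when the object was first stored
}

var ErrNotOwner = errors.New("actor does not own object")

// CheckOwnership returns nil only if the actor is the stored owner of the
// object and the object ID is an https URI on the actor's own host.
func CheckOwnership(act Activity) error {
	actor, err := url.Parse(act.Actor)
	if err != nil {
		return fmt.Errorf("bad actor URI: %w", err)
	}
	obj, err := url.Parse(act.ObjectID)
	if err != nil {
		return fmt.Errorf("bad object URI: %w", err)
	}
	// An actor on one instance must not modify objects hosted on another.
	if actor.Scheme != "https" || obj.Scheme != "https" || !strings.EqualFold(actor.Host, obj.Host) {
		return fmt.Errorf("%w: object host differs from actor host", ErrNotOwner)
	}
	// Same host is not enough: the object must belong to this exact actor.
	if act.AttributedTo != act.Actor {
		return fmt.Errorf("%w: object is attributed to another actor", ErrNotOwner)
	}
	return nil
}

func main() {
	// Constructed sample: an actor on b.example targets a status on a.example.
	err := CheckOwnership(Activity{Type: "Update", Actor: "https://b.example/users/mallory",
		ObjectID: "https://a.example/statuses/1", AttributedTo: "https://a.example/users/alice"})
	fmt.Println(err)
}
```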

It also fixes a couple different bugs with regard to your instance trying to dereference accounts who've blocked you, or whose instances have blocked you, leading to less weird-looking behavior from the user's side :)

Based on the changes included, Bookwyrm federation should hopefully work a little better now as well, but we haven't tested this.

If you're running on v0.13.2 or below, you should update to this release as soon as you have the time. There are no database migrations or frontend file changes, so this should be fairly easy!

Thanks!

Migration notes

Upgrading

See the release notes for 0.13.0 but replace 0.13.0 with 0.13.3 throughout.

config.yaml

No changes since 0.13.2, see 0.13.0 for migration notes from versions < 0.13.0.

Database Migrations

No changes since 0.13.2, see 0.13.0 for migration notes from versions < 0.13.0.

Detailed Changelog

  • fb3e3ca [chore] also allow text/xml in place of application/xml (#2640)
  • b9013a8 [bugfix] add stricter checks during all stages of dereferencing remote AS objects (#2639)
  • a3aa604 [bugfix] Don't return Account or Status if new and dereferencing failed, other small fixes (#2563)
  • ad6f756 [bugfix] Don't return Internal Server Error when searching for URIs that don't return AP JSON (#2550)
  • 1188971 [feature] Allow "charset=utf8" in incoming AP POST requests (#2564)
  • 5d44ad7 [chore] chore rationalise http return codes for activitypub handlers (#2540)