8 files changed, 51 insertions, 33 deletions
diff --git a/lib/pleroma/plugs/parsers_plug.ex b/lib/pleroma/plugs/parsers_plug.ex
deleted file mode 100644
index 2e493ce0e..000000000
--- a/lib/pleroma/plugs/parsers_plug.ex
+++ /dev/null
@@ -1,21 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Plugs.Parsers do
-  @moduledoc "Initializes Plug.Parsers with upload limit set at boot time"
-
-  @behaviour Plug
-
-  def init(_opts) do
-    Plug.Parsers.init(
-      parsers: [:urlencoded, :multipart, :json],
-      pass: ["*/*"],
-      json_decoder: Jason,
-      length: Pleroma.Config.get([:instance, :upload_limit]),
-      body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
-    )
-  end
-
-  defdelegate call(conn, opts), to: Plug.Parsers
-end
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index f5d3245dc..1f5a47e05 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -177,11 +177,25 @@ defmodule Pleroma.User do
     |> Repo.aggregate(:count, :id)
   end
 
+  defp truncate_if_exists(params, key, max_length) do
+    if Map.has_key?(params, key) and is_binary(params[key]) do
+      {value, _chopped} = String.split_at(params[key], max_length)
+      Map.put(params, key, value)
+    else
+      params
+    end
+  end
+
   def remote_user_creation(params) do
     bio_limit = Pleroma.Config.get([:instance, :user_bio_length], 5000)
     name_limit = Pleroma.Config.get([:instance, :user_name_length], 100)
 
-    params = Map.put(params, :info, params[:info] || %{})
+    params =
+      params
+      |> Map.put(:info, params[:info] || %{})
+      |> truncate_if_exists(:name, name_limit)
+      |> truncate_if_exists(:bio, bio_limit)
+
     info_cng = User.Info.remote_user_creation(%User.Info{}, params[:info])
 
     changes =
diff --git a/lib/pleroma/user/info.ex b/lib/pleroma/user/info.ex
index 779bfbc18..151e025de 100644
--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@@ -242,6 +242,13 @@ defmodule Pleroma.User.Info do
   end
 
   def remote_user_creation(info, params) do
+    params =
+      if Map.has_key?(params, :fields) do
+        Map.put(params, :fields, Enum.map(params[:fields], &truncate_field/1))
+      else
+        params
+      end
+
     info
     |> cast(params, [
       :ap_enabled,
@@ -326,6 +333,16 @@ defmodule Pleroma.User.Info do
 
   defp valid_field?(_), do: false
 
+  defp truncate_field(%{"name" => name, "value" => value}) do
+    {name, _chopped} =
+      String.split_at(name, Pleroma.Config.get([:instance, :account_field_name_length], 255))
+
+    {value, _chopped} =
+      String.split_at(value, Pleroma.Config.get([:instance, :account_field_value_length], 255))
+
+    %{"name" => name, "value" => value}
+  end
+
   @spec confirmation_changeset(Info.t(), keyword()) :: Changeset.t()
   def confirmation_changeset(info, opts) do
     need_confirmation? = Keyword.get(opts, :need_confirmation)
diff --git a/lib/pleroma/web/activity_pub/transmogrifier.ex b/lib/pleroma/web/activity_pub/transmogrifier.ex
index 1c67fee2e..e925aae2f 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@@ -416,7 +416,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
   def handle_incoming(%{"id" => nil}, _options), do: :error
   def handle_incoming(%{"id" => ""}, _options), do: :error
   # length of https:// = 8, should validate better, but good enough for now.
-  def handle_incoming(%{"id" => id}, _options) when not (is_binary(id) and length(id) > 8),
+  def handle_incoming(%{"id" => id}, _options) when is_binary(id) and byte_size(id) < 8,
     do: :error
 
   # TODO: validate those with a Ecto scheme
diff --git a/lib/pleroma/web/common_api/common_api.ex b/lib/pleroma/web/common_api/common_api.ex
index 184ec6021..01ed7b16f 100644
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@@ -328,15 +328,10 @@ defmodule Pleroma.Web.CommonAPI do
   def pin(id_or_ap_id, %{ap_id: user_ap_id} = user) do
     with %Activity{
            actor: ^user_ap_id,
-           data: %{
-             "type" => "Create"
-           },
-           object: %Object{
-             data: %{
-               "type" => "Note"
-             }
-           }
+           data: %{"type" => "Create"},
+           object: %Object{data: %{"type" => object_type}}
          } = activity <- get_by_id_or_ap_id(id_or_ap_id),
+         true <- object_type in ["Note", "Article", "Question"],
          true <- Visibility.is_public?(activity),
          %{valid?: true} = info_changeset <- User.Info.add_pinnned_activity(user.info, activity),
          changeset <-
diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index f0abc8eb8..51c8401ae 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -61,7 +61,17 @@ defmodule Pleroma.Web.Endpoint do
   plug(Plug.RequestId)
   plug(Plug.Logger)
 
-  plug(Pleroma.Plugs.Parsers)
+  plug(Plug.Parsers,
+    parsers: [
+      :urlencoded,
+      {:multipart, length: {Pleroma.Config, :get, [[:instance, :upload_limit]]}},
+      :json
+    ],
+    pass: ["*/*"],
+    json_decoder: Jason,
+    length: Pleroma.Config.get([:instance, :upload_limit]),
+    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
+  )
 
   plug(Plug.MethodOverride)
   plug(Plug.Head)
diff --git a/lib/pleroma/web/metadata/utils.ex b/lib/pleroma/web/metadata/utils.ex
index 720bd4519..e1ad402bc 100644
--- a/lib/pleroma/web/metadata/utils.ex
+++ b/lib/pleroma/web/metadata/utils.ex
@@ -14,6 +14,7 @@ defmodule Pleroma.Web.Metadata.Utils do
     |> String.replace(~r/<br\s?\/?>/, " ")
     |> HTML.get_cached_stripped_html_for_activity(object, "metadata")
     |> Formatter.demojify()
+    |> HtmlEntities.decode()
     |> Formatter.truncate()
   end
 
@@ -24,6 +25,7 @@ defmodule Pleroma.Web.Metadata.Utils do
     |> String.replace(~r/<br\s?\/?>/, " ")
     |> HTML.strip_tags()
     |> Formatter.demojify()
+    |> HtmlEntities.decode()
     |> Formatter.truncate(max_length)
   end
 
diff --git a/lib/pleroma/web/streamer/worker.ex b/lib/pleroma/web/streamer/worker.ex
index da7a5a6f2..1e7da4852 100644
--- a/lib/pleroma/web/streamer/worker.ex
+++ b/lib/pleroma/web/streamer/worker.ex
@@ -137,8 +137,9 @@ defmodule Pleroma.Web.Streamer.Worker do
     domain_blocks = Pleroma.Web.ActivityPub.MRF.subdomains_regex(user.info.domain_blocks)
 
     with parent <- Object.normalize(item) || item,
-         true <- Enum.all?([blocks, mutes, reblog_mutes], &(item.actor not in &1)),
+         true <- Enum.all?([blocks, mutes], &(item.actor not in &1)),
          true <- Enum.all?([blocks, mutes], &(parent.data["actor"] not in &1)),
+         true <- item.data["type"] != "Announce" || item.actor not in reblog_mutes,
          true <- MapSet.disjoint?(recipients, recipient_blocks),
          %{host: item_host} <- URI.parse(item.actor),
          %{host: parent_host} <- URI.parse(parent.data["actor"]),