Feb. 12th, 2026

github: shadowy octopus with the head of a robot, emblazoned with the Dreamwidth swirl (Default)
[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: a182d9895fbc8e9709c71c4e4361f1ba83afec23
https://github.com/dreamwidth/dreamwidth/commit/a182d9895fbc8e9709c71c4e4361f1ba83afec23
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M .github/workflows/ci.yml
  M app.psgi
  M cgi-bin/Apache/LiveJournal.pm
  A cgi-bin/DW/API/RateLimit.pm
  M cgi-bin/DW/Controller/API/REST.pm
  M cgi-bin/DW/Controller/API/REST/Journals.pm
  A cgi-bin/DW/RateLimit.pm
  M cgi-bin/LJ/Console/Command/Suspend.pm
  M cgi-bin/LJ/Test.pm
  A cgi-bin/Plack/Middleware/DW/RateLimit.pm
  M doc/dependencies-cpanm
  M doc/raw/memcache-keys.txt
  M etc/config.pl.example
  A t/rate-limit.t

Log Message:


Rate Limiting (#3490)

  • Add basic rate limiting module

  • Add configuration overrides

This enables rate limits to be overridden.

  • Add API rate limit basics

  • Update Apache rate limiting to use new DW::RateLimit API

Move rate limiting after start_request() so get_remote() works, switch to rate-string API and check() method. Also restore approvenew setting lost during rebase.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

  • Add Plack rate limiting middleware

Port rate limiting from Apache::LiveJournal to a Plack middleware so it works under Starman. Same rates: 100/60s authenticated, 30/60s anonymous. Wired in after DW::Sysban in app.psgi.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

  • Fix tidy formatting in rate limiting code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

  • Add rate limit tests to CI workflow

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

  • Add CPAN dependency install step to CI workflow

The devcontainer image bakes dependencies at build time, so new deps added in a PR aren't available until the image rebuilds. Running cpm install from the checked-out dependencies-cpanm ensures CI always has the right modules for the code under test.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: b8e245b8b1d1f0aba6ec605a73a0e1dfc2227833
https://github.com/dreamwidth/dreamwidth/commit/b8e245b8b1d1f0aba6ec605a73a0e1dfc2227833
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M bin/upgrading/en.dat
  M views/create/account.tt.text

Log Message:


Add South Carolina to under-18 signup restriction

SC passed a law requiring parental monitoring for under-18 users. Update signup strings to include SC alongside TN.

Closes #3513

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

To unsubscribe from these emails, change your notification settings at https://github.com/dreamwidth/dreamwidth/settings/notifications

[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: 8dbf8e57d9d5450a9f7ea6866e3d65892b6ab25a
https://github.com/dreamwidth/dreamwidth/commit/8dbf8e57d9d5450a9f7ea6866e3d65892b6ab25a
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M cgi-bin/LJ/Widget/ShopCart.pm

Log Message:


Fix undef error viewing cart in admin pay view

The admin_col and is_random closures in ShopCart.pm used $_ to access the cart item, but Template Toolkit passes arguments via @_, not $_. This caused admin_col to crash with "Can't call method 'id' on an undefined value" and is_random to silently always return 'N'.

Closes #3509

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com


[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: 094b2bd3a714dc1dc7b53af1b674d5854f801804
https://github.com/dreamwidth/dreamwidth/commit/094b2bd3a714dc1dc7b53af1b674d5854f801804
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M cgi-bin/DW/Logic/ProfilePage.pm
  M cgi-bin/DW/Logic/UserLinkBar.pm
  M cgi-bin/LJ/Event/UserMessageRecvd.pm
  M cgi-bin/LJ/User/Message.pm

Log Message:


Make private message links respect remote's beta inbox selection

Centralize the inbox beta check in message_url and update all locations that build compose URLs: profile page, user link bar, hoverbox RPC, and email/inbox notification reply links.

Closes #3491

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com


[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: f66c51a5054ba9a085cd671abc8a3bc8d63223dc
https://github.com/dreamwidth/dreamwidth/commit/f66c51a5054ba9a085cd671abc8a3bc8d63223dc
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M cgi-bin/DW/Controller/Poll.pm

Log Message:


Fix multi-answer polls only recording last selected option

The poll form POST handler used Hash::MultiValue's hash access to read checkbox values, which only returns the last value per key. Flatten the Hash::MultiValue into a regular hash with comma-joined values, matching how the RPC/AJAX handler already does it. This only affected the non-JS form submission path.

Closes #3473

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com


[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: 7cdad0c67e2136733120d6331c8e55ffdf1bdae6
https://github.com/dreamwidth/dreamwidth/commit/7cdad0c67e2136733120d6331c8e55ffdf1bdae6
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M cgi-bin/DW/Controller/Manage/Profile.pm
  M views/manage/profile.tt

Log Message:


Fix inability to remove retired "other sites" from profile (#3475)

The profile edit page never showed legacy userprop-based services (like ICQ) because the template checked IF profile_accts which is always truthy (empty hash ref). Changed to IF profile_accts.size to match the logic in ProfilePage.pm. Also fixed the legacy branch's missing counter parameter and increment, and guarded against inserting empty rows when clearing a legacy entry.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com


[personal profile] github

Branch: refs/heads/main
Home: https://github.com/dreamwidth/dreamwidth
Commit: 27bf64affee672e39f361826ab22fa37d9d34a06
https://github.com/dreamwidth/dreamwidth/commit/27bf64affee672e39f361826ab22fa37d9d34a06
Author: Mark Smith mark@dreamwidth.org
Date: 2026-02-12 (Thu, 12 Feb 2026)

Changed paths:
  M cgi-bin/Apache/LiveJournal.pm
  M cgi-bin/Plack/Middleware/DW/SecurityHeaders.pm

Log Message:


Add Referrer-Policy: same-origin header to prevent username leaks

Fixes #3472

When users click external links from their reading page, the browser sends a Referer header containing their subdomain (e.g., bob.dreamwidth.org), allowing external sites to identify individual Dreamwidth users who clicked the link.

Adding Referrer-Policy: same-origin suppresses the Referer header for all cross-origin requests while preserving it for same-origin navigation. Since usernames are embedded in subdomains, weaker policies like origin-when-cross-origin or strict-origin would still leak the username.

Applied globally (not just reading pages) because external links can appear on any page -- entries, comments, profiles, etc.

Audited all Referer header usage in the codebase:
- LJ::check_referer() (used ~15 places for CSRF): safe, returns true when referer is absent
- Login ret=1 redirect: already broken (reads header_out not header_in)
- OpenID continue_to: returnto param is primary, referer is fallback
- EditIcons factory check: same-origin, unaffected
- Media hotlink protection: check_referer passes on empty referer
- VGift/Admin VGift: unaffected (same-origin or handles empty referer)
- Tracking management: minor cosmetic impact only (cancel button and viewing style args lost for cross-subdomain navigation)

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

To unsubscribe from these emails, change your notification settings at https://github.com/dreamwidth/dreamwidth/settings/notifications
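
The policy comparison in the Referrer-Policy commit message above, worked through as an added example (not code from the Dreamwidth repository): a simplified model of how a browser derives the Referer value under each policy, run on a constructed navigation away from bob.dreamwidth.org. The URLs, paths and function names are assumptions, and a "downgrade" is approximated as https to non-https.

```javascript
// Added example: simplified model of the browser's Referrer-Policy computation.
// Assumption: "downgrade" means an https source navigating to a non-https target.
function refererFor(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  src.hash = ""; src.username = ""; src.password = "";  // never sent in Referer
  const full = src.href;                  // scheme + host + path + query
  const originOnly = src.origin + "/";    // scheme + host only
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the Referer delivered to `to` carries the username as its subdomain label.
function leaksUsername(policy, from, to, username) {
  const ref = refererFor(policy, from, to);
  return ref !== null && new URL(ref).hostname.split(".")[0] === username;
}

// Constructed sample URLs (hypothetical paths, not taken from the commit).
const FROM = "https://bob.dreamwidth.org/read?page=2#top";
const EXTERNAL = "https://external.example/article";
const INTERNAL = "https://bob.dreamwidth.org/profile";
const SIBLING = "https://www.dreamwidth.org/manage/tracking";

// Compare the policy chosen in the commit with the weaker candidates it rejects.
function audit() {
  return ["same-origin", "strict-origin", "origin-when-cross-origin",
          "strict-origin-when-cross-origin"].map((policy) => ({
    policy,
    toExternal: refererFor(policy, FROM, EXTERNAL),
    toSameOrigin: refererFor(policy, FROM, INTERNAL),
    toSiblingSubdomain: refererFor(policy, FROM, SIBLING),
    leaksToExternal: leaksUsername(policy, FROM, EXTERNAL, "bob"),
  }));
}

console.table(audit());
```

The toSiblingSubdomain column shows the trade-off listed in the audit: another dreamwidth.org subdomain is a different origin, so same-origin drops the Referer there as well.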


Dreamwidth Changelog

Page generated Feb. 13th, 2026 01:11 pm