* Change systemPreferences.isDarkMode() to nativeTheme.shouldUseDarkColors
* Remove vibrancy parameter to BrowserWindow
* Update curve25519-n; removes context-aware deprecation warning
* Set app.allowRendererProcessReuse = true to remove warning
* Move from deprecated setters to direct property set
* Serialized sender certificates: Store less, store plain object
* isMenuBarAutoHide -> autoHideMenuBar
* UUID: Fix sealed sender indicator on message details screen
* Data._cleanData: Remove function keys, handle null in array
Also:
- run _cleanData when saving attachment download jobs
- remove job from jobs table when the send itself throws error
* _cleanData: Don't dig into strings, booleans, or numbers
* getPropsForMessageDetail: Make it clear what we're reducing
Co-authored-by: Ken Powers <ken@signal.org>
* writeToDownloads: Add missing await
* Remove window.isFocused() - not used anywhere!
* Update typescript, p-queue, make necessary changes to fix build
* Slow down sender certificate retries with no existing cert
* Slow down signed prekey refreshes when unlinked - 5s -> 5m
* Update protobufjs to 4.1.2
* If focus was set to document.body during archive, focus left pane
* Shortcut Guide: Add space between text and shortcut highlight
* Ensure that draft attachment can be closed with click on X button
* Move to keyDown event for user idle checking
* Additional resiliency around avatars; check for them on on-disk
* Increase timeouts to preserve websocket connection
* On startup, be resilient to malformed JSON in log files
* Don't crash if shell.openExternal returns an error
* Whenever we request a contact/group sync, also request block list
* Avatar popup: Ensure styling is mouse- and keyboard-appropriate
* MainHeader: Create popperRoot on demand, not on mount
* CompositionInput: Disable default Ctrl-/ shortcut
* Update libphonenumber
The `SUPPORTED_MEDIA_DOMAINS` regex whitelist, used to check if media link comes from trusted hosts is invalid. It does not expose a security risk or I couldn't find an example for such as of now, but if someone would add a subdomain host to it using the same pattern, it would.
A counter example below:
```js
const SUPPORTED_MEDIA_DOMAINS = /^([^.]+\.)*(ytimg.com|cdninstagram.com|redd.it|imgur.com|fbcdn.net|pinimg.com)$/i;
console.log('Testing redd.it: ' + SUPPORTED_MEDIA_DOMAINS.test('redd.it'));
console.log('Testing reddjit: ' + SUPPORTED_MEDIA_DOMAINS.test('reddjit'));
```
Output:
```
$ node example.js
Testing redd.it: true
Testing reddjit: true
```
---
To be more clear, if someone would extend the regex in the future with e.g. `media.redd.it`, an attacker would be able to create a `mediaXredd.it` domain and bypass the whitelist.
---
A visualisation of the incorrect regex can be found on https://regexper.com/#%5E%28%5B%5E.%5D%2B%5C.%29*%28ytimg.com%7Ccdninstagram.com%7Credd.it%7Cimgur.com%7Cfbcdn.net%7Cpinimg.com%29%24
The issue has been found with LGTM: b626ef0b64/files/js/modules/link_previews.js (xdabadfc2bf20f0c3):1
* Add new requiredProtocolVersion field to DataMessage
* Message.requiredProtocolVersion, warning if version mot supported
* Update strings; limit width; new left pane preview text
* Handle incoming padded attachments
* Attachments v2 - multipart form POST, and direct CDN GET access
* Pad outgoing attachments before encryption (disabled for now)
Remove Android length warning
Handle incoming long message attachments
Show long download pending status in message bubble
Fix the width of the smallest spinner
Remove Android length warning from HTML templates
