This is a fix for public messages, where a malicious pod could spoof a message from someone a user was connected to, as the verified signatures were not checked to confirm that the object was also from said sender. This hole only affected public messages, and the private part of the code had the correct checks.
Thanks to s-f-s (Stephan Schulz) for reporting and tracking down this issue, and props to Raven24 (florian.staudacher@gmx.at) for helping me test the patch.
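The class of bug the fix above describes, shown as an added, constructed example (this is not Diaspora's code; the handles, the in-memory `KEYS` lookup standing in for fetching a pod user's public key, and the JSON envelope shape are all assumptions). A valid signature only proves which key signed the envelope; the object inside still has to be checked against that sender before its `author` field can be trusted:

```ruby
require "openssl"
require "json"
require "base64"

# Constructed stand-in for "look up the public key behind this handle".
# Hypothetical; a real pod would fetch the remote user's key.
KEYS = {
  "friend@good.example"   => OpenSSL::PKey::RSA.new(2048),
  "attacker@evil.example" => OpenSSL::PKey::RSA.new(2048),
}

DIGEST = "SHA256"

# Sign a payload with the key of `sender`; the envelope records who signed it.
def build_envelope(sender, payload_hash)
  data = JSON.generate(payload_hash)
  sig  = KEYS.fetch(sender).sign(OpenSSL::Digest.new(DIGEST), data)
  { "sender" => sender, "data" => data, "signature" => Base64.strict_encode64(sig) }
end

# Step one in both variants: the signature must verify under the public key
# that belongs to the envelope's sender.
def signature_valid?(env)
  pub = KEYS[env["sender"]]&.public_key
  return false unless pub
  pub.verify(OpenSSL::Digest.new(DIGEST),
             Base64.strict_decode64(env["signature"]), env["data"])
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# The flawed acceptance logic the commit describes: a valid signature was
# taken as enough, so whatever "author" the object claimed was trusted.
def accept_flawed(env)
  return nil unless signature_valid?(env)
  JSON.parse(env["data"])
end

# Hardened: the object is accepted only if the author it names is the same
# identity whose key verified the envelope.
def accept_hardened(env)
  return nil unless signature_valid?(env)
  obj = JSON.parse(env["data"])
  return nil unless obj["author"] == env["sender"]
  obj
end

# Constructed scenario: a pod under the attacker's control signs, with the
# attacker's own key, an object whose author field names a user elsewhere.
def spoofed_envelope
  build_envelope("attacker@evil.example",
                 { "author" => "friend@good.example", "text" => "constructed spoof" })
end

def legitimate_envelope
  build_envelope("friend@good.example",
                 { "author" => "friend@good.example", "text" => "constructed legit post" })
end

if __FILE__ == $PROGRAM_NAME
  puts "flawed accepts spoof:    #{!accept_flawed(spoofed_envelope).nil?}"
  puts "hardened accepts spoof:  #{!accept_hardened(spoofed_envelope).nil?}"
  puts "hardened accepts legit:  #{!accept_hardened(legitimate_envelope).nil?}"
end
```

The flawed path accepts the spoofed object because the signature really is valid, just not from the claimed author; the hardened path rejects it and still accepts a post the author signed themselves. A tampered payload fails at the signature step in both variants.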

* Move all Diaspora-specific javascripts to app/assets/javascripts
* Move all vendored javascripts to vendor/assets/javascripts
* Add the appropriate Sprockets require directives to make sure everything gets included in the right order
* Remove Jammit dependencies
* Fix all templates that were using Jammit's include_javascripts helper
* Add handlebars_assets gem for compiling Handlebars templates
* Move all Handlebars templates to app/assets/templates and rename from .handlebars to .jst.hbs (this is to keep them in the same global JST namespace that they were in under Jammit)
* Add public/assets to .gitignore since these files can and should be re-generated by Heroku or Capistrano during each deploy
* Fix a few Handlebars templates that were looking for images in the wrong location (I'm sure there are others, but it's late)
* Configure application.rb to precompile all javascript and css assets that were compiled by Jammit in the Rails 3.0 code