merged

2025-02-01 03:12:42 +01:00 · 2018-04-07 10:23:49 +01:00 · 2018-04-07 10:23:49 +01:00 · 6d5dc93dbf
commit 6d5dc93dbf
parent 76cd39d11a 0132f4d1da
21 changed files with 348 additions and 117 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,17 @@
 # 1.6.4
 * SECURITY: exploitable /admin access - CVE-2018-9845
 * SECURITY: DoS with pad exports - CVE-2018-9327
 * SECURITY: Remote Code Execution - CVE-2018-9326
 * SECURITY: Pad data leak - CVE-2018-9325
 * Fix: Admin redirect URL
 * Fix: Various script Fixes
 * Fix: Various CSS/Style/Layout fixes
 * NEW: Improved Pad contents readability
 * NEW: Hook: onAccessCheck
 * NEW: SESSIONKEY and APIKey customizable path
 * NEW: checkPads script
 * NEW: Support "cluster mode"
 # 1.6.3
 * SECURITY: Update ejs
 * SECURITY: xss vulnerability when reading window.location.href
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,4 +1,4 @@
-# Developer Guidelines
+# Contributor Guidelines
 (Please talk to people on the mailing list before you change this page, see our section on [how to get in touch](https://github.com/ether/etherpad-lite#get-in-touch))
 ## How to write a bug report
@ -35,7 +35,7 @@ The logfile location is defined in startup script or the log is directly shown i
 To make sure everybody is going in the same direction:
 * easy to install for admins and easy to use for people
 * easy to integrate into other apps, but also usable as standalone
-* using less resources on server side
+* lightweight and scalable
 * extensible, as much functionality should be extendable with plugins so changes don't have to be done in core.
 Also, keep it maintainable. We don't wanna end up as the monster Etherpad was!
@ -92,3 +92,19 @@ You can build the docs e.g. produce html, using `make docs`. At some point in th
 ## Testing
 Front-end tests are found in the `tests/frontend/` folder in the repository. Run them by pointing your browser to `<yourdomainhere>/tests/frontend`.
 ## Things you can help with
 Etherpad is much more than software.  So if you aren't a developer then worry not, there is still a LOT you can do!  A big part of what we do is community engagement.  You can help in the following ways
 * Triage bugs (applying labels) and confirming their existance
 * Testing fixes (simply applying them and seeing if it fixes your issue or not) - Some git experience required
 * Notifying large site admins of new releases
 * Writing Changelogs for releases
 * Creating Windows packages
 * Creating releases
 * Bumping dependencies periodically and checking they don't break anything
 * Write proposals for grants
 * Co-Author and Publish CVEs
 * Work with SFC to maintain legal side of project
 * Maintain TODO page - https://github.com/ether/etherpad-lite/wiki/TODO#IMPORTANT_TODOS
 * Replying to messages on IRC / The Mailing list / Emails
--- a/README.md
+++ b/README.md
@ -1,28 +1,43 @@
 ### This project is looking for a new project lead.  If you wish to help steer Etherpad forward please email contact@etherpad.org
 [![Deps](https://david-dm.org/ether/etherpad-lite.svg?branch=develop)](https://david-dm.org/ether/etherpad-lite)
 [![NSP Status](https://nodesecurity.io/orgs/etherpad/projects/635f6185-35c6-4ed7-931a-0bc62758ece7/badge)](https://nodesecurity.io/orgs/etherpad/projects/635f6185-35c6-4ed7-931a-0bc62758ece7)
 # A really-real time collaborative word processor for the web
-![alt text](https://i.imgur.com/zYrGkg3.gif "Etherpad in action on PrimaryPad")
+![Demo Etherpad Animated Jif](https://i.imgur.com/zYrGkg3.gif "Etherpad in action on PrimaryPad")
 # About
-Etherpad is a really-real time collaborative editor maintained by the Etherpad Community.
+Etherpad is a really-real time collaborative editor scalable to thousands of simultanious real time users.  Unlike all other collaborative tools Etherpad provides full fidelity data export and portability making it fully GDPR compliant.  
-Etherpad is written in JavaScript (99.9%) on both the server and client so it's easy for developers to maintain and add new features.  Because of this Etherpad has tons of customizations that you can leverage.
+**[Try it out](http://beta.etherpad.org)**
 Etherpad is designed to be easily embeddable and provides a [HTTP API](https://github.com/ether/etherpad-lite/wiki/HTTP-API)
 that allows your web application to manage pads, users and groups. It is recommended to use the [available client implementations](https://github.com/ether/etherpad-lite/wiki/HTTP-API-client-libraries) in order to interact with this API. 
 There is also a [jQuery plugin](https://github.com/ether/etherpad-lite-jquery-plugin) that helps you to embed Pads into your website.
 There's also a full-featured plugin framework, allowing you to easily add your own features.  By default your Etherpad is rather sparse and because Etherpad takes a lot of its inspiration from WordPress, plugins are really easy to install and update.  Once you have Etherpad installed you should visit the plugin page and take control.
 Finally, Etherpad comes with translations into most languages!  Users are automatically delivered the correct language for their local settings.
 **Visit [beta.etherpad.org](http://beta.etherpad.org) to test it live.**
 Also, check out the **[FAQ](https://github.com/ether/etherpad-lite/wiki/FAQ)**, really!
 # Installation
-Etherpad works with node v0.10+ (except 6.0 and 6.1).
+## Uber-Quick Ubuntu
 ```
 curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
 sudo apt-get install -y nodejs
 git clone https://github.com/ether/etherpad-lite.git && cd etherpad-lite && bin/run.sh
 ```
 ## GNU/Linux and other UNIX-like systems
 You'll need gzip, git, curl, libssl develop libraries, python and gcc.  
 - *For Debian/Ubuntu*: `apt install gzip git curl python libssl-dev pkg-config build-essential`  
 - *For Fedora/CentOS*: `yum install gzip git curl python openssl-devel && yum groupinstall "Development Tools"`
 - *For FreeBSD*: `portinstall node, npm, curl, git (optional)`
 Additionally, you'll need [node.js](https://nodejs.org) installed, Ideally the latest stable version, we recommend installing/compiling nodejs from source (avoiding apt).
 **As any user (we recommend creating a separate user called etherpad):**
 1. Move to a folder where you want to install Etherpad. Clone the git repository `git clone git://github.com/ether/etherpad-lite.git`
 2. Change into the new directory containing the cloned source code `cd etherpad-lite`
 Now, run `bin/run.sh` and open <http://127.0.0.1:9001> in your browser. 
 Update to the latest version with `git pull origin`. The next start with bin/run.sh will update the dependencies.
 [Next steps](#next-steps).
 ## Windows
@ -52,27 +67,6 @@ If cloning to a subdirectory within another project, you may need to do the foll
 2. Edit the db `filename` in `settings.json` to the relative directory with the file (e.g. `application/lib/etherpad-lite/var/dirty.db`)
 3. Add auto-generated files to the main project `.gitignore`
 [Next steps](#next-steps).
 ## GNU/Linux and other UNIX-like systems
 You'll need gzip, git, curl, libssl develop libraries, python and gcc.  
 - *For Debian/Ubuntu*: `apt install gzip git curl python libssl-dev pkg-config build-essential`  
 - *For Fedora/CentOS*: `yum install gzip git curl python openssl-devel && yum groupinstall "Development Tools"`
 - *For FreeBSD*: `portinstall node, npm, curl, git (optional)`
 Additionally, you'll need [node.js](https://nodejs.org) installed, Ideally the latest stable version, we recommend installing/compiling nodejs from source (avoiding apt).
 **As any user (we recommend creating a separate user called etherpad):**
 1. Move to a folder where you want to install Etherpad. Clone the git repository `git clone git://github.com/ether/etherpad-lite.git`
 2. Change into the new directory containing the cloned source code `cd etherpad-lite`
 Now, run `bin/run.sh` and open <http://127.0.0.1:9001> in your browser. 
 Update to the latest version with `git pull origin`. The next start with bin/run.sh will update the dependencies.
 You like it? [Next steps](#next-steps).
 # Next Steps
 ## Tweak the settings
@ -85,7 +79,7 @@ You should use a dedicated database such as "mysql", if you are planning on usin
 Etherpad is very customizable through plugins. Instructions for installing themes and plugins can be found in [the plugin wiki article](https://github.com/ether/etherpad-lite/wiki/Available-Plugins).
 ## Helpful resources
-The [wiki](https://github.com/ether/etherpad-lite/wiki) is your one-stop resource for Tutorials and How-to's, really check it out! Also, feel free to improve these wiki pages.
+The [wiki](https://github.com/ether/etherpad-lite/wiki) is your one-stop resource for Tutorials and How-to's.
 Documentation can be found in `doc/`.
@ -100,26 +94,38 @@ You can debug Etherpad using `bin/debugRun.sh`.
 If you want to find out how Etherpad's `Easysync` works (the library that makes it really realtime), start with this [PDF](https://github.com/ether/etherpad-lite/raw/master/doc/easysync/easysync-full-description.pdf) (complex, but worth reading).
-## Getting started
+## Contributing
-You know all this and just want to know how you can help?
+Read our [**Developer Guidelines**](https://github.com/ether/etherpad-lite/blob/master/CONTRIBUTING.md)
 Look at the [TODO list](https://github.com/ether/etherpad-lite/wiki/TODO) and our [Issue tracker](https://github.com/ether/etherpad-lite/issues). (Please consider using [jshint](http://www.jshint.com/about/), if you plan to contribute code.)
 Also, and most importantly, read our [**Developer Guidelines**](https://github.com/ether/etherpad-lite/blob/master/CONTRIBUTING.md), really!
 # Get in touch
-Join the [mailinglist](https://groups.google.com/group/etherpad-lite-dev) and make some noise on our busy freenode irc channel [#etherpad-lite-dev](https://webchat.freenode.net?channels=#etherpad-lite-dev)!
+[mailinglist](https://groups.google.com/group/etherpad-lite-dev)
 [#etherpad-lite-dev freenode IRC](https://webchat.freenode.net?channels=#etherpad-lite-dev)!
-# Modules created for this project
+# Languages
 Etherpad is written in JavaScript on both the server and client so it's easy for developers to maintain and add new features.
-* [ueberDB](https://github.com/Pita/ueberDB) "transforms every database into a object key value store" - manages all database access
+# HTTP API
-* [channels](https://github.com/Pita/channels) "Event channels in node.js" - ensures that ueberDB operations are atomic and in series for each key
+Etherpad is designed to be easily embeddable and provides a [HTTP API](https://github.com/ether/etherpad-lite/wiki/HTTP-API)
-* [async-stacktrace](https://github.com/Pita/async-stacktrace) "Improves node.js stacktraces and makes it easier to handle errors"
+that allows your web application to manage pads, users and groups. It is recommended to use the [available client implementations](https://github.com/ether/etherpad-lite/wiki/HTTP-API-client-libraries) in order to interact with this API. 
 # jQuery plugin 
 There is a [jQuery plugin](https://github.com/ether/etherpad-lite-jquery-plugin) that helps you to embed Pads into your website.
 # Plugin Framework
 Etherpad offers a plugin framework, allowing you to easily add your own features.  By default your Etherpad is extremely light-weight and it's up to you to customize your experience.  Once you have Etherpad installed you should visit the plugin page and take control.
 # Translations / Localizations  (i18n / l10n)
 Etherpad comes with translations into all languages thanks to the team at TranslateWiki.
 # FAQ
 Visit the **[FAQ](https://github.com/ether/etherpad-lite/wiki/FAQ)**.
 # Donate!
 * [Flattr](https://flattr.com/thing/71378/Etherpad-Foundation)
 * Paypal - Press the donate button on [etherpad.org](http://etherpad.org)
 * [Bitcoin](https://coinbase.com/checkouts/1e572bf8a82e4663499f7f1f66c2d15a)
 All donations go to the Etherpad foundation which is part of Software Freedom Conservency
 # License
 [Apache License v2](http://www.apache.org/licenses/LICENSE-2.0.html)
--- a/bin/checkAllPads.js
+++ b/bin/checkAllPads.js
@ -0,0 +1,145 @@
 /*
  This is a debug tool. It checks all revisions for data corruption
 */
 if(process.argv.length != 2)
 {
  console.error("Use: node bin/checkAllPads.js");
  process.exit(1);
 }
 //initalize the variables
 var db, settings, padManager;
 var npm = require("../src/node_modules/npm");
 var async = require("../src/node_modules/async");
 var Changeset = require("../src/static/js/Changeset");
 async.series([
  //load npm
  function(callback) {
    npm.load({}, callback);
  },
  //load modules
  function(callback) {
    settings = require('../src/node/utils/Settings');
    db = require('../src/node/db/DB');
    //initalize the database
    db.init(callback);
  },
  //load pads
  function (callback)
  {
    padManager = require('../src/node/db/PadManager');
    padManager.listAllPads(function(err, res)
    {
      padIds = res.padIDs;
      callback(err);
    });
  },
  function (callback)
  {
    async.forEach(padIds, function(padId, callback)
    {
        padManager.getPad(padId, function(err, pad) {
            if (err) {
                callback(err);
            }
            //check if the pad has a pool
            if(pad.pool === undefined )
            {
                console.error("[" + pad.id + "] Missing attribute pool");
                callback();
                return;
            }
            //create an array with key kevisions
            //key revisions always save the full pad atext
            var head = pad.getHeadRevisionNumber();
            var keyRevisions = [];
            for(var i=0;i<head;i+=100)
            {
                keyRevisions.push(i);
            }
            //run trough all key revisions
            async.forEachSeries(keyRevisions, function(keyRev, callback)
            {
                //create an array of revisions we need till the next keyRevision or the End
                var revisionsNeeded = [];
                for(var i=keyRev;i<=keyRev+100 && i<=head; i++)
                {
                    revisionsNeeded.push(i);
                }
                //this array will hold all revision changesets
                var revisions = [];
                //run trough all needed revisions and get them from the database
                async.forEach(revisionsNeeded, function(revNum, callback)
                {
                    db.db.get("pad:"+pad.id+":revs:" + revNum, function(err, revision)
                    {
                        revisions[revNum] = revision;
                        callback(err);
                    });
                }, function(err)
                {
                    if(err)
                    {
                        callback(err);
                        return;
                    }
                    //check if the revision exists
                    if (revisions[keyRev] == null) {
                        console.error("[" + pad.id + "] Missing revision " + keyRev);
                        callback();
                        return;
                    }
                    //check if there is a atext in the keyRevisions
                    if(revisions[keyRev].meta === undefined || revisions[keyRev].meta.atext === undefined)
                    {
                        console.error("[" + pad.id + "] Missing atext in revision " + keyRev);
                        callback();
                        return;
                    }
                    var apool = pad.pool;
                    var atext = revisions[keyRev].meta.atext;
                    for(var i=keyRev+1;i<=keyRev+100 && i<=head; i++)
                    {
                        try
                        {
                            //console.log("[" + pad.id + "] check revision " + i);
                            var cs = revisions[i].changeset;
                            atext = Changeset.applyToAText(cs, atext, apool);
                        }
                        catch(e)
                        {
                            console.error("[" + pad.id + "] Bad changeset at revision " + i + " - " + e.message);
                            callback();
                            return;
                        }
                    }
                    callback();
                });
            }, callback);
        });
    }, callback);
  }
 ], function (err)
 {
  if(err) throw err;
  else 
  { 
    console.log("finished");
    process.exit(0);
  }
 });
--- a/bin/cleanRun.sh
+++ b/bin/cleanRun.sh
@ -38,4 +38,4 @@ bin/installDeps.sh $* || exit 1
 echo "Started Etherpad..."
 SCRIPTPATH=`pwd -P`
-node $SCRIPTPATH/node_modules/ep_etherpad-lite/node/server.js $*
+node "${$SCRIPTPATH}/node_modules/ep_etherpad-lite/node/server.js" $*
--- a/bin/dirty-db-cleaner.py
+++ b/bin/dirty-db-cleaner.py
@ -1,4 +1,4 @@
-#!/usr/bin/python -u
+#!/usr/bin/env PYTHONUNBUFFERED=1 python2
 #
 # Created by Bjarni R. Einarsson, placed in the public domain. Go wild!
 #
--- a/bin/installOnWindows.bat
+++ b/bin/installOnWindows.bat
@ -8,7 +8,15 @@ cmd /C node -e "" || ( echo "Please install node.js ( https://nodejs.org )" && e
 echo _
 echo Ensure that all dependencies are up to date...  If this is the first time you have run Etherpad please be patient.
-cmd /C npm install src/ --loglevel warn || exit /B 1
+
 mkdir node_modules
 cd /D node_modules
 mklink /D "ep_etherpad-lite" "..\src"
 cd /D "ep_etherpad-lite"
 cmd /C npm install --loglevel warn || exit /B 1
 cd /D "%~dp0\.."
 echo _
 echo Copying custom templates...
--- a/doc/api/hooks_server-side.md
+++ b/doc/api/hooks_server-side.md
@ -108,6 +108,18 @@ Usage examples:
 * https://github.com/tiblu/ep_authorship_toggle
 ## onAccessCheck
 Called from: src/node/db/SecurityManager.js
 Things in context:
 1. padID - the pad the user wants to access
 2. password - the password the user has given to access the pad
 3. token - the token of the author
 4. sessionCookie - the session the use has
 This hook gets called when the access to the concrete pad is being checked. Return `false` to deny access.
 ## padCreate
 Called from: src/node/db/Pad.js
--- a/src/node/db/AuthorManager.js
+++ b/src/node/db/AuthorManager.js
@ -25,7 +25,7 @@ var customError = require("../utils/customError");
 var randomString = require('ep_etherpad-lite/static/js/pad_utils').randomString;
 exports.getColorPalette = function(){
-  return ["#ffc7c7", "#fff1c7", "#e3ffc7", "#c7ffd5", "#c7ffff", "#c7d5ff", "#e3c7ff", "#ffc7f1", "#ff8f8f", "#ffe38f", "#c7ff8f", "#8fffab", "#8fffff", "#8fabff", "#c78fff", "#ff8fe3", "#d97979", "#d9c179", "#a9d979", "#79d991", "#79d9d9", "#7991d9", "#a979d9", "#d979c1", "#d9a9a9", "#d9cda9", "#c1d9a9", "#a9d9b5", "#a9d9d9", "#a9b5d9", "#c1a9d9", "#d9a9cd", "#4c9c82", "#12d1ad", "#2d8e80", "#7485c3", "#a091c7", "#3185ab", "#6818b4", "#e6e76d", "#a42c64", "#f386e5", "#4ecc0c", "#c0c236", "#693224", "#b5de6a", "#9b88fd", "#358f9b", "#496d2f", "#e267fe", "#d23056", "#1a1a64", "#5aa335", "#d722bb", "#86dc6c", "#b5a714", "#955b6a", "#9f2985", "#4b81c8", "#3d6a5b", "#434e16", "#d16084", "#af6a0e", "#8c8bd8"];
+  return ["#ffc7c7", "#fff1c7", "#e3ffc7", "#c7ffd5", "#c7ffff", "#c7d5ff", "#e3c7ff", "#ffc7f1", "#ffa8a8", "#ffe699", "#cfff9e", "#99ffb3", "#a3ffff", "#99b3ff", "#cc99ff", "#ff99e5", "#e7b1b1", "#e9dcAf", "#cde9af", "#bfedcc", "#b1e7e7", "#c3cdee", "#d2b8ea", "#eec3e6", "#e9cece", "#e7e0ca", "#d3e5c7", "#bce1c5", "#c1e2e2", "#c1c9e2", "#cfc1e2", "#e0bdd9", "#baded3", "#a0f8eb", "#b1e7e0", "#c3c8e4", "#cec5e2", "#b1d5e7", "#cda8f0", "#f0f0a8", "#f2f2a6", "#f5a8eb", "#c5f9a9", "#ececbb", "#e7c4bc", "#daf0b2", "#b0a0fd", "#bce2e7", "#cce2bb", "#ec9afe", "#edabbd", "#aeaeea", "#c4e7b1", "#d722bb", "#f3a5e7", "#ffa8a8", "#d8c0c5", "#eaaedd", "#adc6eb", "#bedad1", "#dee9af", "#e9afc2", "#f8d2a0", "#b3b3e6"];
 };
 /**
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@ -22,6 +22,7 @@
 var ERR = require("async-stacktrace");
 var async = require("async");
 var authorManager = require("./AuthorManager");
 var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks.js");
 var padManager = require("./PadManager");
 var sessionManager = require("./SessionManager");
 var settings = require("../utils/Settings");
@ -45,6 +46,14 @@ exports.checkAccess = function (padID, sessionCookie, token, password, callback)
    return;
  }
  // allow plugins to deny access
  var deniedByHook = hooks.callAll("onAccessCheck", {'padID': padID, 'password': password, 'token': token, 'sessionCookie': sessionCookie}).indexOf(false) > -1;
  if(deniedByHook)
  {
    callback(null, {accessStatus: "deny"});
    return;
  }
  // a valid session is required (api-only mode)
  if(settings.requireSession)
  {
--- a/src/node/handler/APIHandler.js
+++ b/src/node/handler/APIHandler.js
@ -24,17 +24,19 @@ var fs = require("fs");
 var api = require("../db/API");
 var padManager = require("../db/PadManager");
 var randomString = require("../utils/randomstring");
 var argv = require('../utils/Cli').argv;
 //ensure we have an apikey
 var apikey = null;
 var apikeyFilename = argv.apikey || "./APIKEY.txt";
 try
 {
-  apikey = fs.readFileSync("./APIKEY.txt","utf8");
+  apikey = fs.readFileSync(apikeyFilename,"utf8");
 }
 catch(e)
 {
  apikey = randomString(32);
-  fs.writeFileSync("./APIKEY.txt",apikey,"utf8");
+  fs.writeFileSync(apikeyFilename,apikey,"utf8");
 }
 //a list of all functions
--- a/src/node/handler/ImportHandler.js
+++ b/src/node/handler/ImportHandler.js
@ -90,7 +90,7 @@ exports.doImport = function(req, res, padId)
    //this allows us to accept source code files like .c or .java
    function(callback) {
      var fileEnding = path.extname(srcFile).toLowerCase()
-        , knownFileEndings = [".txt", ".doc", ".docx", ".pdf", ".odt", ".html", ".htm", ".etherpad"]
+        , knownFileEndings = [".txt", ".doc", ".docx", ".pdf", ".odt", ".html", ".htm", ".etherpad", ".rtf"]
        , fileEndingKnown = (knownFileEndings.indexOf(fileEnding) > -1);
      //if the file ending is known, continue as normal
--- a/src/node/hooks/express/admin.js
+++ b/src/node/hooks/express/admin.js
@ -2,7 +2,7 @@ var eejs = require('ep_etherpad-lite/node/eejs');
 exports.expressCreateServer = function (hook_name, args, cb) {
  args.app.get('/admin', function(req, res) {
-    if('/' != req.path[req.path.length-1]) return res.redirect('/admin/');
+    if('/' != req.path[req.path.length-1]) return res.redirect('./admin/');
    res.send( eejs.require("ep_etherpad-lite/templates/admin/index.html", {}) );
  });
 }
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -36,13 +36,16 @@ exports.basicAuth = function (req, res, next) {
      var userpass = new Buffer(req.headers.authorization.split(' ')[1], 'base64').toString().split(":")
      var username = userpass.shift();
      var password = userpass.join(':');
-
+      var fallback = function(success) {
-      if (settings.users[username] != undefined && settings.users[username].password === password) {
+        if (success) return cb(true);
        if (settings.users[username] != undefined && settings.users[username].password == password) {
          settings.users[username].username = username;
          req.session.user = settings.users[username];
          return cb(true);
        }
-      return hooks.aCallFirst("authenticate", {req: req, res:res, next:next, username: username, password: password}, hookResultMangle(cb));
+        return cb(false);
      };
      return hooks.aCallFirst("authenticate", {req: req, res:res, next:next, username: username, password: password}, hookResultMangle(fallback));
    }
    hooks.aCallFirst("authenticate", {req: req, res:res, next:next}, hookResultMangle(cb));
  }
@ -126,4 +129,3 @@ exports.expressConfigure = function (hook_name, args, cb) {
  args.app.use(exports.basicAuth);
 }
--- a/src/node/utils/Cli.js
+++ b/src/node/utils/Cli.js
@ -39,5 +39,15 @@ for ( var i = 0; i < argv.length; i++ ) {
    exports.argv.credentials = arg;
  }
  // Override location of settings.json file
  if ( prevArg == '--sessionkey' || prevArg == '-k' ) {
    exports.argv.sessionkey = arg;
  }
  // Override location of settings.json file
  if ( prevArg == '--apikey' || prevArg == '-k' ) {
    exports.argv.apikey = arg;
  }
  prevArg = arg;
 }
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@ -476,11 +476,12 @@ exports.reloadSettings = function reloadSettings() {
  }
  if (!exports.sessionKey) {
    var sessionkeyFilename = argv.sessionkey || "./SESSIONKEY.txt";
    try {
-      exports.sessionKey = fs.readFileSync("./SESSIONKEY.txt","utf8");
+      exports.sessionKey = fs.readFileSync(sessionkeyFilename,"utf8");
    } catch(e) {
      exports.sessionKey = randomString(32);
-      fs.writeFileSync("./SESSIONKEY.txt",exports.sessionKey,"utf8");
+      fs.writeFileSync(sessionkeyFilename,exports.sessionKey,"utf8");
    }
  } else {
    console.warn("Declaring the sessionKey in the settings.json is deprecated. This value is auto-generated now. Please remove the setting from the file.");
--- a/src/package.json
+++ b/src/package.json
@ -17,7 +17,7 @@
                      "etherpad-require-kernel" : "1.0.9",
                      "resolve"                 : "1.1.7",
                      "socket.io"               : "1.7.3",
-                      "ueberdb2"                : "0.3.6",
+                      "ueberdb2"                : "0.3.8",
                      "express"                 : "4.13.4",
                      "express-session"         : "1.13.0",
                      "cookie-parser"           : "1.3.4",
@ -28,7 +28,7 @@
                      "log4js"                  : "0.6.35",
                      "cheerio"                 : "0.20.0",
                      "async-stacktrace"        : "0.0.2",
-                      "npm"                     : "4.0.2",
+                      "npm"                     : ">=4.0.2",
                      "ejs"                     : "2.5.7",
                      "graceful-fs"             : "4.1.3",
                      "slide"                   : "1.1.6",
@ -55,6 +55,6 @@
  "repository"     : { "type" : "git",
                       "url" : "http://github.com/ether/etherpad-lite.git"
                     },
-  "version"        : "1.6.3",
+  "version"        : "1.6.4",
  "license"        : "Apache-2.0"
 }
--- a/src/static/css/iframe_editor.css
+++ b/src/static/css/iframe_editor.css
@ -31,13 +31,17 @@ body {
 body.grayedout { background-color: #eee !important }
 #innerdocbody {
-  font-size: 12px; /* overridden by body.style */
+  font-size: 16px; /* overridden by body.style */
  font-family:Arial, sans-serif; /* overridden by body.style */
  line-height: 16px; /* overridden by body.style */
  background-color: white;
  color: black;
 }
 .innerdocbody>div{
  padding: 1px;
 }
 body.doesWrap {
  /* white-space: pre-wrap; */
@ -58,9 +62,11 @@ body.doesWrap {
  white-space: normal;
 }
-body.doesWrap:not(.noprewrap) > div{
+@-moz-document url-prefix() {
  body.doesWrap:not(.noprewrap) > div{
    /* Related to #1766 */
    white-space: pre-wrap;
  }
 }
 #innerdocbody {
--- a/src/static/css/pad.css
+++ b/src/static/css/pad.css
@ -3,8 +3,9 @@ html,
 body,
 p {
  margin: 0;
-  padding: 0;
+  padding: 0px;
 }
 .clear {
  clear: both
 }
@ -1071,9 +1072,9 @@ input[type=checkbox] {
      overflow: auto;
    }
    #mycolorpicker {
-      left: -73px;
+      left: 0px;
-      top:auto !important;
+      top:37px !important;
-      bottom:33px !important;
+      position:fixed;
      /* #mycolorpicker: width -#users: width */;
    }
    #editorcontainer {
--- a/src/static/js/ace2_inner.js
+++ b/src/static/js/ace2_inner.js
@ -5404,8 +5404,8 @@ function Ace2Inner(){
            // height is taken to be the top offset of the next line. If we
            // didn't do this special case, we would miss out on any top margin
            // included on the first line. The default stylesheet doesn't add
-            // extra margins, but plugins might.
+            // extra margins/padding, but plugins might.
-            h = b.nextSibling.offsetTop;
+            h = b.nextSibling.offsetTop - window.getComputedStyle(doc.body).getPropertyValue("padding-top");
          } else {
            h = b.nextSibling.offsetTop - b.offsetTop;
          }
--- a/src/templates/export_html.html
+++ b/src/templates/export_html.html
@ -139,6 +139,5 @@ ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol > ol {
 </head>
 <body>
 <%- body %>
 <div style="display:none"><a href="/javascript" data-jslicense="1">JavaScript license information</a></div>
 </body>
 </html>