libre-service.eu/pad.libre-service.eu-etherpad
libre-service.eu/pad.libre-service.eu-etherpad
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-01-19 14:13:34 +01:00
Code Issues Projects Releases Wiki Activity
8844 commits 206 branches 105 tags 123 MiB
Commit graph

210 commits

Author SHA1 Message Date
Richard Hansen
de0a450aec Docker: If DB_* env var is unset, remove the corresponding setting 2021-06-06 14:00:52 -04:00
Richard Hansen
428f8d1684 Settings: Deprecate null as the default default value 2021-06-06 14:00:52 -04:00
Richard Hansen
c7bb18c6da Settings: Support null and undefined env var substitutions 2021-06-06 14:00:51 -04:00
Richard Hansen
8384a7a67b deps: Bump ueberdb2 2021-04-20 21:56:44 +02:00
Richard Hansen
ea8846154f favicon: Redo favicon customization 2021-04-20 13:33:55 -04:00
webzwo0i
0e854a5892 fix wrong changelog entry 2021-03-22 17:26:55 +01:00
webzwo0i
826826bd37 add changelog for 1.8.13 2021-03-21 15:42:16 +00:00
John McLear
dabb4917ed
changelog 1.8.12 2021-03-05 07:27:31 +00:00
Richard Hansen
3667f2ca0e Ace2Inner: Fix missing spread operator on args 
This fixes a bug that was introduced in commit
c38c34bef4.
 2021-02-28 08:39:47 +00:00
Richard Hansen
16e6496eb4 deps: Update ueberdb2 to fix dirty DB bug 2021-02-28 08:03:20 +00:00
John McLear
c394577695
changelog 1.8.11 2021-02-27 16:45:02 +00:00
John McLear
6efa41ec23
update Changelog 1.9.10 2021-02-25 18:25:00 +00:00
John McLear
c6cd4c38fd
Update CHANGELOG.md 2021-02-22 09:46:14 +00:00
John McLear
bdb78adb3f Update CHANGELOG.md 2021-02-21 13:50:55 +00:00
Richard Hansen
63e876f53d docs: Start CHANGELOG for 1.8.9 2021-02-18 03:56:41 -05:00
John McLear
306e839bd8 docs: security notification 2021-02-15 12:45:31 -05:00
John McLear
b7e88cb904 security: New setting for Socket.IO maxHttpBufferSize 2021-02-15 12:45:31 -05:00
Richard Hansen
648e7c7342 docs: Mention improved import UX in CHANGELOG.md 2021-02-14 03:58:53 -05:00
Richard Hansen
e674d9789e
express: Change httpUptime to httpStartTime (#4777) 
It's better to provide a primitive value and let the consumer of the
metric do math if desired.

Co-authored-by: John McLear <john@mclear.co.uk>
 2021-02-14 07:50:10 +00:00
John McLear
13a0b0688f
docs: changelog update (#4776) 
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
 2021-02-14 01:16:41 -05:00
Richard Hansen
ac52fb8a9d express: New httpUptime metric 2021-02-13 10:02:28 +00:00
Richard Hansen
50929fe7f7 express: Call expressConfigure, expressCreateServer hooks asynchronously 2021-02-12 07:08:51 +00:00
Richard Hansen
2301c6ec83 pad: Don't throw on socket.io error 2021-02-11 17:25:09 +00:00
John McLear
5d96cf9754
changelog 1.8.8 (#4725) 
* changelog 1.8.8

* for squash: refine changelog

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
 2021-02-07 22:24:19 +00:00
John McLear
2ea8ea1275 restructure: move bin/ and tests/ to src/ 
Also add symlinks from the old `bin/` and `tests/` locations to avoid
breaking scripts and other tools.

Motivations:

  * Scripts and tests no longer have to do dubious things like:

        require('ep_etherpad-lite/node_modules/foo')

    to access packages installed as dependencies in
    `src/package.json`.

  * Plugins can access the backend test helper library in a non-hacky
    way:

        require('ep_etherpad-lite/tests/backend/common')

  * We can delete the top-level `package.json` without breaking our
    ability to lint the files in `bin/` and `tests/`.

    Deleting the top-level `package.json` has downsides: It will cause
    `npm` to print warnings whenever plugins are installed, npm will
    no longer be able to enforce a plugin's peer dependency on
    ep_etherpad-lite, and npm will keep deleting the
    `node_modules/ep_etherpad-lite` symlink that points to `../src`.

    But there are significant upsides to deleting the top-level
    `package.json`: It will drastically speed up plugin installation
    because `npm` doesn't have to recursively walk the dependencies in
    `src/package.json`. Also, deleting the top-level `package.json`
    avoids npm's horrible dependency hoisting behavior (where it moves
    stuff from `src/node_modules/` to the top-level `node_modules/`
    directory). Dependency hoisting causes numerous mysterious
    problems such as silent failures in `npm outdated` and `npm
    update`. Dependency hoisting also breaks plugins that do:

        require('ep_etherpad-lite/node_modules/foo')
 2021-02-04 17:15:08 -05:00
freddii
ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear
0cc8405e9c Bump minimum required Node.js version to 10.17.0 
This makes it possible to use fs.promises.
 2021-01-30 17:00:40 -05:00
Richard Hansen
edbe6d5387 Bump ueberDB to get speed improvements 2021-01-11 09:23:08 +00:00
Richard Hansen
a55dd73f2b Typo fix: checkPlugins.js -> checkPlugin.js 2021-01-08 19:02:55 -05:00
John McLear
998c80607e changelog: updated changelog 2020-12-23 16:18:28 -05:00
Richard Hansen
b82bf5c726 Drop support for Internet Explorer 2020-12-19 19:13:31 +00:00
Richard Hansen
1ad9b1efbb Update CHANGELOG.md 
Add new entries and refine wording/formatting of existing entries.
 2020-11-10 07:22:22 +00:00
John McLear
89667f1d4f
update changelog for release (#4475) 2020-11-08 10:03:22 +00:00
John McLear
66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178) 
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
 2020-10-07 13:43:54 +01:00
Richard Hansen
34b232d658
Update CHANGELOG.md with the changes so far (#4393) 2020-10-06 09:16:21 +02:00
Richard Hansen
df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Stefan Mueller
299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
Stefan Mueller
5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
John McLear
2a28ff8526
Changelog (#4181) 2020-07-19 23:48:31 +01:00
John McLear
e22574c40f
Changelog 2020-06-10 15:43:09 +01:00
muxator
4365598658 release: prepare for 1.8.4 2020-05-15 02:09:18 +02:00
muxator
5e6af287a5 release: prepare for 1.8.3 2020-04-27 03:24:23 +02:00
muxator
684f374ece runtime: require node >= 10.13.0 LTS 
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.

Implements #3835.
Planned in #3650.
 2020-04-09 04:43:37 +02:00
John McLear
babf67175c undomodule: disallow undoing "clear authorship colors" 
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
 2020-04-08 15:20:37 +02:00
muxator
a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie 
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
 2019-12-07 04:36:01 +01:00
ahmadine
0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible 
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
 2019-11-25 00:05:40 +01:00
muxator
7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00
muxator
4f53b35bcb changelog: reflect the fact that next release will be 1.8-beta.1 
This change should have been part of 84479851fe.
 2019-11-02 23:37:01 +01:00
muxator
55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator
705cc6f5e4 Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00
muxator
a6656102d8 CHANGELOG.md: link to https://translatewiki.net instead of plain http 2019-04-16 00:53:00 +02:00
muxator
4f0a2785da release: prepare for 1.7.5 
Written the changelog and updated package.json.
 2019-01-26 00:16:03 +01:00
muxator
4408a1e505 release: prepare for 1.7.0 
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
 2018-08-17 00:18:31 +02:00
muxator
60c1036ecb
changelog: put <ol> in backticks 
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
 2018-07-20 12:33:45 +02:00
muxator
bfec44e346 Release version 1.6.6 2018-05-05 00:53:59 +02:00
muxator
e13ae0aec5 changelog: better specified CVE description 
Previous commit was wrong.
Fixes #3372, really.
 2018-05-04 23:24:58 +02:00
muxator
10d555bc91 changelog: better specified CVE description 
fixes #3372
 2018-05-04 23:15:22 +02:00
muxator
3eb3e301a2 manually updated CHANGELOG.md 
due to createRelease.sh not catching an error from sed and continuing:
   sed: -e expression #1, char 66: unterminated `s' command
 2018-04-10 00:50:28 +02:00
John McLear
0132f4d1da Include CVE # 2018-04-07 10:13:09 +01:00
John McLear
c34350f307 Beginning to make release 2018-04-07 09:22:13 +01:00
Stefan
1e25e7fc77 Release version 1.6.3 2018-02-03 12:57:22 +01:00
Stefan (Gared)
e84c696225 Updated CHANGELOG.md 2017-11-04 17:38:59 +01:00
Jonah Duckles
fcde66050e Fix markdown H1 2017-05-30 13:34:07 +12:00
Stefan
9f51432175 Update CHANGELOG.md 2016-12-23 22:12:18 +01:00
Stefan
5ed9f2736a Add version 1.6.0 changelogs 2016-04-24 21:32:21 +02:00
Stefan
6fae670476 Release version 1.5.7 (changelog) 2015-08-05 19:25:11 +02:00
Stefan
2393ea01f0 Release version 1.5.6 2015-04-16 23:06:24 +02:00
Stefan
64d94cb346 Release version 1.5.5 2015-04-13 17:27:14 +02:00
Stefan
1b9a51c879 Release version 1.5.4 2015-04-11 10:19:02 +02:00
John McLear
fc60ddded1 changelog 2015-04-10 22:23:07 +01:00
Stefan
c0260bcc40 Add changelog for v1.5.2 2015-03-15 14:28:47 +01:00
Stefan
c80a64a379 Update CHANGELOG.md 2015-01-24 19:24:20 +01:00
John McLear
af7cd91a82 formatting 2015-01-24 15:14:19 +00:00
John McLear
e41b3ae0a3 updated CL 2015-01-24 15:13:26 +00:00
John McLear
95af55992a changelog 2015-01-01 17:13:50 +00:00
John McLear
2530bf0a86 add changelog and bump v number 2014-09-06 17:25:09 +01:00
John McLear
e23af7e439 changelog, package file and fix for redo 2014-03-26 15:44:04 +00:00
Marcel Klehr
e8c69a5474 Update changelog and bump version 2013-10-21 20:18:16 +02:00
Marcel Klehr
b9cc91e6ad Update CHANGELOG 2013-10-12 20:35:23 +02:00
Marcel Klehr
74bc2bd761 Prepare release 2013-10-12 14:16:06 +02:00
John McLear
ba1a5da76d bump and changelog 2013-06-24 13:35:17 +01:00
John McLear
4989f56673 undo avoid changeset spam as it breaks functionality 2013-04-15 14:36:25 +01:00
John McLear
2c8699506d push express back as it breaks sessions 2013-04-15 12:21:10 +01:00
John McLear
b137f301e2 MAGIQ 2013-04-11 18:34:40 +01:00
John McLear
f4123d2904 bump v and readme 2013-04-11 17:04:54 +01:00
John McLear
35d84144db changelog and package file 2013-04-04 00:59:51 +01:00
John McLear
af80e37ac7 missed this one.. 2013-03-23 15:03:56 +00:00
John McLear
ab2e805aa0 changelog 2013-03-23 14:50:00 +00:00
Marcel Klehr
54433db47f release v1.2.9 2013-03-15 21:43:29 +01:00
John McLear
0c9214bb27 bump v and changelog 2013-03-06 15:08:27 +00:00
John McLear
7f9a51e614 changelog 2013-03-05 13:33:09 +00:00
John McLear
c37875e09a update changelog 2013-02-18 19:33:31 +00:00
John McLear
fb97920163 update changelog 2013-02-18 19:32:07 +00:00
John McLear
3325aa8468 bit of info about deps 2013-02-10 21:15:00 +00:00
John McLear
d7992a1366 begin putting files together for a release 2013-02-10 21:13:51 +00:00
John McLear
594d53ee8b changelog and package file 2013-01-30 14:58:23 +00:00
John McLear
10c2ac2a69 have a nice changelog makes it easier for when we release 2013-01-28 21:52:14 +00:00
John McLear
4b5d993f0d bump v and create CHANGELOG 2013-01-20 13:45:16 +00:00
John McLear
292db5fc44 prepare for release 2013-01-18 13:29:43 +00:00
John McLear
fadfa6772e changelog and package file 2013-01-07 19:31:29 +00:00
Marcel Klehr
53459fe160 release v1.2.3 2012-12-31 15:57:16 +01:00
John McLear
b681359dfa bump version # in package and update CHANGELOG 2012-12-27 20:09:14 +00:00
johnyma22
a75d17f55a More stuff into changelog 2012-11-21 18:48:33 +00:00
johnyma22
064051a30d Bump stuff to 1.2.1 2012-11-21 18:20:54 +00:00
Marcel Klehr
6d2391dba6 Fix version number in changelog and package.json 2012-11-14 22:02:40 +01:00
johnyma22
6ede651813 v1.2 news into changelog 2012-11-14 19:30:46 +00:00
Marcel Klehr
9cec0391e2 Improve changelog v1.1.5 2012-10-31 16:15:12 +01:00
johnyma22
de1c271776 CHANGELOG stuff 2012-10-30 13:54:49 +00:00
John McLear
afb868fd2b Update CHANGELOG.md 2012-05-30 00:20:03 +02:00
Peter 'Pita' Martischka
7e4bba0e31 started a changelog 2011-08-23 18:59:32 +01:00