Richard Hansen
1e604add99
deps: Require Node.js 12.17.0 or later
...
This makes it possible to use dynamic `import()`.
2022-01-27 01:27:10 -05:00
Richard Hansen
692749d1cf
express-session: Extend session lifetime if user is active
2022-01-17 21:45:56 -05:00
Richard Hansen
023e58cfe6
express-session: Set a finite cookie lifetime
2022-01-17 21:45:56 -05:00
Richard Hansen
ec10700dff
express-session: Don't save uninitialized sessions
...
This should avoid frivolous session records, such as when the user
gets a 404 (unless login was required to see the 404).
2022-01-17 21:45:56 -05:00
Richard Hansen
945e6848e2
SessionStore: Delete DB record when session expires
...
This only deletes records known to the current Etherpad instance --
old records from previous runs are not automatically cleaned up.
2022-01-17 21:45:56 -05:00
Richard Hansen
02a56dc58c
PadMessageHandler: Allow handleMessageSecurity to grant one-time write access
2021-12-21 17:23:56 -05:00
Richard Hansen
31b025bd9d
PadMessageHandler: Pass session info to handleMessageSecurity hook
2021-12-21 17:23:56 -05:00
Richard Hansen
1b52c9f0c4
PadMessageHandler: Deprecate client context property
2021-12-21 17:23:56 -05:00
Richard Hansen
f1856cf95a
Docker: Use new /health endpoint for HEALTHCHECK
2021-12-21 17:19:56 -05:00
Richard Hansen
696f9c3367
specialpages: New /health endpoint for health checking
...
This endpoint is intended to conform with:
https://www.ietf.org/archive/id/draft-inadarei-api-health-check-06.html
2021-12-21 17:19:56 -05:00
Richard Hansen
649fbdccf5
express: Move static handlers to expressPreSession
...
This avoids the need to exempt the paths from authentication checks,
and it eliminates unnecessary express-session state.
2021-12-20 20:08:19 -05:00
Richard Hansen
72f4ae444d
express: New expressPreSession server-side hook
2021-12-20 20:08:19 -05:00
webzwo0i
8b73f2ee70
padurlsanitize: Don't crash if sanitizePadId() throws
...
Let Express send a 500 status code to the user instead.
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-12-18 18:47:01 -05:00
Richard Hansen
d94f380141
API: Fix race conditions in setText, appendText, restoreRevision
2021-12-14 01:02:00 -05:00
Richard Hansen
4d457f6296
ImportHandler: Pass ImportError to import hook
2021-12-10 02:34:13 -05:00
John McLear
6cca27dea6
API: getText with old revision should only return text, not atext
...
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-12-05 18:50:39 -05:00
Richard Hansen
99fae2ec6e
pad: Fix application of padOptions values from settings.json
2021-12-04 23:06:17 -05:00
Richard Hansen
f00b1ae89b
Merge branch 'master' into develop
2021-11-28 23:10:45 -05:00
Richard Hansen
142a47cbbc
Release v1.8.16
2021-11-28 23:03:58 -05:00
Richard Hansen
777d045246
GroupManager: Clean up any mappings when deleting a group
2021-11-28 14:06:47 +00:00
Richard Hansen
b7065eb9a0
Add notable enhancements/fixes to 1.8.15 changelog
2021-11-25 18:39:01 -05:00
Richard Hansen
bbd71cea22
Refine CHANGELOG.md
2021-11-25 18:39:01 -05:00
Richard Hansen
89fe40e080
Changeset: Migrate from OpIter to deserializeOps()
2021-11-23 01:21:49 -05:00
Richard Hansen
657492e191
Changeset: Turn newOp() into a real class
2021-11-23 01:21:12 -05:00
Richard Hansen
dab881139d
Pad: Fix copyPadWithoutHistory apool corruption bug
2021-11-22 18:40:22 -05:00
Richard Hansen
d74dd235a4
Changeset: Replace appendATextToAssembler() with a generator
2021-11-22 18:10:37 -05:00
Richard Hansen
f1eb7a25a6
Changeset: Migrate to the new attribute API
2021-11-21 04:11:41 -05:00
Richard Hansen
6cf2055199
Changeset: New API to simplify attribute processing
2021-11-21 04:11:41 -05:00
Richard Hansen
8274e01d34
Add notable enhancements/fixes to 1.8.15 changelog
2021-11-21 01:40:24 -05:00
Richard Hansen
978555653b
Refine CHANGELOG.md
2021-11-21 01:40:24 -05:00
John McLear
b540c2bc48
release: Add version to changelog
2021-11-19 15:27:40 +00:00
Richard Hansen
a65498e849
Changeset: Move SmartOpAssembler.appendOpWithText() to a standalone function
2021-11-14 04:17:00 -05:00
Richard Hansen
4a65c2c8ff
Changeset: Unexport unnecessarily exported functions
...
These functions aren't used outside of this file.
2021-11-13 17:44:38 -05:00
Richard Hansen
085bc8cbb3
plugins: Don't create .ep_initialized files
...
These files cause problems with Docker images and read-only
directories/mounts, and they have dubious value (any install-time
setup should instead be done at startup).
2021-11-13 17:43:33 -05:00
Richard Hansen
dd8ec4e291
Changeset: Remove unused lastIndex() method from op iterator
2021-11-07 23:24:39 -05:00
Richard Hansen
0fd2a46783
Changeset: Remove unused start index parameter for opIterator()
2021-11-07 23:24:39 -05:00
Richard Hansen
26675c5019
chat: New chatNewMessage server-side hook
2021-11-01 01:54:29 -04:00
Richard Hansen
9fbd2e5c3d
chat: New chatSendMessage client-side hook
2021-11-01 01:54:28 -04:00
Richard Hansen
f1f4ed7c58
chat: Allow chatNewMessage hook to control rendering
2021-11-01 01:54:28 -04:00
Richard Hansen
2597b940f4
chat: Give chatNewMessage hook access to the raw message object
2021-11-01 01:54:28 -04:00
Richard Hansen
e28c9ffc97
tests: Support injecting hook functions during pad load
2021-11-01 01:54:28 -04:00
Richard Hansen
9aaf781548
PadMessageHandler: Modernize userLeave hook context properties
2021-10-30 03:07:44 -04:00
Richard Hansen
a6d060d67b
PadMessageHandler: Replace clientReady hook with new userJoin hook
2021-10-30 03:07:44 -04:00
Richard Hansen
5cbbcbcee6
pad: Simplify reload after .etherpad import
...
The old "switch to pad" logic looked buggy, and it complicates pad
initialization. Forcing a refresh after importing an `.etherpad` file
isn't much of a UX downgrade.
2021-10-29 19:27:33 -04:00
Richard Hansen
aec619cc0b
log4js: Deprecate the logconfig setting
...
This will make it possible to upgrade log4js in a future version.
2021-09-28 04:30:26 -04:00
webzwo0i
dbd76f0c5d
export: Don't leak writeable pad ID when exporting
...
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-09-15 18:32:06 -04:00
Richard Hansen
0d65dc8a44
pad: Add clientVars to postAceInit hook context
...
This allows plugins to avoid the `clientVars` global variable.
2021-08-25 14:59:17 -04:00
Richard Hansen
c816c20bc7
HTML import: Replace cheerio with jsdom to simplify contentcollector
...
Cheerio provides jQuery-like objects but they wrap DOM Node-like
objects that are not 100% API compatible with the DOM spec. Because of
this, contentcollector, which is used in browsers and in Node.js
during HTML import, has until now needed to support two different
APIs. This commit modifies HTML import to use jsdom instead of cheerio
and simplifies contentcollector.
2021-08-12 13:53:23 -04:00
webzwo0i
f55ccd2cdd
changelog 1.8.14
2021-07-04 07:01:07 +02:00
Richard Hansen
ef1ba21104
deps: Drop support for Node.js < 12.13.0
2021-06-14 23:17:17 +02:00
Richard Hansen
de0a450aec
Docker: If DB_* env var is unset, remove the corresponding setting
2021-06-06 14:00:52 -04:00
Richard Hansen
428f8d1684
Settings: Deprecate null as the default default value
2021-06-06 14:00:52 -04:00
Richard Hansen
c7bb18c6da
Settings: Support null and undefined env var substitutions
2021-06-06 14:00:51 -04:00
Richard Hansen
8384a7a67b
deps: Bump ueberdb2
2021-04-20 21:56:44 +02:00
Richard Hansen
ea8846154f
favicon: Redo favicon customization
2021-04-20 13:33:55 -04:00
webzwo0i
0e854a5892
fix wrong changelog entry
2021-03-22 17:26:55 +01:00
webzwo0i
826826bd37
add changelog for 1.8.13
2021-03-21 15:42:16 +00:00
John McLear
dabb4917ed
changelog 1.8.12
2021-03-05 07:27:31 +00:00
Richard Hansen
3667f2ca0e
Ace2Inner: Fix missing spread operator on args
...
This fixes a bug that was introduced in commit c38c34bef4.
2021-02-28 08:39:47 +00:00
Richard Hansen
16e6496eb4
deps: Update ueberdb2 to fix dirty DB bug
2021-02-28 08:03:20 +00:00
John McLear
c394577695
changelog 1.8.11
2021-02-27 16:45:02 +00:00
John McLear
6efa41ec23
update Changelog 1.9.10
2021-02-25 18:25:00 +00:00
John McLear
c6cd4c38fd
Update CHANGELOG.md
2021-02-22 09:46:14 +00:00
John McLear
bdb78adb3f
Update CHANGELOG.md
2021-02-21 13:50:55 +00:00
Richard Hansen
63e876f53d
docs: Start CHANGELOG for 1.8.9
2021-02-18 03:56:41 -05:00
John McLear
306e839bd8
docs: security notification
2021-02-15 12:45:31 -05:00
John McLear
b7e88cb904
security: New setting for Socket.IO maxHttpBufferSize
2021-02-15 12:45:31 -05:00
Richard Hansen
648e7c7342
docs: Mention improved import UX in CHANGELOG.md
2021-02-14 03:58:53 -05:00
Richard Hansen
e674d9789e
express: Change httpUptime to httpStartTime (#4777)
...
It's better to provide a primitive value and let the consumer of the
metric do math if desired.
Co-authored-by: John McLear <john@mclear.co.uk>
2021-02-14 07:50:10 +00:00
John McLear
13a0b0688f
docs: changelog update (#4776)
...
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-14 01:16:41 -05:00
Richard Hansen
ac52fb8a9d
express: New httpUptime metric
2021-02-13 10:02:28 +00:00
Richard Hansen
50929fe7f7
express: Call expressConfigure, expressCreateServer hooks asynchronously
2021-02-12 07:08:51 +00:00
Richard Hansen
2301c6ec83
pad: Don't throw on socket.io error
2021-02-11 17:25:09 +00:00
John McLear
5d96cf9754
changelog 1.8.8 (#4725)
...
* changelog 1.8.8
* for squash: refine changelog
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-07 22:24:19 +00:00
John McLear
2ea8ea1275
restructure: move bin/ and tests/ to src/
...
Also add symlinks from the old `bin/` and `tests/` locations to avoid
breaking scripts and other tools.
Motivations:
* Scripts and tests no longer have to do dubious things like:
require('ep_etherpad-lite/node_modules/foo')
to access packages installed as dependencies in
`src/package.json`.
* Plugins can access the backend test helper library in a non-hacky
way:
require('ep_etherpad-lite/tests/backend/common')
* We can delete the top-level `package.json` without breaking our
ability to lint the files in `bin/` and `tests/`.
Deleting the top-level `package.json` has downsides: It will cause
`npm` to print warnings whenever plugins are installed, npm will
no longer be able to enforce a plugin's peer dependency on
ep_etherpad-lite, and npm will keep deleting the
`node_modules/ep_etherpad-lite` symlink that points to `../src`.
But there are significant upsides to deleting the top-level
`package.json`: It will drastically speed up plugin installation
because `npm` doesn't have to recursively walk the dependencies in
`src/package.json`. Also, deleting the top-level `package.json`
avoids npm's horrible dependency hoisting behavior (where it moves
stuff from `src/node_modules/` to the top-level `node_modules/`
directory). Dependency hoisting causes numerous mysterious
problems such as silent failures in `npm outdated` and `npm
update`. Dependency hoisting also breaks plugins that do:
require('ep_etherpad-lite/node_modules/foo')
2021-02-04 17:15:08 -05:00
freddii
ea202e41f6
docs: fixed typos
2021-02-03 00:30:07 +01:00
John McLear
0cc8405e9c
Bump minimum required Node.js version to 10.17.0
...
This makes it possible to use fs.promises.
2021-01-30 17:00:40 -05:00
Richard Hansen
edbe6d5387
Bump ueberDB to get speed improvements
2021-01-11 09:23:08 +00:00
Richard Hansen
a55dd73f2b
Typo fix: checkPlugins.js -> checkPlugin.js
2021-01-08 19:02:55 -05:00
John McLear
998c80607e
changelog: updated changelog
2020-12-23 16:18:28 -05:00
Richard Hansen
b82bf5c726
Drop support for Internet Explorer
2020-12-19 19:13:31 +00:00
Richard Hansen
1ad9b1efbb
Update CHANGELOG.md
...
Add new entries and refine wording/formatting of existing entries.
2020-11-10 07:22:22 +00:00
John McLear
89667f1d4f
update changelog for release (#4475)
2020-11-08 10:03:22 +00:00
John McLear
66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
...
This will be a breaking change for some people.
We removed all internal password control logic. If this affects you, you have two options:
1. Use a plugin for authentication and use session based pad access (recommended).
2. Use a plugin for password setting.
The reasoning for removing this feature is to reduce the overall security footprint of Etherpad. It is unnecessary and cumbersome to keep this feature, and with the thousands of authentication methods available in the world our focus should be on supporting those and allowing more granular access based on their implementations (instead of half-assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen
34b232d658
Update CHANGELOG.md with the changes so far (#4393)
2020-10-06 09:16:21 +02:00
Richard Hansen
df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318)
2020-09-20 19:21:46 +00:00
Stefan Mueller
299bd962b6
Update version to 1.8.6 and add changelog information
2020-09-18 21:14:19 +02:00
Stefan Mueller
5e03a3b0fe
Set changelog information for new version
2020-09-08 22:10:27 +02:00
John McLear
2a28ff8526
Changelog (#4181)
2020-07-19 23:48:31 +01:00
John McLear
e22574c40f
Changelog
2020-06-10 15:43:09 +01:00
muxator
4365598658
release: prepare for 1.8.4
2020-05-15 02:09:18 +02:00
muxator
5e6af287a5
release: prepare for 1.8.3
2020-04-27 03:24:23 +02:00
muxator
684f374ece
runtime: require node >= 10.13.0 LTS
...
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.
Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
John McLear
babf67175c
undomodule: disallow undoing "clear authorship colors"
...
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.
This is a change of behaviour, and is documented in the changelog.
Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
muxator
a817acbbcc
security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
...
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.
The "secure" flag is set if one of these is true:
1. we are directly serving Etherpad over SSL using the native nodejs
functionality, via the "ssl" options in settings.json
2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
proxy for terminating the SSL for us;
In this case, the user has to be instructed to properly set trustProxy: true
in settings.json, and the information whether the application is over SSL or
not will be extracted from the X-Forwarded-Proto HTTP header.
Please note that this will not be compatible with applications being served over
http and https at the same time.
The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.
Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure
Closes #3561.
2019-12-07 04:36:01 +01:00
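The two-case rule described in the commit above (Node terminating TLS itself via the `ssl` settings, or a reverse proxy announcing `X-Forwarded-Proto` that is only trusted when `trustProxy: true` is set), as an added JavaScript example; this is not Etherpad's own code, and the `settings`/`req` shapes, the function names `isServedOverHttps`, `languageCookieHeader` and `sessionOptionsFor`, and the cookie attributes other than `Secure` are assumptions made for the example.

```javascript
// Added example, not Etherpad's own code. Decides whether a cookie may carry the
// Secure flag using the same two cases the commit describes, then builds the
// Set-Cookie value for the "language" cookie. `settings` mirrors the relevant
// settings.json keys ({ssl, trustProxy}); `req` only needs a `headers` object.

function isServedOverHttps(settings, req) {
  // Case 1: Node terminates TLS itself ("ssl" options present in settings.json).
  if (settings.ssl) return true;
  // Case 2: plaintext behind a reverse proxy that terminates TLS. The header is
  // client-controlled, so it is only honoured when the operator opted in with
  // trustProxy: true; otherwise a forged X-Forwarded-Proto would be believed.
  if (settings.trustProxy) {
    const raw = req.headers['x-forwarded-proto'] || '';
    // A chain of proxies may append values ("https, http"); the first entry is
    // the scheme the client actually used.
    const proto = String(raw).split(',')[0].trim().toLowerCase();
    return proto === 'https';
  }
  return false;
}

function languageCookieHeader(lang, settings, req) {
  // Attributes other than Secure are assumptions for this example.
  const parts = [`language=${encodeURIComponent(lang)}`, 'Path=/'];
  if (isServedOverHttps(settings, req)) parts.push('Secure');
  return parts.join('; ');
}

// express-session options expressing the same rule for "express_sid":
// cookie.secure 'auto' follows the connection's security, and the proxy option
// makes it honour X-Forwarded-Proto, as documented in the README the commit
// links to. Whether the exact Etherpad wiring looks like this is an assumption.
function sessionOptionsFor(settings) {
  return {
    proxy: Boolean(settings.trustProxy),
    cookie: {secure: 'auto'},
  };
}
```

With `trustProxy: true` and a proxy that forwards plain http, the flag is omitted and the cookie travels in clear text, which is the http-and-https-at-once situation the commit says is not supported.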
ahmadine
0a0b90c4d0
referer: change referrer policy. Stop sending referers as much as possible
...
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636
What's already there:
* `meta name=referrer`: already done in 1.6.1:
https://github.com/ether/etherpad-lite/pull/3044
https://caniuse.com/#feat=referrer-policy
https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
(Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])
The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
https://github.com/ether/etherpad-lite/pull/2498
https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
(Firefox>=37, I can't find more info about support)
This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
(Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)
* `Referrer-Policy: same-origin`: the last bastion of referrer security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
(Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)
meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.
[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
most probably incompatible (but I may be wrong on that, they may support
both, but I have no way to test it currently). The next Edge release will be
based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator
7e44dc569b
changelog: mention the conditional user creation feature (now that it's fixed)
2019-11-02 23:37:59 +01:00
muxator
4f53b35bcb
changelog: reflect the fact that next release will be 1.8-beta.1
...
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator
55fb10c685
release: prepare for 1.8.0
2019-10-19 03:42:13 +02:00
muxator
705cc6f5e4
Change everywhere the link to https://etherpad.org (it was plain http)
2019-04-16 00:54:54 +02:00