Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:
* Step 1: Fetch any resource that the malicious user is authorized to
access (e.g., static content).
* Step 2: Use the signed express_sid cookie generated in step 1 to
create a socket.io connection.
* Step 3: Perform the CLIENT_READY handshake for the desired pad.
* Step 4: Profit!
Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.
This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
Just final bits of test coverage for import/export of LibreOffice. It turns out Travis by default installs an old LO that doesn't support PDF import. To remedy that I use the LO PPA and also strict install the PDF import support.
Still to do in a future date is check LO exported contents includes expected strings, for now it just checks output length looks sane.
1. Introduce contentcollector.js backend tests
1. Fix issue with OL LI items not being properly numbered after import
1. Fix issue with nested OL LI items being improperly numbered on export
1. Fix issue with new lines not being introduced after lists in on import #3961
1. Sanitize HTML on the way in (import)
1. Fix ExportHTML CSS because it needs to support OL > LI > OL not OL > OL [The latter being the correct format]
1. Fix backend tests.
With commit 44186ed (tests: remove loadSettings.js for backend tests.)
the loading of the settings in backendtests changed. One test spec
was not updated.
The old loadSettings.js was a way of customizing settings upon load, because
the Settings module did not offer this functionality. But it did not work well,
since all the default settings were not loaded.
Let's get rid of loadSettings.js for the bulk of the tests (the "backend"
specs). For the "container" specs, we'll keep it in place until/if we rewrite
Settings.js making it less brittle.
This is allowed starting from fc661ee13a ("core: allow URL parameters and POST
bodies to co-exist"), which landed in Etherpad 1.8.0. For the discussion, see
issue #3568.
Note by muxator:
This commit introduced a copied & modified version of the testing files
loadSettings.js and pad.js.
It's Christmas night, and we want to shipt this feature, so I merged it anyway,
adding a note in both the original and copied files so that hopefully someone
in the distant future is going to merge them back again.
In the following commits Pierre is going to copy & modify some files.
This commit prepares the source files in order to minimize those differences,
so we can re-unify them as soon as possible.
No functional changes.
This commit replaces an old test with a new, different one.
Reasons for removing the old test:
- the old list test was introduced in cadb83a with an explicit attempt to import
an invalid HTML and see if it could recover from it
- in 5967e08 the code base finally managed to export a meaningful HTML (but we
do not know if other bugs were introduced in pursuing this)
- the old test seemed to aim at attaining resiliency, but correctness should be
addressed before that
Modified by muxator. See discussion in:
https://github.com/ether/etherpad-lite/pull/3268#issuecomment-411185713