From 3dede0528c8533e818af10690447abe9fa501408 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Thu, 11 Oct 2012 16:54:27 +0200
Subject: [PATCH 1/7] Fix issue caused by broken async update
Conflicts:
 src/package.json
---
 src/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/package.json b/src/package.json
index e2f9c7740..a4097dc2f 100644
--- a/src/package.json
+++ b/src/package.json
@@ -16,7 +16,7 @@
 "resolve" : "0.2.x",
 "socket.io" : "0.9.x",
 "ueberDB" : "0.1.7",
- "async" : "0.1.x",
+ "async" : "0.1.22",
 "express" : "2.5.x",
 "connect" : "1.x",
 "clean-css" : "0.3.2",
From e0d4a16208cd2dae129630fdbccea4c0400dadd6 Mon Sep 17 00:00:00 2001
From: Dmitry
Date: Thu, 11 Oct 2012 17:51:57 +0400
Subject: [PATCH 2/7] fixed variable name in handleMessageHook
the code would never work as expected with this type
---
 src/node/handler/PadMessageHandler.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 10b259ae2..831acdbbf 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -178,7 +178,7 @@ exports.handleMessage = function(client, message)
 // handleMessage will be called, even if the client is not authorized
 hooks.aCallAll("handleMessage", { client: client, message: message }, function ( messages ) {
 _.each(messages, function(newMessage){
- if ( newmessage === null ) {
+ if ( newMessage === null ) {
 dropMessage = true;
 }
 });
From 8ea3ee080f18d7a5d56fef6747fdb125b482bd53 Mon Sep 17 00:00:00 2001
From: Dmitry
Date: Thu, 11 Oct 2012 18:07:45 +0400
Subject: [PATCH 3/7] fix for error handling in callback code
The callback code does not follow error handling guidelines, thus always receiving NULL instead of results array.
---
 src/node/handler/PadMessageHandler.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 831acdbbf..b889a8a03 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -176,7 +176,9 @@ exports.handleMessage = function(client, message)
 // Call handleMessage hook. If a plugin returns null, the message will be dropped. Note that for all messages
 // handleMessage will be called, even if the client is not authorized
- hooks.aCallAll("handleMessage", { client: client, message: message }, function ( messages ) {
+ hooks.aCallAll("handleMessage", { client: client, message: message }, function ( err, messages ) {
+ if(ERR(err, callback)) return;
+
 _.each(messages, function(newMessage){
 if ( newMessage === null ) {
 dropMessage = true;
From e4841212a6d798e175c706676621d475ed2174c3 Mon Sep 17 00:00:00 2001
From: Richard Braakman
Date: Tue, 2 Oct 2012 23:27:30 +0300
Subject: [PATCH 4/7] USERINFO_UPDATE: construct a new message for broadcast
The server was reusing the client's message when broadcasting userinfo updates. This would allow a malicious client to insert arbitrary fields into a message that the other clients would trust as coming from the server. For example, adding "disconnect" or renaming other authors. This commit fixes it by having the server construct a new message with known fields before broadcasting.
---
 src/node/handler/PadMessageHandler.js | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index b889a8a03..a30e4e818 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
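Review bot: `if(ERR(err, callback)) return;` on the new side references a name `callback` that nothing in this hunk defines, and the hunk header shows the enclosing function as `exports.handleMessage = function(client, message)` with no callback parameter; unless `callback` is declared in the part of the body outside the hunk, a hook error would surface as a ReferenceError (or as an uncaught throw inside ERR, depending on how it treats a missing callback) rather than being handled. If handleMessage has no caller-supplied callback, the error should be handled locally instead — log it with the module's logger and return so the message is dropped without taking the process down. The rest of handleMessage, including whatever later consults `dropMessage`, lies outside this hunk.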
@@ -417,22 +417,34 @@ function handleUserInfoUpdate(client, message)
 authorManager.setAuthorName(author, message.data.userInfo.name);
 var padId = sessioninfos[client.id].padId;
+
+ var infoMsg = {
+ type: "COLLABROOM",
+ data: {
+ // The Client doesn't know about USERINFO_UPDATE, use USER_NEWINFO
+ type: "USER_NEWINFO",
+ userInfo: {
+ userId: author,
+ name: message.data.userInfo.name,
+ colorId: message.data.userInfo.colorId,
+ userAgent: "Anonymous",
+ ip: "127.0.0.1",
+ }
+ }
+ };
 //set a null name, when there is no name set. cause the client wants it null
- if(message.data.userInfo.name == null)
+ if(infoMsg.data.userInfo.name == null)
 {
- message.data.userInfo.name = null;
+ infoMsg.data.userInfo.name = null;
 }
- //The Client don't know about a USERINFO_UPDATE, it can handle only new user_newinfo, so change the message type
- message.data.type = "USER_NEWINFO";
-
 //Send the other clients on the pad the update message
 for(var i in pad2sessions[padId])
 {
 if(pad2sessions[padId][i] != client.id)
 {
- socketio.sockets.sockets[pad2sessions[padId][i]].json.send(message);
+ socketio.sockets.sockets[pad2sessions[padId][i]].json.send(infoMsg);
 }
 }
 }
From 12bd520846ee3136a8808d8c6b67b757d9dbeb60 Mon Sep 17 00:00:00 2001
From: johnyma22
Date: Tue, 30 Oct 2012 13:51:29 +0000
Subject: [PATCH 5/7] bump version #
---
 src/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/package.json b/src/package.json
index c3c4968a6..67e402385 100644
--- a/src/package.json
+++ b/src/package.json
@@ -44,5 +44,5 @@
 "engines" : { "node" : ">=0.6.0", "npm" : ">=1.0" },
- "version" : "1.1.4"
+ "version" : "1.1.5"
 }
From de1c271776eb9ab5efad792fd905830b1edb941b Mon Sep 17 00:00:00 2001
From: johnyma22
Date: Tue, 30 Oct 2012 13:54:49 +0000
Subject: [PATCH 6/7] CHANGELOG stuff
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5810ed255..5d8875ae1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
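Review bot: `name: message.data.userInfo.name` and `colorId: message.data.userInfo.colorId` in the new `infoMsg` still copy the sender's values verbatim, so the fix pins the key set of the broadcast but not the value types: a client can still place an object or an oversized string in either field and every other client receives it as server-originated data. A type check before `infoMsg` is built, e.g. `if(message.data.userInfo.name != null && typeof message.data.userInfo.name !== "string") return;` plus the matching check for `colorId`, would close that gap, and the same check belongs ahead of `authorManager.setAuthorName(author, ...)`, which persists the same unvalidated value. The literals `userAgent: "Anonymous"` and `ip: "127.0.0.1"` would benefit from a comment such as `// fixed placeholder values, not the sender's real user agent or address` so a reader does not mistake them for sanitized client data. handleUserInfoUpdate begins before this hunk; any earlier handling of `colorId` is outside the visible lines.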
@@ -1,3 +1,11 @@
+# v1.1.5
+* Many bugfixes including some stability and security issues
+* Support for PageView as a plugin
+* Upgrade to Express V3
+* Better support for smaller screen sizes
+* Various dependency updates
+* Improved Docs
+
 # v1.1
 * Introduced Plugin framework
 * Many bugfixes
From 9cec0391e2c97e83915e7c82f0bdebb7f8c417fe Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Wed, 31 Oct 2012 16:15:12 +0100
Subject: [PATCH 7/7] Improve changelog v1.1.5
---
 CHANGELOG.md | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5d8875ae1..613cd8968 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,20 @@
 # v1.1.5
-* Many bugfixes including some stability and security issues
-* Support for PageView as a plugin
-* Upgrade to Express V3
-* Better support for smaller screen sizes
-* Various dependency updates
-* Improved Docs
+ * We updated to express v3 (please [make sure](https://github.com/visionmedia/express/wiki/Migrating-from-2.x-to-3.x) your plugin works under express v3)
+ * `userColor` URL parameter which sets the initial author color
+ * Hooks for "padCreate", "padRemove", "padUpdate" and "padLoad" events
+ * Security patches concerning the handling of messages originating from clients
+ * Our database abstraction layer now natively supports couchDB, levelDB, mongoDB, postgres, and redis!
+ * We now provide a script helping you to migrate from dirtyDB to MySQL
+ * Support running Etherpad Lite behind IIS, using [iisnode](https://github.com/tjanczuk/iisnode/wiki)
+ * LibreJS Licensing information in headers of HTML templates
+ * Default port number to PORT env var, if port isn't specified in settings
+ * Fix for `convert.js`
+ * Raise upper char limit in chat to 999 characters
+ * Fixes for mobile layout
+ * Fixes for usage behind reverse proxy
+ * Improved documentation
+ * Fixed some opera style bugs
+ * Update npm and fix some bugs, this introduces
 # v1.1
 * Introduced Plugin framework