Commit Graph

5826 Commits (0d51e7157849fc50d9447d78b30fe48bb22c6835)

Author SHA1 Message Date
muxator 840b4a0988 contentcollector: backed out changeset 3292429ab3
That commit (merged recently with PR #3622) was part of an effort to fix #3620,
but introduced a very bad bug that broke the cursor behaviour when pressing
space, making the program unusable.

This commit completes the revert of PR #3622 and fixes #3728.

--HG--
branch : revert-3622
2020-03-19 02:53:41 +01:00
muxator c382ba35c9 tests: backed out changeset 155a895604
This was a preparatory commit for 3292429ab3 (which introduced a bug, see
issue #3728) and modified the tests for issue #3620.

Commit 155a895604 per se did not introduce any bugs, but was difficult to
inspect because of its size. For this, the corresponding PR (#3622) should not
have been accepted.

--HG--
branch : revert-3622
2020-03-19 02:53:41 +01:00
John McLear 8261229323 pass file ending 2020-03-17 13:08:46 +00:00
Tudor Constantin 28102d8e1f ImportHandler: importing files with unknown extension work again when allowUnknownFileEnds is true
By specification, when settings.allowUnknownFileEnds is true and the user tries
to import a file with an unknown extension (this includes no extension),
Etherpad tries to import it as txt.

This broke in Etherpad 1.8.0, that abruptly terminates the processing with an
UnhandledPromiseRejectionWarning.

This patch restores the intended behaviour, and allows to import as text a file
with an unknown extension (on no extension).

In order to catch the UnhandledPromiseRejectionWarning we had to use
fsp_rename(), which is declared earlier in the code and is promised based
instead of fs.rename(), which is callback based.

Fixes #3710.
2020-03-17 12:41:18 +01:00
John McLear a0579c90db APIHandler: return HTTP/404 when non existing API methods are invoked
Before this change, invoking a non existing API method would return an HTTP/200
response with a JSON payload {"code":3,"message":"no such function"}.

This commit changes the HTTP status code to 404, leaving the payload as-is.

Before:
   curl --verbose "http://localhost:9001/api/1/notExisting?apikey=ABCDEF"
  < HTTP/1.1 200 OK
  < X-Powered-By: Express
  [...]
  {"code":3,"message":"no such function","data":null}

After:
   curl --verbose "http://localhost:9001/api/1/notExisting?apikey=ABCDEF"

   < HTTP/1.1 404 OK
   < X-Powered-By: Express
   [...]
   {"code":3,"message":"no such function","data":null}

Fixes #3546.
2020-03-15 09:26:44 +00:00
Sebastian Castro 0d61d6bb13 ui: on mobile, move the right toolbar to the bottom and make the top toolbar scrollable
Before this change there was always a single toolbar on the top, with both
Colibris and the legacy skin. When the screen size was reduced:

- the legacy skin would compact the icons in the toolbar (this was fine,
  indeed);
- Colibris would hide some formatting icons. This would hamper the functionality
  for mobile users.

After this change both the skins work in the same way, which is the following:
- when the screen gets smaller the right toolbar (the one with "export",
  "timeslider", and other buttons) goes to the bottom of the screen;
- when there are many icons, the toolbar keeps all of them, and to see them the
  user must drag the toolbar.

This behaviour will probably be changed before release, opting instead to show
a "+" button when there is an overflow, since this appears to be more
discoverable (see the discusison in #3697).

Do not tested with custom toolbar elements (toolbar.left and toolbar.right
configuration items in settings.json).

Fixes #3697.
2020-03-12 18:47:12 +01:00
translatewiki.net 6323f59c3a Localisation updates from https://translatewiki.net. 2020-03-16 15:41:54 +01:00
Tom Briles 3292429ab3 trim text entries upon import. Fixes: #3620 2020-03-15 11:35:08 +00:00
Tom Briles 155a895604 Test for Issue-3620: space in the HTML for an unordered list creates an extra list item 2020-03-15 11:35:08 +00:00
John McLear 467fc11b72 fix 2020-03-14 21:58:26 +01:00
translatewiki.net bb868beb9c Localisation updates from https://translatewiki.net. 2020-02-24 15:39:25 +01:00
translatewiki.net 5773e6cea0 Localisation updates from https://translatewiki.net. 2020-02-20 15:58:56 +01:00
John McLear 74fa47e295
Pretty sure you need elevated command prompt in windows..
To do anything nowadays.
2020-02-14 23:36:13 +00:00
translatewiki.net 7950d336eb Localisation updates from https://translatewiki.net. 2020-02-10 14:50:52 +01:00
translatewiki.net ffcf22e4ac Localisation updates from https://translatewiki.net. 2020-01-30 15:49:13 +01:00
translatewiki.net de3a677df5 Localisation updates from https://translatewiki.net. 2020-01-20 11:32:11 +01:00
translatewiki.net bac58a7391 Localisation updates from https://translatewiki.net. 2020-01-13 16:08:24 +01:00
Sebastian Castro 6d4ea36646 skin colibris: Fix table of content with ep_resizable_bar 2020-01-03 15:35:12 -03:00
muxator 3b24c97d1e db/SecurityManager.js: accessing without session a public group pad no longer causes a crash
Steps to reproduce (via HTTP API):
1. create a group via createGroup()
2. create a group pad inside that group via createGroupPad()
3. make that pad public calling setPublicStatus(true)
4. access the pad via a clean web browser (with no sessions)
5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist

This was due to an overlook in 769933786cea: "apierror: sessionID does not
exist" may be a legal condition if we are also visiting a public pad. The
function that could throw that error was sessionManager.getSessionInfo(), and
thus it needed to be inside the try...catch block.

Please note that calling getText() on the pad always return the pad contents,
*even for non-public pads*, because the API bypasses the security checks and
directly talks to the DB layer.

Fixes #3600.
2019-12-26 00:30:43 +01:00
Pierre Prinetti 0b3cf7cc96 docker: Add Run with volume example
Supersedes https://github.com/ether/etherpad-lite/pull/3631

Co-authored-by: RaymondCavallaro <RaymondCavallaro@users.noreply.github.com>
2019-12-25 00:48:30 +01:00
Pierre Prinetti 92f07a544b ci: test basic application response of the docker build
Note by muxator:
This commit introduced a copied & modified version of the testing files
loadSettings.js and pad.js.

It's Christmas night, and we want to shipt this feature, so I merged it anyway,
adding a note in both the original and copied files so that hopefully someone
in the distant future is going to merge them back again.
2019-12-25 00:28:38 +01:00
Pierre Prinetti 69fd393708 ci: test the Dockerfile
Add a `Test Dockerfile` job to Travis that checks the `docker build` exit
code.
More useful tests can be added later.
2019-12-25 00:28:38 +01:00
muxator 5b4bca2c6e ci: move the existing test under a jobs section, so we can add others later
In the next commit Pierre will start adding tests for the docker build, and this
lays out the structure for doing that.
No functional changes.

The relevant TravisCI docs that motivates moving under a jobs section is
https://docs.travis-ci.com/user/build-matrix/

> There are two ways to specify multiple parallel jobs (what we call the build
> matrix) with a single .travis.yml configuration file:
>
> * combine a language-and-environment dependent set of configuration options to
>   automatically create a matrix of all possible combinations. This is called
>   matrix expansion. For example, the following configuration produces a build
>   matrix that expands to 8 individual (2 * 2 * 2) jobs
>   [...]
>
> * specify the exact combination of configurations you want in jobs.include.
>   For example, if not all of those combinations are interesting, you can
>   specify just the combinations you want
2019-12-25 00:28:38 +01:00
muxator bf0bb58c70 ci: no need to include java
The dependency on java was introduced in 2012 (c021cf52d8) to start
Sauce-Connect from sauce labs.

Probably at the time it was a runtime dependency, but it is no longer the case
today. It is possible that java was already not needed when db003a1460 changed
from downloading Sauce-Connect-latest.zip to sc-latest-linux.tar.gz.

Moreover, I am quite sure tests/frontend/travis/sauce_tunnel.sh no longer works
today, because tests/frontend/travis/sauce_tunnel.sh downloads from an url that
gives HTTP/404 now: sc-latest-linux.tar.gz if no longer a valid file name, we
would need to explicitly download a specific version.
2019-12-25 00:28:38 +01:00
muxator cffa3e0a5d ci: trivial reformatting in preparation for next commits.
This is just needed to slim up the diffs for the next commits.
Non functional changes.
2019-12-25 00:28:38 +01:00
muxator fe0cf4bdb0 tests: reorganize some files, because we are going to copy & paste them.
In the following commits Pierre is going to copy & modify some files.
This commit prepares the source files in order to minimize those differences,
so we can re-unify them as soon as possible.

No functional changes.
2019-12-25 00:28:38 +01:00
muxator 5bcc5a3be0 windows: bump the node version included in the prebuilt package: 10.16.3 -> 10.18.0
This is the latest version as of today.
2019-12-18 02:00:08 +01:00
muxator 140d5c4b41 dependencies: upgrade npm 6.13.1 -> 6.13.4
This fixes some security vulnerabilites, among them an arbitrary file overwrite.


The output of `npm audit` goes from this:
  found 17 vulnerabilities (15 low, 2 high) in 13344 scanned packages
    run `npm audit fix` to fix 6 of them.
    1 vulnerability requires semver-major dependency updates.
    10 vulnerabilities require manual review. See the full report for details.

To this:
  found 5 vulnerabilities (3 low, 2 high) in 13370 scanned packages
    1 vulnerability requires semver-major dependency updates.
    4 vulnerabilities require manual review. See the full report for details.


Changelog:
- https://github.com/npm/cli/releases


6.13.4 (2019-12-11)
    BUGFIXES
    320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs)

    DEPENDENCIES
    52fd21061 gentle-fs@2.3.0 (@isaacs)
    d06f5c0b0 bin-links@1.1.6 (@isaacs)

6.13.3 (2019-12-09)
    DEPENDENCIES
    19ce061a2 bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
    59c836aae npm-packlist@1.4.7
    fb4ecd7d2 pacote@9.5.11
        5f33040 #476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @darcyclarke)
        6f229f7 sanitize and normalize package bin field (isaacs)
    1743cb339 read-package-json@2.1.1

6.13.2 (2019-12-03)
    BUG FIXES
    4429645b3 #546 fix docs target typo (@richardlau)
    867642942 #142 fix(packageRelativePath): fix 'where' for file deps (@larsgw)
    d480f2c17 #527 Revert "windows: Add preliminary WSL support for npm and npx" (@craigloewen-msft)
    e4b97962e #504 remove unnecessary package.json read when reading shrinkwrap (@Lighting-Jack)
    1c65d26ac #501 fix(fund): open url for string shorthand (@ruyadorno)
    ae7afe565 #263 Don't log error message if git tagging is disabled (@woppa684)
    4c1b16f6a #182 Warn the user that it is uninstalling npm-install (@Hoidberg)
2019-12-18 01:17:35 +01:00
translatewiki.net b6105d8c75 Localisation updates from https://translatewiki.net. 2019-12-16 15:54:40 +01:00
muxator 70bc71c0c3 skins: make "colibris" the default skin for new installations
Colibris skin was first introduced in 1.7.5 and received some bugfixes in 1.8.0.
It is now time to make it the default for new installs.
2019-12-08 00:32:03 +01:00
muxator 1dfd52bcce release: prepare for 1.8.0 2019-12-07 18:55:07 +01:00
muxator a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
muxator b82816c774 express: reformat session configuration in preparation for the next commit
No functional changes.
2019-12-07 04:22:54 +01:00
muxator a51684b022 security: stop setting the "io" cookie
The "io" cookie is created by socket.io, and its purpose is to offer an handle
to perform load balancing with session stickiness when the library falls back to
long polling or below.

In Etherpad's case, if an operator needs to load balance, he can use the
"express_sid" cookie, and thus "io" is of no use.

Moreover, socket.io API does not offer a way of setting the "secure" flag on it,
and thus is a liability.

Let's simply nuke it.

References:
  https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
  https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
2019-12-07 04:20:12 +01:00
IRobL 5e44a94d2a Adds a badge/ link to the dockerhub path where this image is published 2019-12-05 21:09:37 +01:00
Pierre Prinetti 50142f6580 docker: Set the home directory for the user
Before this change, the docker user had home in a directory it had no
permissions on. The inability of creating a cache directory in `$HOME`
prevented npm to work properly.

Additionally, the `node_modules` in the base working directory had its
owner set to root, preventing further changes.

With this change, the `etherpad` user has a home directory.
Additionally, `npm i` is now run by `etherpad` rather than the root
user; this way, it is possible to dynamically change the `node_modules`
content in day 2 operations.

Note that while switching to the `useradd` builtin, a conflict was
discovered with the GID 65534 that was previously used. This change is
changing the `etherpad` user's UID to 5001 to avoid said conflict. As a
consequence, a `chmod -R 5001:5001` must be run prior to attaching
volumes created from previous Etherpad versions.
2019-12-02 22:14:11 +01:00
muxator 0a86024797 startup scripts: get rid of $* and replace it with properly quoted "$@"
In shell scripts an unquoted $* is rarely useful, for example because it breaks
in presence of file names with spaces.

References:
- https://google.github.io/styleguide/shell.xml
  Use "$@" unless you have a specific reason to use $*.

- https://unix.stackexchange.com/questions/41571/what-is-the-difference-between-and#94200
  Short answer: use "$@" (note the double quotes). The other forms are very
  rarely useful.
2019-12-01 01:52:32 +01:00
muxator 695c2d2e84 pad.html: fix regression introduced with 5879037ddc.
Revision 5879037ddc fixed a security bug, but introduced a regression, where
on page load the js console showed:

   ReferenceError: require is not defined

The reason was that the fix called require('../static/js/pad_utils') to load a
module at a time when require() was still not defined.
This change anticipates the loading of require-kernel, and manually loads
pad_utils.

The fix proposed in #3670 by aaron-costello, which seemed to do the right
thing, anticipating the configuration phase of require-kernel, did not work.
It had to be declined and replaced by this (less elegant) change.
2019-11-30 20:32:39 +01:00
muxator ba38ed3bba dependencies: upgrade npm 6.12.1 -> 6.13.1
This upgrade solves the high-severity vulnerabilities regarding
https-proxy-agent that were still present in 8e6bca456f.

The output of `npm audit` goes from this:
  found 29 vulnerabilities (3 low, 26 high) in 13338 scanned packages
    run `npm audit fix` to fix 4 of them.
    1 vulnerability requires semver-major dependency updates.
    24 vulnerabilities require manual review. See the full report for details.

To this:
found 5 vulnerabilities (3 low, 2 high) in 13338 scanned packages
  1 vulnerability requires semver-major dependency updates.
  4 vulnerabilities require manual review. See the full report for details.


Changelog:
- https://github.com/npm/cli/releases

6.13.1 (2019-11-18)
    BUG FIXES
    938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno)
    b49c5535b #471 should not publish tap-snapshot folder (@ruyadorno)
    3471d5200 #253 Add preliminary WSL support for npm and npx (@infinnie)
    3ef295f23 #486 print quick audit report for human output (@isaacs)

    TESTING
    dbbf977ac #278 added workflow to trigger and run benchmarks (@mikemimik)
    b4f5e3825 #457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)
    454c7dd60 #456 fix git configs for git 2.23 and above (@isaacs)

    DEPENDENCIES
    661d86cd2 make-fetch-happen@5.0.2 (@claudiahdz)

6.13.0 (2019-11-05)
    NEW FEATURES
    4414b06d9 #273 add fund command (@ruyadorno)

    BUG FIXES
    e4455409f #281 delete ps1 files on package removal (@NoDocCat)
    cd14d4701 #279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)

    DEPENDENCIES
    a37296b20 pacote@9.5.9
    d3cb3abe8 read-cmd-shim@1.0.5

    TESTING
    688cd97be #272 use github actions for CI (@JasonEtco)
    9a2d8af84 #240 Clean up some flakiness and inconsistency (@isaacs)
2019-11-25 02:04:39 +01:00
ahmadine 0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
Joel Purra 2a44c83250 referer: exported html pads no longer leak URL/location through referer header
Exported HTML can, when loaded from disk or an online server, also leak the
location. Applying the `rel="noreferrer"` HTML5 standard mitigate the problem
for compatible browsers.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
2019-11-25 00:05:40 +01:00
Joel Purra f314460b7c referer: HTML5 browsers no longer leak pad through HTTP referer header
Added `rel="noreferrer"` to automatically generated links in the main pad window
as well as the chat window.

`rel="noreferrer"` is part of the HTML5 standard. While browser support isn't
100%, it's better than nothing. Future alternative solutions with wider browser
support, such as intermediary redirect pages, are unaffected by this change.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
2019-11-25 00:05:40 +01:00
translatewiki.net 14d81ecef8 Localisation updates from https://translatewiki.net. 2019-11-18 18:11:48 +01:00
muxator 30fd53f1fd docker: move docker/settings.json to /settings.json.docker 2019-11-08 23:50:50 +01:00
Pierre Prinetti dc15f4a43c docker: build from the local working directory
With this change, the Dockerfile builds the Docker image from the code
checked out in the local filesystem, instead of downloading a revision
from git.

Implements #3657
2019-11-08 22:56:30 +01:00
muxator c008ee36bd docker: incorporate the docker docs into the official documentation
This also means increasing the indentation level.
2019-11-08 23:17:34 +01:00
muxator 8c74e72c8c docker: minimal changes to the documentation 2019-11-08 23:15:03 +01:00
muxator bedcb8e975 docker: explicitly set both user and group when running as unprivileged user.
This change amends eea99fe507.

https://docs.docker.com/engine/reference/builder/#user
  USER <user>[:<group>] or
  USER <UID>[:<GID>]

  The USER instruction sets the user name (or UID) and optionally the user group
  (or GID) to use when running the image and for any RUN, CMD and ENTRYPOINT
  instructions that follow it in the Dockerfile.
2019-11-09 00:23:55 +01:00
muxator dd164decbd docker: typos in the readme 2019-11-07 23:02:34 +01:00
muxator 7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00