Commit Graph

6095 Commits (4060db0daff35a20472096500a46a311cd192a0a)

Author SHA1 Message Date
Richard Hansen 4060db0daf SessionStore: Reduce unnecessary vertical space 2020-09-21 23:21:05 +01:00
Richard Hansen 5fb6bc1938 SessionStore: Use single quotes everywhere 2020-09-21 23:21:05 +01:00
Richard Hansen 012449101d SessionStore: Use `const` instead of `var` 2020-09-21 23:21:05 +01:00
Richard Hansen 5d2c438e3e SessionStore: Use an arrow function to avoid `this` juggling 2020-09-21 23:21:05 +01:00
Richard Hansen de98852da6 SessionStore: Delete unused methods `all`, `clear`, `length` 2020-09-21 23:21:05 +01:00
Richard Hansen 346111250e utils: Fix promise creation accounting bug in promises.timesLimit
Before this change, `promises.timesLimit()` created `concurrency - 1`
too many promises. The only users of this function use a concurrency
of 500, so this meant that 499 extra promises were created each time
it was used. The bug didn't affect correctness, but it did result in a
large number of unnecessary database operations whenever a pad was
deleted. This change fixes that bug.

Also:
  * Convert the function to async and have it resolve after all of the
    created promises are resolved.
  * Reject concurrency of 0 (unless total is 0).
  * Document the function.
  * Add tests.
2020-09-21 23:16:32 +01:00
translatewiki.net 65942691b6 Localisation updates from https://translatewiki.net. 2020-09-21 16:02:42 +02:00
Stefan Mueller 91f25b51ff Merge remote-tracking branch 'origin/release/1.8.6' into develop 2020-09-20 21:23:14 +02:00
Richard Hansen df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Richard Hansen 3886e95c83 SessionManager: Fix session expiration check
This bug was introduced in 8b0baa9679.
2020-09-19 21:10:36 +01:00
Sebastian Castro 12bd617f51
css: Improve toolbar responsiveness for small screen (#4322)
Until now, the "mobile layout" (with right toolbar on bottom of the screen) was displayed only when screen was smaller than 800px. It made the toolbar break for screen about 1000px when a lot of plugins are in the toolbar.
Now instead, we detect with javascript when the toolbar icons overflow the natural space available, and we switch in "mobile layout" in such case
2020-09-19 19:09:30 +01:00
Stefan Mueller 299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
webzwo0i 85f52a2f23
tests: Plugin backend tests in ci (#4314) 2020-09-18 16:28:42 +01:00
translatewiki.net dfe0368910 Localisation updates from https://translatewiki.net. 2020-09-17 16:40:29 +02:00
Joas Souza 8c04fe8775
Feature: Copy Pad without history (#4295)
New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.
2020-09-16 19:24:09 +01:00
Richard Hansen b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen ae1142a799 tests: Use wtfnode to determine why mocha isn't exiting
If mocha hangs after running the tests, hit Ctrl-C and wtfnode will
print open files, open sockets, running timers, and running intervals.
Adding an `after` function that closes/stops all of those things will
ensure that mocha exits when it finishes running the tests.
2020-09-15 21:22:52 +01:00
Richard Hansen e20731cb12 webaccess: Fix syntax error (missing close curly brace)
Somehow I introduced this bug in commit
2bc26b8ef8 but never noticed.
2020-09-15 21:21:13 +01:00
Richard Hansen d2773609d1 PadMessageHandler: Fix assignment to const variable 2020-09-15 20:04:33 +01:00
Richard Hansen 5ac5b65aff Pad: Disable toolbar and import/export when reconnecting 2020-09-15 20:04:17 +01:00
Richard Hansen 6f28e415ec PadMessageHandler: Move code out of unnecessary closure (again) 2020-09-15 20:04:01 +01:00
Richard Hansen 9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
Richard Hansen 80639fdc6a webaccess: Pass `settings.users` to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00
Richard Hansen 250e932f59 webaccess: Enforce creation of `req.session.user` by authn plugins
The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.
2020-09-15 19:26:14 +01:00
Richard Hansen 362b567276 docs: Revise documentation for handleMessage and handleMessageSecurity 2020-09-15 19:25:04 +01:00
Richard Hansen 80c0e2487d PadMessageHandler: Move code out of unnecessary closure
Also simplify the logic.
2020-09-15 19:23:48 +01:00
Richard Hansen a261fdf430 i18n: Improve error logging when language JSON read fails
Before it only logged an error like this:

    SyntaxError: Unexpected string in JSON at position XYZ

Now it also logs the filename, making it easier to figure out where
the bad data is:

    failed to read file /path/to/etherpad-lite/src/locales/en.json: SyntaxError: Unexpected string in JSON at position XYZ
2020-09-15 15:32:43 +01:00
John McLear 38352c1f8c Merge branch 'develop' of github.com:ether/etherpad-lite into develop 2020-09-15 13:15:53 +01:00
John McLear 9f3cc7aae0 deps: update UeberDB to fix issue with Postgres which was causing 1.8.5 to fail on PG sites. 2020-09-15 13:15:28 +01:00
Richard Hansen 2bc26b8ef8 webaccess: Factor out common code 2020-09-15 10:44:23 +01:00
Richard Hansen f9087fabd6 security: Check authentication in SecurityManager checkAccess
In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
2020-09-15 10:43:23 +01:00
Richard Hansen 259b8d891d socketio: Use Error objects for socket.io connection errors
socket.io expects Error objects, otherwise it won't propagate the
message to the client.

Also do some cleanup.
2020-09-15 10:42:25 +01:00
Richard Hansen 0a836ced29 css: Line up line numbers with their rows
Tested with both `no-skin` and `colibris`.
2020-09-15 09:29:09 +01:00
webzwo0i ec6b983917
packaging: remove pad_docbar.js (#4286)
package to reduce http requests: nice-select,
pad_automatic_reconnect, skin_variants, scroll, caretPosition

rename unorm in tar.json so it can be included
2020-09-13 19:01:28 +01:00
Richard Hansen d0a16d23cb security: Fix authentication bypass vulnerability
Before, anyone who could create a socket.io connection to Etherpad
could read, modify, and create pads at will without authenticating
first.

The `checkAccess` middleware in `webaccess.js` normally handles
authentication and authorization, but it does not run for `/socket.io`
requests. This means that the connection handler in `socketio.js` must
handle authentication and authorization. However, before this change:
  * The handler did not require a signed `express_sid` cookie.
  * After loading the express-session state, the handler did not check
    to see if the user had authenticated.

Now the handler requires a signed `express_sid` cookie, and it ensures
that `socket.request.session.user` is non-null if authentication is
required. (`socket.request.session.user` is non-null if and only if
the user has authenticated.)
2020-09-13 18:56:31 +01:00
John McLear 4434e54368
Update responsiveness.js
Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.
2020-09-12 11:00:05 +01:00
Richard Hansen 8b0baa9679 SecurityManager: Refactor checkAccess for readability, correctness
* Move session validity check and session author ID fetch to a
    separate function. This separate function can be used by hooks,
    making it easier for them to properly determine the author ID.
  * Rewrite the remainder of checkAccess. Benefits:
      - The function is more readable and maintainable now.
      - Vulnerability fix: Before, the session IDs in sessionCookie
        were not validated when checking settings.requireSession. Now,
        sessionCookie must identify a valid session for the
        settings.requireSession test to pass.
      - Bug fix: Before, checkAccess would sometimes use the author ID
        associated with the token even if sessionCookie identified a
        valid session. Now it always uses the author ID associated
        with the session if available.
2020-09-12 09:42:47 +01:00
Richard Hansen 8756fed80d PadMessageHandler: Use `await` instead of `p.then()` 2020-09-11 22:11:03 +01:00
Richard Hansen 3262ff1cb9 PadMessageHandler: Rename createSessionInfo to createSessionInfoAuth
The function doesn't create the session info -- it creates the auth
property of existing session info.
2020-09-11 22:11:03 +01:00
Richard Hansen de792559cb PadMessageHandler: Use `===` instead of `==` for comparison 2020-09-11 22:11:03 +01:00
Richard Hansen 7f0770d684 PadMessageHandler: Invert logic to improve readability 2020-09-11 22:11:03 +01:00
Richard Hansen d4db091d1d PadMessageHandler: Simplify handleClientReady a bit
Before, this function referred to the same author ID in different ways
in different places. Use one spelling to make the code easier to read.
2020-09-11 22:11:03 +01:00
Richard Hansen ed3c82e8c3 Use `null`, not `"null"`, if `sessionID` cookie doesn't exist
`decodeURIComponent(null)` returns the string `'null'`, which we don't
want.
2020-09-11 22:10:04 +01:00
translatewiki.net 24978daeb0 Localisation updates from https://translatewiki.net. 2020-09-10 18:36:59 +02:00
webzwo0i e2b3b009e1
tests: skip responsivness test on firefox 52.0/windows (#4275) 2020-09-09 21:40:53 +01:00
John McLear 5dfae625b9 Package Lock update 2020-09-09 18:15:47 +01:00
John McLear c8361a211a bump ueber 2020-09-09 14:41:03 +01:00
Stefan Mueller 477f637488 Merge tag '1.8.5' into develop
Version 1.8.5
2020-09-08 22:34:35 +02:00
Stefan Mueller f3d950c664 Merge branch 'release/1.8.5' 2020-09-08 22:34:02 +02:00
Stefan Mueller 5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00