Commit Graph

192 Commits (7748e8d113a3bbd51f5fea8aade1145bc629552d)

Author SHA1 Message Date
Richard Hansen 142a47cbbc Release v1.8.16 2021-11-28 23:03:58 -05:00
Richard Hansen 777d045246 GroupManager: Clean up any mappings when deleting a group 2021-11-28 14:06:47 +00:00
Richard Hansen b7065eb9a0 Add notable enhancements/fixes to 1.8.15 changelog 2021-11-25 18:39:01 -05:00
Richard Hansen bbd71cea22 Refine `CHANGELOG.md` 2021-11-25 18:39:01 -05:00
Richard Hansen 89fe40e080 Changeset: Migrate from `OpIter` to `deserializeOps()` 2021-11-23 01:21:49 -05:00
Richard Hansen 657492e191 Changeset: Turn `newOp()` into a real class 2021-11-23 01:21:12 -05:00
Richard Hansen dab881139d Pad: Fix `copyPadWithoutHistory` apool corruption bug 2021-11-22 18:40:22 -05:00
Richard Hansen d74dd235a4 Changeset: Replace `appendATextToAssembler()` with a generator 2021-11-22 18:10:37 -05:00
Richard Hansen f1eb7a25a6 Changeset: Migrate to the new attribute API 2021-11-21 04:11:41 -05:00
Richard Hansen 6cf2055199 Changeset: New API to simplify attribute processing 2021-11-21 04:11:41 -05:00
Richard Hansen 8274e01d34 Add notable enhancements/fixes to 1.8.15 changelog 2021-11-21 01:40:24 -05:00
Richard Hansen 978555653b Refine `CHANGELOG.md` 2021-11-21 01:40:24 -05:00
John McLear b540c2bc48 release: Add version to changelog 2021-11-19 15:27:40 +00:00
Richard Hansen a65498e849 Changeset: Move `SmartOpAssembler.appendOpWithText()` to a standalone function 2021-11-14 04:17:00 -05:00
Richard Hansen 4a65c2c8ff Changeset: Unexport unnecessarily exported functions
These functions aren't used outside of this file.
2021-11-13 17:44:38 -05:00
Richard Hansen 085bc8cbb3 plugins: Don't create `.ep_initialized` files
These files cause problems with Docker images and read-only
directories/mounts, and they have dubious value (any install-time
setup should instead be done at startup).
2021-11-13 17:43:33 -05:00
Richard Hansen dd8ec4e291 Changeset: Remove unused `lastIndex()` method from op iterator 2021-11-07 23:24:39 -05:00
Richard Hansen 0fd2a46783 Changeset: Remove unused start index parameter for `opIterator()` 2021-11-07 23:24:39 -05:00
Richard Hansen 26675c5019 chat: New `chatNewMessage` server-side hook 2021-11-01 01:54:29 -04:00
Richard Hansen 9fbd2e5c3d chat: New `chatSendMessage` client-side hook 2021-11-01 01:54:28 -04:00
Richard Hansen f1f4ed7c58 chat: Allow `chatNewMessage` hook to control rendering 2021-11-01 01:54:28 -04:00
Richard Hansen 2597b940f4 chat: Give `chatNewMessage` hook access to the raw message object 2021-11-01 01:54:28 -04:00
Richard Hansen e28c9ffc97 tests: Support injecting hook functions during pad load 2021-11-01 01:54:28 -04:00
Richard Hansen 9aaf781548 PadMessageHandler: Modernize `userLeave` hook context properties 2021-10-30 03:07:44 -04:00
Richard Hansen a6d060d67b PadMessageHandler: Replace `clientReady` hook with new `userJoin` hook 2021-10-30 03:07:44 -04:00
Richard Hansen 5cbbcbcee6 pad: Simplify reload after `.etherpad` import
The old "switch to pad" logic looked buggy, and it complicates pad
initialization. Forcing a refresh after importing an `.etherpad` file
isn't much of a UX downgrade.
2021-10-29 19:27:33 -04:00
Richard Hansen aec619cc0b log4js: Deprecate the `logconfig` setting
This will make it possible to upgrade log4js in a future version.
2021-09-28 04:30:26 -04:00
webzwo0i dbd76f0c5d export: Don't leak writeable pad ID when exporting
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-09-15 18:32:06 -04:00
Richard Hansen 0d65dc8a44 pad: Add `clientVars` to `postAceInit` hook context
This allows plugins to avoid the `clientVars` global variable.
2021-08-25 14:59:17 -04:00
Richard Hansen c816c20bc7 HTML import: Replace cheerio with jsdom to simplify contentcollector
Cheerio provides jQuery-like objects but they wrap DOM Node-like
objects that are not 100% API compatible with the DOM spec. Because of
this, contentcollector, which is used in browsers and in Node.js
during HTML import, has until now needed to support two different
APIs. This commit modifies HTML import to use jsdom instead of cheerio
and simplifies contentcollector.
2021-08-12 13:53:23 -04:00
webzwo0i f55ccd2cdd changelog 1.8.14 2021-07-04 07:01:07 +02:00
Richard Hansen ef1ba21104 deps: Drop support for Node.js < 12.13.0 2021-06-14 23:17:17 +02:00
Richard Hansen de0a450aec Docker: If `DB_*` env var is unset, remove the corresponding setting 2021-06-06 14:00:52 -04:00
Richard Hansen 428f8d1684 Settings: Deprecate null as the default default value 2021-06-06 14:00:52 -04:00
Richard Hansen c7bb18c6da Settings: Support null and undefined env var substitutions 2021-06-06 14:00:51 -04:00
Richard Hansen 8384a7a67b deps: Bump ueberdb2 2021-04-20 21:56:44 +02:00
Richard Hansen ea8846154f favicon: Redo favicon customization 2021-04-20 13:33:55 -04:00
webzwo0i 0e854a5892 fix wrong changelog entry 2021-03-22 17:26:55 +01:00
webzwo0i 826826bd37 add changelog for 1.8.13 2021-03-21 15:42:16 +00:00
John McLear dabb4917ed
changelog 1.8.12 2021-03-05 07:27:31 +00:00
Richard Hansen 3667f2ca0e Ace2Inner: Fix missing spread operator on `args`
This fixes a bug that was introduced in commit
c38c34bef4.
2021-02-28 08:39:47 +00:00
Richard Hansen 16e6496eb4 deps: Update ueberdb2 to fix dirty DB bug 2021-02-28 08:03:20 +00:00
John McLear c394577695
changelog 1.8.11 2021-02-27 16:45:02 +00:00
John McLear 6efa41ec23
update Changelog 1.9.10 2021-02-25 18:25:00 +00:00
John McLear c6cd4c38fd
Update CHANGELOG.md 2021-02-22 09:46:14 +00:00
John McLear bdb78adb3f Update CHANGELOG.md 2021-02-21 13:50:55 +00:00
Richard Hansen 63e876f53d docs: Start CHANGELOG for 1.8.9 2021-02-18 03:56:41 -05:00
John McLear 306e839bd8 docs: security notification 2021-02-15 12:45:31 -05:00
John McLear b7e88cb904 security: New setting for Socket.IO `maxHttpBufferSize` 2021-02-15 12:45:31 -05:00
Richard Hansen 648e7c7342 docs: Mention improved import UX in `CHANGELOG.md` 2021-02-14 03:58:53 -05:00
Richard Hansen e674d9789e
express: Change `httpUptime` to `httpStartTime` (#4777)
It's better to provide a primitive value and let the consumer of the
metric do math if desired.

Co-authored-by: John McLear <john@mclear.co.uk>
2021-02-14 07:50:10 +00:00
John McLear 13a0b0688f
docs: changelog update (#4776)
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-14 01:16:41 -05:00
Richard Hansen ac52fb8a9d express: New `httpUptime` metric 2021-02-13 10:02:28 +00:00
Richard Hansen 50929fe7f7 express: Call expressConfigure, expressCreateServer hooks asynchronously 2021-02-12 07:08:51 +00:00
Richard Hansen 2301c6ec83 pad: Don't throw on socket.io error 2021-02-11 17:25:09 +00:00
John McLear 5d96cf9754
changelog 1.8.8 (#4725)
* changelog 1.8.8

* for squash: refine changelog

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-07 22:24:19 +00:00
John McLear 2ea8ea1275 restructure: move bin/ and tests/ to src/
Also add symlinks from the old `bin/` and `tests/` locations to avoid
breaking scripts and other tools.

Motivations:

  * Scripts and tests no longer have to do dubious things like:

        require('ep_etherpad-lite/node_modules/foo')

    to access packages installed as dependencies in
    `src/package.json`.

  * Plugins can access the backend test helper library in a non-hacky
    way:

        require('ep_etherpad-lite/tests/backend/common')

  * We can delete the top-level `package.json` without breaking our
    ability to lint the files in `bin/` and `tests/`.

    Deleting the top-level `package.json` has downsides: It will cause
    `npm` to print warnings whenever plugins are installed, npm will
    no longer be able to enforce a plugin's peer dependency on
    ep_etherpad-lite, and npm will keep deleting the
    `node_modules/ep_etherpad-lite` symlink that points to `../src`.

    But there are significant upsides to deleting the top-level
    `package.json`: It will drastically speed up plugin installation
    because `npm` doesn't have to recursively walk the dependencies in
    `src/package.json`. Also, deleting the top-level `package.json`
    avoids npm's horrible dependency hoisting behavior (where it moves
    stuff from `src/node_modules/` to the top-level `node_modules/`
    directory). Dependency hoisting causes numerous mysterious
    problems such as silent failures in `npm outdated` and `npm
    update`. Dependency hoisting also breaks plugins that do:

        require('ep_etherpad-lite/node_modules/foo')
2021-02-04 17:15:08 -05:00
freddii ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear 0cc8405e9c Bump minimum required Node.js version to 10.17.0
This makes it possible to use fs.promises.
2021-01-30 17:00:40 -05:00
Richard Hansen edbe6d5387 Bump ueberDB to get speed improvements 2021-01-11 09:23:08 +00:00
Richard Hansen a55dd73f2b Typo fix: `checkPlugins.js` -> `checkPlugin.js` 2021-01-08 19:02:55 -05:00
John McLear 998c80607e changelog: updated changelog 2020-12-23 16:18:28 -05:00
Richard Hansen b82bf5c726 Drop support for Internet Explorer 2020-12-19 19:13:31 +00:00
Richard Hansen 1ad9b1efbb Update `CHANGELOG.md`
Add new entries and refine wording/formatting of existing entries.
2020-11-10 07:22:22 +00:00
John McLear 89667f1d4f
update changelog for release (#4475) 2020-11-08 10:03:22 +00:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen 34b232d658
Update `CHANGELOG.md` with the changes so far (#4393) 2020-10-06 09:16:21 +02:00
Richard Hansen df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Stefan Mueller 299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
Stefan Mueller 5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
John McLear 2a28ff8526
Changelog (#4181) 2020-07-19 23:48:31 +01:00
John McLear e22574c40f
Changelog 2020-06-10 15:43:09 +01:00
muxator 4365598658 release: prepare for 1.8.4 2020-05-15 02:09:18 +02:00
muxator 5e6af287a5 release: prepare for 1.8.3 2020-04-27 03:24:23 +02:00
muxator 684f374ece runtime: require node >= 10.13.0 LTS
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.

Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
John McLear babf67175c undomodule: disallow undoing "clear authorship colors"
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
muxator a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
ahmadine 0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator 7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00
muxator 4f53b35bcb changelog: reflect the fact that next release will be 1.8-beta.1
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator 55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator 705cc6f5e4 Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00
muxator a6656102d8 CHANGELOG.md: link to https://translatewiki.net instead of plain http 2019-04-16 00:53:00 +02:00
muxator 4f0a2785da release: prepare for 1.7.5
Written the changelog and updated package.json.
2019-01-26 00:16:03 +01:00
muxator 4408a1e505 release: prepare for 1.7.0
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator 60c1036ecb
changelog: put <ol> in backticks
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
2018-07-20 12:33:45 +02:00
muxator bfec44e346 Release version 1.6.6 2018-05-05 00:53:59 +02:00
muxator e13ae0aec5 changelog: better specified CVE description
Previous commit was wrong.
Fixes #3372, really.
2018-05-04 23:24:58 +02:00
muxator 10d555bc91 changelog: better specified CVE description
fixes #3372
2018-05-04 23:15:22 +02:00
muxator 3eb3e301a2 manually updated CHANGELOG.md
due to createRelease.sh not catching an error from sed and continuing:
   sed: -e expression #1, char 66: unterminated `s' command
2018-04-10 00:50:28 +02:00
John McLear 0132f4d1da Include CVE # 2018-04-07 10:13:09 +01:00
John McLear c34350f307 Beginning to make release 2018-04-07 09:22:13 +01:00
Stefan 1e25e7fc77 Release version 1.6.3 2018-02-03 12:57:22 +01:00
Stefan (Gared) e84c696225 Updated CHANGELOG.md 2017-11-04 17:38:59 +01:00
Jonah Duckles fcde66050e Fix markdown H1 2017-05-30 13:34:07 +12:00
Stefan 9f51432175 Update CHANGELOG.md 2016-12-23 22:12:18 +01:00
Stefan 5ed9f2736a Add version 1.6.0 changelogs 2016-04-24 21:32:21 +02:00
Stefan 6fae670476 Release version 1.5.7 (changelog) 2015-08-05 19:25:11 +02:00
Stefan 2393ea01f0 Release version 1.5.6 2015-04-16 23:06:24 +02:00
Stefan 64d94cb346 Release version 1.5.5 2015-04-13 17:27:14 +02:00