public-offering
/
pad.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5,577 Commits
190 Branches
71 Tags
55 MiB
Commit Graph

5577 Commits (963d12e614707f1e6b7be518966ba99cecdbf20a)

Author SHA1 Message Date
Chocobozzz 963d12e614 PadManager: use a set instead of an array in padlist 
Avoid looping on the array, especially useful if you have many pads.

--HG--
branch : padlist-use-set
 2020-04-09 03:39:32 +02:00
Chocobozzz 94ff21e25c PadManager: anchor the addPad regex to the start of the string 
This improves the performance a bit, and is more adherent to the logic of the
application.

--HG--
branch : padlist-use-set
 2020-04-09 03:39:32 +02:00
Chocobozzz 8c4625ec50 tests: add tests for listAllPads() API call 
--HG--
branch : padlist-use-set
 2020-04-09 03:39:32 +02:00
Marcin Cieślak df08883a00 SecurityManager: remove double quotes from session cookie content 
Sometimes, RFC 6265-compliant [0] web servers may send back a cookie whose value
is enclosed in double quotes, such as:

    Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard

Where the double quotes at the start and the end of the header value are just
delimiters. This is perfectly legal: Etherpad parsing logic should cope with
that, and remove the quotes early in the request phase.

Somehow, this does not happen, and in such cases the actual value that
sessionCookie ends up having is:

    sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"'

As quick measure, let's strip the double quotes (when present).
Note that here we are being minimal, limiting ourselves to just removing quotes
at the start and the end of the string.

Fixes #3819.
Also, see #3820.


[0] https://tools.ietf.org/html/rfc6265
 2020-04-09 01:14:51 +02:00
John McLear 08b83ae358 LibreOffice: use "html:XHTML Writer File:UTF8" export method 
This yields better conversion results, but requires the previous change,
otherwise there would have been difficulties in locating the temporary file
name.
 2020-04-08 22:51:25 +02:00
John McLear b2ccd0a191 LibreOffice: decouple the extension of the temporary file from its type 
In the next commit, we are going to change the conversion method to
"html:XHTML Writer File:UTF8". Without this change, that conversion method name
would end up in the extension of the temporary file that is created as an
intermediate step. In this way, the file extensione will always stay ".html".

No functional changes, hopefully. Only the extension of the temporary file
should change.
 2020-04-08 22:51:25 +02:00
John McLear f6907c5fad contentcollector: remove weird stuff LibreOffice adds to DOM before importing 2020-04-08 22:51:25 +02:00
John McLear a371deb9d1 ImportHandler: quick & dirty way of being more lax when matching <title> 
This change is meant to ease using LibreOffice as converter. When LibreOffice
converts a file, it adds some classes to the <title> tag.
This is a quick & dirty way of matching the <title> and comment it out
independently on the classes that are set on it.
 2020-04-08 22:51:25 +02:00
John McLear babf67175c undomodule: disallow undoing "clear authorship colors" 
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
 2020-04-08 15:20:37 +02:00
Paul Tiedtke ffc718e8c0 docker: add support for arbitrary user ids (for OpenShift compatibility) 
This solves a compatibility problem with OpenShift. In OpenShift security
model, the containers are run by arbitrary user ids, but the users are always
a member of the root group.

This PR adjusts the permissions accordingly.

Documentation reference:
https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#use-uid
 2020-04-08 15:06:08 +02:00
Paul Tiedtke 79406051fa Settings.js: support newlines in default values when using variable substitution 
This allows, among other things, to correctly support the configuration of
defaultPadText in Docker via an environment variable.
 2020-04-07 04:32:37 +02:00
John McLear 3872690715
ace2_inner: remove Chrome specific hack 
This code was specific for older Chrome versions. It can be simplified now.

Fixes #3487
 2020-04-07 03:47:46 +02:00
John McLear 8987c5d813 dependencies: upgrade uglify-js 2.6.2 -> 3.8.1 and adapt Minify 
This was a major update that required code changes.
 2020-04-03 00:05:15 +00:00
muxator a286f32c2a dependencies: remove object.values 
This should have been part of 09949c242a ("node8: we no longer need to use a
shim for Object.values in stats.js")
 2020-04-07 03:15:10 +02:00
muxator a5ed0b524b dependencies: use fixed versions in package.json 
We want to track dependencies as explicitly as possible.
 2020-04-07 03:04:23 +02:00
Viljami Kuosmanen 3edd727a94 customError: rewrite the module using class syntax 
The previous syntax caused a deprecation warning on Node 10.
However, due to the very old version of log4js Etherpad is currently using,
customError objects are going to be displayed as { inspect: [Function: inspect] }.

This needs to be addressed later, updating log4js.

Fixes #3834.
 2020-04-07 02:03:17 +02:00
muxator e6251687bf api: test coverage for getStats() 2020-04-04 22:03:46 +02:00
muxator 4ef59bbda0 api: in getStats(), directly rewrote activePads as an expression 
Instead of creating an empty Set and then mutate it.
 2020-04-04 22:03:46 +02:00
Chocobozzz 82b919fc65 api: add getStats() function 2020-04-04 22:03:46 +02:00
John McLear eb45934788 remove noise 2020-04-03 11:32:14 +01:00
John McLear 4e212d12b2 patch fix for 3825 2020-04-03 11:32:14 +01:00
Chocobozzz 0889a1313d referer: do not send referrer when opening a link 
This change augments what was already done in 54e0f2de5b (PR with discussion
at #3636).

For documentation about the meaning of "noopener, noreferrer", see:
https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
 2020-03-31 10:02:46 +02:00
John McLear cdf5b63f26 use a deletePad approach that works when server is running and works with MySQL 2020-04-03 03:31:18 +02:00
John McLear 93180c287b
tests: in Travis, also run the backend tests 
This change introduces automatic execution of the backend tests in Travis.

Implements #2351.
 2020-04-03 03:27:05 +02:00
John McLear c2ea2b3a6d webaccess: do not resave session 
Before this change, the database was spammed with session values.
Modern express-session has this baked in.
See https://www.npmjs.com/package/express-session#resave for docs.
 2020-04-03 02:55:33 +02:00
John McLear 1f0058dd6f interesting discovery RE 3612 and 2802 2020-04-03 02:40:59 +02:00
muxator 3a46e010ce dependencies: bump ueberdb2 0.4.3 -> 0.4.5 
Original message from John McLear (PR #3817):
  We now include BINARY in the MySQL WHERE select clause.
  Test coverage might be desirable?

Fixes #2877
 2020-04-03 01:27:49 +02:00
Viljami Kuosmanen ccf406708e openapi: support standard http error codes 
API errors are now handled at the end of the request heap by
throwing exceptions from the handler
 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen 3742fdfb04 openapi: disable cors headers for /api/** paths 
Still enabled for /rest/** and **/openapi.json
 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen 6aa30f213a openapi: add jsonp support + test 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen e821bbcad8 openapi: add documentation, small optimisation 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen c2cca39c7d openapi: minor improvements 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen 172da1483e openapi: add commented out version of response processors 
For some weird reason, these seem to be part of the original swagger
implementation but tests assume they're turned off.

Perhaps a difference between /rest and /api?
 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen 5792f7224a openapi: add response objects 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen 03d8964a7a openapi: upgrade to openapi-backend 2.4.0 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen f9d24f5a39 openapi: remove swagger-node-express 2020-04-03 01:03:11 +02:00
Viljami Kuosmanen 25e081ac89 openapi: implement API handler with openapi-backend 
- Tests pass 
- Added openapi-backend hook
- Generating OpenAPI v3 definitions for each API version
- Definitions served /api/openapi.json /api/{version}/openapi.json
 2020-04-03 01:03:11 +02:00
John McLear dbab4ad13a dont pass empty author info to edit 2020-04-02 23:29:03 +01:00
muxator 3e3b0dec97 package-lock: restore baseline package-lock.json after 4db91cb2ed 
This amends the previous commit, ans should have been part of 4db91cb2ed.
 2020-04-02 22:58:38 +02:00
John McLear 0a606de44a bump package lock for ueber 2020-04-01 15:24:24 +00:00
John McLear 4db91cb2ed
Bump Ueber to 0.4.3 2020-04-01 11:49:41 +01:00
muxator b7ac0f7991 Settings: allow the existence of "password" and "hash" attributes for users. 
This brings back compatibility with ep_hash_auth, which was inadvertently broken
with 28a3bba4c1.
Based on work by John McLear.

Fixes #3681.
 2020-04-01 04:13:21 +02:00
John McLear 53f126082a SessionStore: replace password with PASSWORD_HIDDEN when storing in db 
Fixes #3421.
 2020-04-01 03:39:05 +02:00
Daniel Krol 3e8b426847 ui: initialize color picker with the user's color 
Initialize the color picker with user's current color.
Was previously initialized with grey in Farbtastic library.

Fixes #3617
 2020-04-01 02:34:56 +02:00
Daniel Krol ac9d7f80cc tests: add tests showing that the color chooser is not initialized with the user's color 
When opening the color chooser after a page load, the selected color is always
gray, and not the user's color.
 2020-04-01 02:34:56 +02:00
John McLear b74a4819ae
beta.etherpad.org been down a while 
Sorry about the direct commit 🍡
 2020-03-31 19:54:46 +01:00
muxator 4ee5ddb496 caching_midleware: also run when nodejs does not have crypto module 
According to the nodejs docs [0] the `crypto` module might be unavailable on
some platforms:

> It is possible for Node.js to be built without including support for the
> crypto module. In such cases, calling require('crypto') will result in an
> error being thrown

A description of such scenarios can be found here [1].

> * running non-standard node in a resource- or security-constrained
>   environment
> * running in emulated environment (browserify, webpack etc.)
> * building node from source and omitting openssl/crypto for random reason

TypeScript guys dealt with this same issue and they resolved it in an elegant
way in [2].

We copy that approach here: if importing crypto fails at runtime, we replace
sha256 with djb2 [3], which is weaker, but works for our case.

The djb2 story is fun: see this Stack Overflow post [4], and the original
mailing list post from 1991 [5] by Daniel J. Bernstein [6].

He was 20 at the time!

[0] https://nodejs.org/docs/latest-v10.x/api/crypto.html#crypto_determining_if_crypto_support_is_unavailable
[1] https://github.com/microsoft/TypeScript/issues/19100#issuecomment-335871998
[2] 9677b0641c
[3] http://www.cse.yorku.ca/~oz/hash.html#djb2
[4] https://stackoverflow.com/questions/1579721/why-are-5381-and-33-so-important-in-the-djb2-algorithm
[5] https://groups.google.com/forum/#!msg/comp.lang.c/lSKWXiuNOAk/zstZ3SRhCjgJ
[6] https://en.wikipedia.org/wiki/Daniel_J._Bernstein
 2020-03-31 04:09:49 +02:00
Tom Hudson fc754c9a1d Switches cacheKey from base64 of path to sha256 of path; fixes #3502 2020-03-31 02:42:58 +02:00
John McLear 6c12a7fb1f tests: backend tests for utf8 & emojis support 2020-03-31 02:11:25 +02:00
John McLear 352b432ed1 tests: in backend tests, use POST instead of GET for setText() and setHTML() 
This is allowed starting from fc661ee13a ("core: allow URL parameters and POST
bodies to co-exist"), which landed in Etherpad 1.8.0. For the discussion, see
issue #3568.
 2020-03-31 02:11:25 +02:00