6278 Commits (afb025030cc17419271e155f5b66955e64f4f9c3)

Author SHA1 Message Date
Richard Hansen e20731cb12 webaccess: Fix syntax error (missing close curly brace)
Somehow I introduced this bug in commit
2bc26b8ef8 but never noticed.
2020-09-15 21:21:13 +01:00
Richard Hansen d2773609d1 PadMessageHandler: Fix assignment to const variable 2020-09-15 20:04:33 +01:00
Richard Hansen 5ac5b65aff Pad: Disable toolbar and import/export when reconnecting 2020-09-15 20:04:17 +01:00
Richard Hansen 6f28e415ec PadMessageHandler: Move code out of unnecessary closure (again) 2020-09-15 20:04:01 +01:00
Richard Hansen 9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
Richard Hansen 80639fdc6a webaccess: Pass `settings.users` to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00
Richard Hansen 250e932f59 webaccess: Enforce creation of `req.session.user` by authn plugins
The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.
2020-09-15 19:26:14 +01:00
Richard Hansen 362b567276 docs: Revise documentation for handleMessage and handleMessageSecurity 2020-09-15 19:25:04 +01:00
Richard Hansen 80c0e2487d PadMessageHandler: Move code out of unnecessary closure
Also simplify the logic.
2020-09-15 19:23:48 +01:00
Richard Hansen a261fdf430 i18n: Improve error logging when language JSON read fails
Before it only logged an error like this:

    SyntaxError: Unexpected string in JSON at position XYZ

Now it also logs the filename, making it easier to figure out where
the bad data is:

    failed to read file /path/to/etherpad-lite/src/locales/en.json: SyntaxError: Unexpected string in JSON at position XYZ
2020-09-15 15:32:43 +01:00
John McLear 38352c1f8c Merge branch 'develop' of github.com:ether/etherpad-lite into develop 2020-09-15 13:15:53 +01:00
John McLear 9f3cc7aae0 deps: update UeberDB to fix issue with Postgres which was causing 1.8.5 to fail on PG sites. 2020-09-15 13:15:28 +01:00
Richard Hansen 2bc26b8ef8 webaccess: Factor out common code 2020-09-15 10:44:23 +01:00
Richard Hansen f9087fabd6 security: Check authentication in SecurityManager checkAccess
In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
2020-09-15 10:43:23 +01:00
Richard Hansen 259b8d891d socketio: Use Error objects for socket.io connection errors
socket.io expects Error objects, otherwise it won't propagate the
message to the client.

Also do some cleanup.
2020-09-15 10:42:25 +01:00
Richard Hansen 0a836ced29 css: Line up line numbers with their rows
Tested with both `no-skin` and `colibris`.
2020-09-15 09:29:09 +01:00
webzwo0i ec6b983917 packaging: remove pad_docbar.js (#4286)
package to reduce http requests: nice-select,
pad_automatic_reconnect, skin_variants, scroll, caretPosition

rename unorm in tar.json so it can be included
2020-09-13 19:01:28 +01:00
Richard Hansen d0a16d23cb security: Fix authentication bypass vulnerability
Before, anyone who could create a socket.io connection to Etherpad
could read, modify, and create pads at will without authenticating
first.

The `checkAccess` middleware in `webaccess.js` normally handles
authentication and authorization, but it does not run for `/socket.io`
requests. This means that the connection handler in `socketio.js` must
handle authentication and authorization. However, before this change:
  * The handler did not require a signed `express_sid` cookie.
  * After loading the express-session state, the handler did not check
    to see if the user had authenticated.

Now the handler requires a signed `express_sid` cookie, and it ensures
that `socket.request.session.user` is non-null if authentication is
required. (`socket.request.session.user` is non-null if and only if
the user has authenticated.)
2020-09-13 18:56:31 +01:00
John McLear 4434e54368 Update responsiveness.js
Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.
2020-09-12 11:00:05 +01:00
Richard Hansen 8b0baa9679 SecurityManager: Refactor checkAccess for readability, correctness
  * Move session validity check and session author ID fetch to a
    separate function. This separate function can be used by hooks,
    making it easier for them to properly determine the author ID.
  * Rewrite the remainder of checkAccess. Benefits:
      - The function is more readable and maintainable now.
      - Vulnerability fix: Before, the session IDs in sessionCookie
        were not validated when checking settings.requireSession. Now,
        sessionCookie must identify a valid session for the
        settings.requireSession test to pass.
      - Bug fix: Before, checkAccess would sometimes use the author ID
        associated with the token even if sessionCookie identified a
        valid session. Now it always uses the author ID associated
        with the session if available.
2020-09-12 09:42:47 +01:00
Richard Hansen 8756fed80d PadMessageHandler: Use `await` instead of `p.then()` 2020-09-11 22:11:03 +01:00
Richard Hansen 3262ff1cb9 PadMessageHandler: Rename createSessionInfo to createSessionInfoAuth
The function doesn't create the session info -- it creates the auth
property of existing session info.
2020-09-11 22:11:03 +01:00
Richard Hansen de792559cb PadMessageHandler: Use `===` instead of `==` for comparison 2020-09-11 22:11:03 +01:00
Richard Hansen 7f0770d684 PadMessageHandler: Invert logic to improve readability 2020-09-11 22:11:03 +01:00
Richard Hansen d4db091d1d PadMessageHandler: Simplify handleClientReady a bit
Before, this function referred to the same author ID in different ways
in different places. Use one spelling to make the code easier to read.
2020-09-11 22:11:03 +01:00
Richard Hansen ed3c82e8c3 Use `null`, not `"null"`, if `sessionID` cookie doesn't exist
`decodeURIComponent(null)` returns the string `'null'`, which we don't
want.
2020-09-11 22:10:04 +01:00
translatewiki.net 24978daeb0 Localisation updates from https://translatewiki.net. 2020-09-10 18:36:59 +02:00
webzwo0i e2b3b009e1 tests: skip responsiveness test on firefox 52.0/windows (#4275) 2020-09-09 21:40:53 +01:00
John McLear 5dfae625b9 Package Lock update 2020-09-09 18:15:47 +01:00
John McLear c8361a211a bump ueber 2020-09-09 14:41:03 +01:00
Stefan Mueller 477f637488 Merge tag '1.8.5' into develop
Version 1.8.5
2020-09-08 22:34:35 +02:00
Stefan Mueller f3d950c664 Merge branch 'release/1.8.5' 2020-09-08 22:34:02 +02:00
Stefan Mueller 5e03a3b0fe Set changelog information for new version 2020-09-08 22:10:27 +02:00
Stefan Mueller e64a269a65 Update version to 1.8.5 2020-09-08 22:09:56 +02:00
Stefan Mueller 10402c2e2d Update version to 1.8.5 2020-09-08 21:56:20 +02:00
John McLear 7258d75cc5 bumping ueber 2020-09-08 16:03:15 +01:00
John McLear 2b9915d00d commenting out responsiveness test in preparation for a release 2020-09-08 15:18:19 +01:00
Richard Hansen 6c2a361935 import: Use the correct author ID when using sessions
There are two different ways an author ID becomes associated with a
user: either bound to a token or bound to a session ID. (The token and
session ID come from the `token` and `sessionID` cookies, or, in the
case of socket.io messages, from the `token` and `sessionID` message
properties.) When `settings.requireSession` is true or the user is
accessing a group pad, the session ID should be used. Otherwise the
token should be used.

Before this change, the `/p/:pad/import` handler was always using the
token, even when `settings.requireSession` was true. This caused the
following error because a different author ID was bound to the token
versus the session ID:

> Unable to import file into ${pad}. Author ${authorID} exists but he
> never contributed to this pad

This bug was reported in issue #4006. PR #4012 worked around the
problem by binding the same author ID to the token as well as the
session ID.

This change does the following:
  * Modifies the import handler to use the session ID to obtain the
    author ID (when appropriate).
  * Expands the documentation for the SecurityManager checkAccess
    function.
  * Removes the workaround from PR #4012.
  * Cleans up the `bin/createUserSession.js` test script.
2020-09-08 15:04:17 +01:00
Richard Hansen db0bcb524e SecurityManager: Use constants for returned rejections
This reduces the chances of a typo-induced bug.
2020-09-08 14:53:28 +01:00
Sebastian Castro 818194da90 editor/performance: Fix performance for large pads (#4267)
* Fix line numbers top padding

This old rule was conflicting with new css rules introduced in 1.8.4

* Fixes #4228 Performance degradation for long pads

Due to layout thrashing when calculating new heights
2020-09-08 14:52:26 +01:00
Richard Hansen da459888dc plugins: Move plugin definitions to avoid monkey patching
Also document the plugin data structures.
2020-09-08 00:50:24 +01:00
Richard Hansen dcbf876d03 hooks: New mechanism to deprecate hooks
I plan on splitting authFailure into authnFailure and authzFailure so
that separate authentication and authentication plugins can coexist
peacefully. This change will make it possible to mark the authFailure
hook as deprecated (which simply logs a warning).
2020-09-08 00:49:10 +01:00
Richard Hansen 8cf2bcaeb4 plugins: Fix type typo
`exports.parts` is a topologically sorted array, but the intermediate
collection of parts assembled in `plugins.update()` is associative.
2020-09-08 00:47:32 +01:00
Richard Hansen c3b2e68dad Revert "Delete redundant token2author DB save"
Something's weird here; this change shouldn't have any effect. I'll
have to squint at the code some more.

This reverts commit 2bf076043f.

Fixes #4262
2020-09-08 00:46:01 +01:00
webzwo0i 49a6b1dac2 GroupManager: typo during session deletion 2020-09-08 00:45:39 +01:00
translatewiki.net efa4ba3cf1 Localisation updates from https://translatewiki.net. 2020-09-07 16:40:05 +02:00
Richard Hansen 68be78ace0 SecurityManager: Simplify checkAccess 2020-09-07 08:34:15 +01:00
Richard Hansen 17096919e0 PadMessageHandler: Delete redundant check
This check is already made very early in `handleMessage`.
2020-09-05 22:49:07 +01:00
Richard Hansen d4162341e7 webaccess: Always sleep for 1s before returning HTTP 401
Not all authentication plugins require the Authorization header, so it
might not be present in subsequent attempts. (In particular, a reverse
proxy might strip it.)
2020-09-05 22:45:46 +01:00
Richard Hansen 442fe1e86f pluginfw: Always include the function name in `hook_fn_name`
Plugin authors are allowed to omit the function name in the `ep.json`
parts definition. For example:

```
{
  "parts": [
    {
      "name": "ep_example",
      "hooks": {
        "authenticate": "ep_example",
        "authFailure": "ep_example"
      }
    }
  ]
}
```

If omitted, the function name is assumed to be the same as the hook
name. Before this change, `hook_fn_name` for the example hooks would
both be `/opt/etherpad-lite/node_modules/ep_example`. Now they are
suffixed with `:authenticate` and `:authFailure`. This improves
logging, and it makes it possible to use `hook_fn_name` to uniquely
identify a particular hook function.
2020-09-05 22:43:17 +01:00