muxator
7c099fef5e
settings: do not create a user if he has no password field, or if his password is null.
...
This will be used by the settings.json in the default Dockerfile to eschew
creating an admin user when no password is set.
Closes #3648 .
2019-10-19 00:54:56 +02:00
muxator
4e758a9f4a
settings: better explain that no default value is very different from ''
...
If environment variable PASSW is not defined, the following would be very
different:
"password": "${PASSW}" // would result in password === null
"password": "${PASSW:}" // would result in password === ''
This characteristic will be used in the next commit, when we will use it to
discard a user if his password were null (and in turn use it for docker
containerization).
No functional changes.
2019-10-19 00:34:00 +02:00
muxator
1cc6838772
settings: reformat settings.json.template, in preparation for next commits
...
No functional changes.
2019-10-10 20:25:34 +02:00
aaron-costello
5879037ddc
security: support for clean & safe error handling on IE 11
...
Added pad_utils sanitization for clean and safe error handling on browsers that
do not encode the path of the URL.
Edited by muxator based on https://github.com/ether/etherpad-lite/pull/3647 ,
to be able to apply the patch on develop (the PR was for master), and perform
minor cleanups (mainly spurious statements).
Closes #3647 .
2019-10-18 21:00:11 +01:00
translatewiki.net
c65c5f17aa
Localisation updates from https://translatewiki.net .
2019-10-14 17:20:29 +02:00
Stefan Schwarz
070a5fd74f
remove npm cache from image
2019-10-08 19:51:11 +02:00
Stefan Schwarz
a9a3bf9bd2
use buster slim
2019-10-08 19:51:11 +02:00
muxator
5eb60cef01
jQuery: update vendored version (1.9.1 -> 1.12.4)
...
The vendored jquery version was 1.9.1 from 2013-02-04. Let's replace it with the
most recent one from the 1.x branch (1.12.4 from 2016-05-20).
The modification in rjquery.js is needed because recent jQuery versions changed
their behaviour, and do not set themselves on the global window object.
See: https://github.com/parcel-bundler/parcel/issues/333#issuecomment-357882648
This will be the latest jQuery 1.x version ever, because 1.x branch is
definitively EOLed (see https://github.com/jquery/jquery.com/issues/162 ).
This is a stopgap measure to get the latest security fixes. Going forward,
another strategy will be needed.
Closes #3640
2019-09-16 22:55:53 +02:00
translatewiki.net
b3d8f857b7
Localisation updates from https://translatewiki.net .
2019-09-16 18:48:33 +02:00
translatewiki.net
506f4775cc
Localisation updates from https://translatewiki.net .
2019-09-12 15:55:45 +02:00
translatewiki.net
a98cfe33de
Localisation updates from https://translatewiki.net .
2019-09-06 06:47:40 +02:00
Moritz Jordan
0a8e32563b
Fix Unicode bug in HTML export
2019-08-12 00:41:17 +02:00
muxator
161a38efd2
dependencies: update wd, 1.11.1 -> 1.11.3
...
This is a dev dependency, so no real risks, but it's better not to scare users.
Previously reported vulnerabilities fixed by this change:
$ npm audit
=== npm audit security report ===
# Run npm install --save-dev wd@1.11.3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wd [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ wd > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/1065 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update lodash --depth 3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wd [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ wd > async > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/1065 │
└───────────────┴──────────────────────────────────────────────────────────────┘
2019-08-08 22:29:58 +02:00
muxator
d555b052cb
dependencies: update npm, 6.4.1 -> 6.10.3
...
This was an arbitrary file overwrite vulnerability in tar. A fix in the library
was available, but npm and npm-lifecycle took a while to issue updated versions.
Resolves #3598 .
Previously reported vulnerabilities fixed by this change:
$ npm audit
=== npm audit security report ===
# Run npm install npm@6.10.3 to resolve 9 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > npm-lifecycle > node-gyp > tar > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm > node-gyp > tar > fstream │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/886 │
└───────────────┴──────────────────────────────────────────────────────────────┘
2019-08-08 22:17:53 +02:00
Richlv
2c9383b69e
minor typo fix
2019-08-08 21:58:30 +02:00
Lars Olafsen
1789129b35
NODE_ENV controls run-time behaviour, thus needs to be set by ENV
2019-08-08 21:53:47 +02:00
translatewiki.net
df03257d9c
Localisation updates from https://translatewiki.net .
2019-08-08 20:05:35 +02:00
translatewiki.net
ea0554d70f
Localisation updates from https://translatewiki.net .
2019-08-05 12:02:28 +02:00
translatewiki.net
4e601dd03b
Localisation updates from https://translatewiki.net .
2019-08-01 18:19:57 +02:00
translatewiki.net
1845e91909
Localisation updates from https://translatewiki.net .
2019-07-29 14:23:20 +02:00
muxator
4582f9daeb
docker: support including plugins in custom builds.
...
This commit introduces the support for the ETHERPAD_PLUGINS build parameter,
which contains a list of plugins to be installed while building the container.
EXAMPLE:
docker build --build-arg ETHERPAD_PLUGINS="ep_codepad ep_author_neat" --tag <YOUR_USERNAME>/etherpad .
Resolves #3618 .
2019-07-16 14:14:34 +02:00
muxator
b5ac653cbc
docker: reorganized the README, same infos
...
This is in preparation for the next commit, which will introduce support for
custom builds with plugins.
2019-07-16 14:14:34 +02:00
muxator
e8e2284884
docker: move WORKDIR as on top as possible.
...
WORKDIR is also valid at build time, thus it makes sense to move it as far towards
the top as possible.
This will come in handy in the next commits, when we will introduce support for
installing plugins while building the container.
Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
[...] you should use WORKDIR instead of proliferating instructions like
RUN cd … && do-something,
which are hard to read, troubleshoot, and maintain.
2019-07-16 14:14:34 +02:00
translatewiki.net
832e63c691
Localisation updates from https://translatewiki.net .
2019-07-15 20:01:25 +02:00
translatewiki.net
09d89cd74a
Localisation updates from https://translatewiki.net .
2019-07-11 17:21:48 +02:00
translatewiki.net
3d0778d9c9
Localisation updates from https://translatewiki.net .
2019-07-08 20:05:10 +02:00
translatewiki.net
9a5f42450c
Localisation updates from https://translatewiki.net .
2019-07-05 07:05:14 +02:00
translatewiki.net
04a45fbe46
Localisation updates from https://translatewiki.net .
2019-06-13 20:05:10 +02:00
translatewiki.net
2a78dcfc38
Localisation updates from https://translatewiki.net .
2019-05-27 16:37:10 +02:00
translatewiki.net
033c6a8b7a
Localisation updates from https://translatewiki.net .
2019-05-17 12:15:48 +02:00
cupcakearmy
d88726b58d
colibris: the "ok" button was misaligned in Chrome
...
When visiting Etherpad's home page with Chrome the "ok" button was not on the
same line as the pad name text box. On Firefox & Safari there was no problem.
Tested on Chrome 74.
Fixes #3604 .
2019-05-10 09:50:25 +02:00
translatewiki.net
f2b888e3ff
Localisation updates from https://translatewiki.net .
2019-05-06 16:39:54 +02:00
muxator
fc7d639f84
dependencies: update express-session, 1.15.6 -> 1.16.1
...
This is a non breaking change.
From the changelog (https://github.com/expressjs/session/blob/v1.16.1/HISTORY.md#1161--2019-04-11 ):
# 1.16.1 / 2019-04-11
- Fix error passing data option to Cookie constructor
- Fix uncaught error from bad session data
# 1.16.0 / 2019-04-10
- Catch invalid cookie.maxAge value earlier
- Deprecate setting cookie.maxAge to a Date object
- Fix issue where resave: false may not save altered sessions
- Remove utils-merge dependency
- Use safe-buffer for improved Buffer API
- Use Set-Cookie as cookie header name for compatibility
- deps: depd@~2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
- perf: remove argument reassignment
- deps: on-headers@~1.0.2
- Fix res.writeHead patch missing return value
2019-05-04 17:15:36 +02:00
muxator
1435e203a8
dependencies: update graceful-fs, 4.1.11 -> 4.11.15
...
Minor change, but could not easily find a changelog on
https://github.com/isaacs/node-graceful-fs
2019-05-04 16:56:03 +02:00
muxator
47ad347fac
dependencies: update cookie-parser, 1.4.3 -> 1.4.4
...
This is a non breaking change.
From the changelog (https://github.com/expressjs/cookie-parser/blob/1.4.4/HISTORY.md#144--2019-02-12 ):
# 1.4.4 / 2019-02-12
- perf: normalize secret argument only once
2019-05-04 16:49:33 +02:00
muxator
90b288b576
dependencies: update nyc, 12.0.1 -> 14.1.0
...
This is just a dev dependency, so no real risks, but it's better not to scare
users.
Reported vulnerability before this change:
$ npm audit
=== npm audit security report ===
# Run npm install --save-dev nyc@14.1.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nyc > istanbul-reports > handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/755 │
└───────────────┴──────────────────────────────────────────────────────────────┘
2019-05-03 23:27:35 +02:00
translatewiki.net
a7220558d2
Localisation updates from https://translatewiki.net .
2019-05-02 18:00:18 +02:00
translatewiki.net
c9664804f1
Localisation updates from https://translatewiki.net .
2019-04-29 17:28:56 +02:00
translatewiki.net
ba9b9c9931
Localisation updates from https://translatewiki.net .
2019-04-18 16:59:41 +02:00
Tristram Gräbener
357780d573
Display the version in the web interface
...
In the settings drop-down this adds an “About” section that also shows
the commit if "exposeVersion" is set to true.
Fixes #2968
2019-04-15 23:17:34 +00:00
Tristram Gräbener
28a6f505c5
Parameters: the version is exposed in http header only when configured
...
Currently the version is exposed in a 'Server' HTTP header.
This commit allows parameterizing it in the settings. By default it is
not exposed.
Fixes #3423
2019-04-15 23:17:34 +00:00
Tristram Gräbener
8453f07205
Chat bubble: by default hide in CSS
...
The current behaviour is to show the chat bubble and hide if chat is
disabled.
Because of this, the bubble appears wrongfully for a short time.
With this PR, by default it is hidden and displayed only if chat is
enabled.
Fixes #3088
2019-04-15 23:14:47 +00:00
muxator
705cc6f5e4
Change everywhere the link to https://etherpad.org (it was plain http)
2019-04-16 00:54:54 +02:00
muxator
a6656102d8
CHANGELOG.md: link to https://translatewiki.net instead of plain http
2019-04-16 00:53:00 +02:00
muxator
75a0f339e1
Settings.js, express.js: trivial reformatting
...
Future commits by Tristram Gräbener will modify them.
2019-04-16 00:17:56 +02:00
muxator
dc7e49f89d
Remove trailing whitespaces
...
Hoping to minimize future diffs. Not touching vendorized libraries.
2019-04-16 00:34:29 +02:00
translatewiki.net
1cb9c3e1ce
Localisation updates from https://translatewiki.net .
2019-04-15 17:36:10 +02:00
translatewiki.net
e3cc21e477
Localisation updates from https://translatewiki.net .
2019-04-08 16:43:29 +02:00
translatewiki.net
ae3ecf54d5
Localisation updates from https://translatewiki.net .
2019-04-04 19:59:52 +02:00
translatewiki.net
dc338c4e48
Localisation updates from https://translatewiki.net .
2019-04-01 20:26:39 +02:00