Commit Graph

35 Commits (e7a532391198a8b4124751324442c3f2dd8c0533)

Author SHA1 Message Date
Richard Hansen 2bb431e7e5
express-session: Implement and enable key rotation (#5362) by @rhansen
* SecretRotator: New class to coordinate key rotation

* express-session: Enable key rotation

* Added new entry in docker.adoc

* Move to own package.Removed fallback as Node 16 is now lowest node version.

* Updated package-lock.json

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2023-07-03 22:58:49 +02:00
DanielHabenicht 675c0130b9
allow option to make pad names case-insensitive (#5501) by @DanielHabenicht
* New option to make pad names case-insensitive

fixes #3844

* fix helper.gotoTimeslider()

* fix helper.aNewPad() return value

* Update src/node/utils/Settings.js

Co-authored-by: Richard Hansen <rhansen@rhansen.org>

* remove timeout

* rename enforceLowerCasePadIds to lowerCasePadIds

* use before and after hooks

* update with socket specific test

* enforce sanitizing padID for websocket connections

- only enforce for newly created pads, to combat case-sensitive pad name hijacking

* Added updated package.json file.

---------

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2023-07-03 20:52:49 +02:00
Richard Hansen c7195b1133 docker: Add variables for cookie settings 2022-01-19 23:08:32 -05:00
Richard Hansen 861a929a43 docker: Sync `settings.json.docker` with `.template` 2022-01-19 23:06:56 -05:00
Richard Hansen 8c857a85ac pad: Use `null` as default for `userName`, `userColor` options
These options are used as strings, so it doesn't make sense to default
them to a boolean value.

Note that this change has no effect due to a bug in how pad options
are processed; that bug will be fixed in a future commit.
2021-12-04 23:06:16 -05:00
Richard Hansen 61b608e264 pad: Use `null` as default for `lang` option
It doesn't make sense to override the browser's language with `en-gb`
by default.

Note that this change has no effect due to a bug in how pad options
are processed; that bug will be fixed in a future commit.
2021-12-04 23:06:16 -05:00
Richard Hansen aec619cc0b log4js: Deprecate the `logconfig` setting
This will make it possible to upgrade log4js in a future version.
2021-09-28 04:30:26 -04:00
JustAnotherArchivist fe7d223b6e Docker: Expose socketIo.maxHttpBufferSize and dumpOnUncleanExit settings as environment variables 2021-09-16 19:14:36 +00:00
Richard Hansen 1db509ba23 Docker: Add `dbSettings.collection` and `.url` settings
These are used by the `mongodb` driver.
2021-07-30 03:48:36 -04:00
Richard Hansen de0a450aec Docker: If `DB_*` env var is unset, remove the corresponding setting 2021-06-06 14:00:52 -04:00
Richard Hansen 428f8d1684 Settings: Deprecate null as the default default value 2021-06-06 14:00:52 -04:00
Richard Hansen aa221698c8 Docker: Explicitly default env var substitutions to null 2021-06-06 14:00:52 -04:00
Richard Hansen c7bb18c6da Settings: Support null and undefined env var substitutions 2021-06-06 14:00:51 -04:00
Richard Hansen ea8846154f favicon: Redo favicon customization 2021-04-20 13:33:55 -04:00
Chocobozzz a001a13411 fix(perf): Disable wtfnode dump by default
Consumes a lot of CPU so it's better to enable it on purpose
2021-04-13 16:01:41 +02:00
John McLear b7e88cb904 security: New setting for Socket.IO `maxHttpBufferSize` 2021-02-15 12:45:31 -05:00
Ole Langbehn 4c6a12ce2b Add commitRateLimiting settings block to settings.json.docker
The settings commitRateLimiting.duration and commitRateLimiting.points
were not available in the settings.json.docker file, and therefore it
was not possible to override their values via environment variables.

Now, they can be overridden by setting the following env vars:

* commitRateLimiting.duration: COMMIT_RATE_LIMIT_DURATION
* commitRateLimiting.points:   COMMIT_RATE_LIMIT_POINTS
2021-02-08 19:19:03 +00:00
freddii ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen 2db4b04af3 cookies: Use `SameSite=None` if in an iframe from another site 2020-10-04 08:57:44 +01:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
Daniel Krol 61c7bb9699
feat(i18n) Custom i18n strings (#4000)
* Custom i18n strings (and some code formatting)

* Documentation for per-instance l10n overwrites
2020-05-19 13:21:31 +01:00
Paul Tiedtke 85adaa44d8 docker: make settings fully configurable via env vars
Now every setting in the official Etherpad container will be configurable via
environment variables.
2020-04-21 04:44:56 +02:00
muxator 9882362e2e settings: clarify that null defaults are supported, using the syntax "${VAR_NAME}"
Using "${VAR_NAME:null}", instead, would define the literal string "null".
2020-04-21 04:44:56 +02:00
Sebastian Castro c6f5ced23c css: adds UI skin variants builder (only for colibris skin) 2020-04-19 03:03:44 +02:00
Sebastian Castro 709e5d2233 colibris: introduce skin variants, in order to customize the rendering
This provide a nice way to change the colors of main containers from settings file. See comment inside settings for how it works
2020-04-19 03:03:44 +02:00
muxator 5acbdb83e5 docker: allow to control import/export rate limiting parameters
The newly introduces environment variables are IMPORT_EXPORT_RATE_LIMIT_WINDOW
and IMPORT_EXPORT_MAX_REQ_PER_IP.
2020-04-14 03:36:13 +02:00
John McLear c9d55c81a3 import/export: always rate limit import and exports
This is a departure from previous versions, which did not limit import/export
requests. Now such requests are ALWAYS rate limited. The default is 10 requests
per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3.

Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-14 03:36:13 +02:00
muxator f5d9b94ca1 docker: allow to control the maximum file size of an import via IMPORT_MAX_SIZE 2020-04-14 03:36:13 +02:00
John McLear f4418149cb import: introduce importMaxFileSize setting. Defaults to 50 MB
From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
file will always be bounded.

The maximum allowed size can be configured via importMaxFileSize.
2020-04-14 03:36:13 +02:00
muxator 6cba0f1dc5 settings: "http://etherpad.org" -> "https://etherpad.org" in the default text of a pad 2020-04-09 03:54:46 +02:00
Paul Tiedtke 79406051fa Settings.js: support newlines in default values when using variable substitution
This allows, among other things, to correctly support the configuration of
defaultPadText in Docker via an environment variable.
2020-04-07 04:32:37 +02:00
John McLear fa3e4b146a settings: document the possibility of using Unix sockets
We have been supporting Unix sockets by ages, because express.listen()
(http://expressjs.com/en/4x/api.html#app.listen_path_callback) re-exposes
net.server.listen() (https://nodejs.org/api/net.html#net_server_listen), which
in turn supports Unix sockets.

The only remaining thing to do was documenting it.

Fixes #3312
2020-03-30 03:36:55 +02:00
muxator a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
muxator 30fd53f1fd docker: move docker/settings.json to /settings.json.docker 2019-11-08 23:50:50 +01:00