Commit Graph

138 Commits (f22fb13d89fdbf68c5f6cde77d66ae57119e8881)

Author SHA1 Message Date
Richard Hansen 2301c6ec83 pad: Don't throw on socket.io error 2021-02-11 17:25:09 +00:00
John McLear 5d96cf9754
changelog 1.8.8 (#4725)
* changelog 1.8.8

* for squash: refine changelog

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-07 22:24:19 +00:00
John McLear 2ea8ea1275 restructure: move bin/ and tests/ to src/
Also add symlinks from the old `bin/` and `tests/` locations to avoid
breaking scripts and other tools.

Motivations:

  * Scripts and tests no longer have to do dubious things like:

        require('ep_etherpad-lite/node_modules/foo')

    to access packages installed as dependencies in
    `src/package.json`.

  * Plugins can access the backend test helper library in a non-hacky
    way:

        require('ep_etherpad-lite/tests/backend/common')

  * We can delete the top-level `package.json` without breaking our
    ability to lint the files in `bin/` and `tests/`.

    Deleting the top-level `package.json` has downsides: It will cause
    `npm` to print warnings whenever plugins are installed, npm will
    no longer be able to enforce a plugin's peer dependency on
    ep_etherpad-lite, and npm will keep deleting the
    `node_modules/ep_etherpad-lite` symlink that points to `../src`.

    But there are significant upsides to deleting the top-level
    `package.json`: It will drastically speed up plugin installation
    because `npm` doesn't have to recursively walk the dependencies in
    `src/package.json`. Also, deleting the top-level `package.json`
    avoids npm's horrible dependency hoisting behavior (where it moves
    stuff from `src/node_modules/` to the top-level `node_modules/`
    directory). Dependency hoisting causes numerous mysterious
    problems such as silent failures in `npm outdated` and `npm
    update`. Dependency hoisting also breaks plugins that do:

        require('ep_etherpad-lite/node_modules/foo')
2021-02-04 17:15:08 -05:00
freddii ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear 0cc8405e9c Bump minimum required Node.js version to 10.17.0
This makes it possible to use fs.promises.
2021-01-30 17:00:40 -05:00
Richard Hansen edbe6d5387 Bump ueberDB to get speed improvements 2021-01-11 09:23:08 +00:00
Richard Hansen a55dd73f2b Typo fix: `checkPlugins.js` -> `checkPlugin.js` 2021-01-08 19:02:55 -05:00
John McLear 998c80607e changelog: updated changelog 2020-12-23 16:18:28 -05:00
Richard Hansen b82bf5c726 Drop support for Internet Explorer 2020-12-19 19:13:31 +00:00
Richard Hansen 1ad9b1efbb Update `CHANGELOG.md`
Add new entries and refine wording/formatting of existing entries.
2020-11-10 07:22:22 +00:00
John McLear 89667f1d4f
update changelog for release (#4475) 2020-11-08 10:03:22 +00:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen 34b232d658
Update `CHANGELOG.md` with the changes so far (#4393) 2020-10-06 09:16:21 +02:00
Richard Hansen df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Stefan Mueller 299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
Stefan Mueller 5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
John McLear 2a28ff8526
Changelog (#4181) 2020-07-19 23:48:31 +01:00
John McLear e22574c40f
Changelog 2020-06-10 15:43:09 +01:00
muxator 4365598658 release: prepare for 1.8.4 2020-05-15 02:09:18 +02:00
muxator 5e6af287a5 release: prepare for 1.8.3 2020-04-27 03:24:23 +02:00
muxator 684f374ece runtime: require node >= 10.13.0 LTS
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.

Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
John McLear babf67175c undomodule: disallow undoing "clear authorship colors"
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
muxator a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
ahmadine 0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator 7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00
muxator 4f53b35bcb changelog: reflect the fact that next release will be 1.8-beta.1
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator 55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator 705cc6f5e4 Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00
muxator a6656102d8 CHANGELOG.md: link to https://translatewiki.net instead of plain http 2019-04-16 00:53:00 +02:00
muxator 4f0a2785da release: prepare for 1.7.5
Written the changelog and updated package.json.
2019-01-26 00:16:03 +01:00
muxator 4408a1e505 release: prepare for 1.7.0
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator 60c1036ecb
changelog: put <ol> in backticks
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
2018-07-20 12:33:45 +02:00
muxator bfec44e346 Release version 1.6.6 2018-05-05 00:53:59 +02:00
muxator e13ae0aec5 changelog: better specified CVE description
Previous commit was wrong.
Fixes #3372, really.
2018-05-04 23:24:58 +02:00
muxator 10d555bc91 changelog: better specified CVE description
fixes #3372
2018-05-04 23:15:22 +02:00
muxator 3eb3e301a2 manually updated CHANGELOG.md
due to createRelease.sh not catching an error from sed and continuing:
   sed: -e expression #1, char 66: unterminated `s' command
2018-04-10 00:50:28 +02:00
John McLear 0132f4d1da Include CVE # 2018-04-07 10:13:09 +01:00
John McLear c34350f307 Beginning to make release 2018-04-07 09:22:13 +01:00
Stefan 1e25e7fc77 Release version 1.6.3 2018-02-03 12:57:22 +01:00
Stefan (Gared) e84c696225 Updated CHANGELOG.md 2017-11-04 17:38:59 +01:00
Jonah Duckles fcde66050e Fix markdown H1 2017-05-30 13:34:07 +12:00
Stefan 9f51432175 Update CHANGELOG.md 2016-12-23 22:12:18 +01:00
Stefan 5ed9f2736a Add version 1.6.0 changelogs 2016-04-24 21:32:21 +02:00
Stefan 6fae670476 Release version 1.5.7 (changelog) 2015-08-05 19:25:11 +02:00
Stefan 2393ea01f0 Release version 1.5.6 2015-04-16 23:06:24 +02:00
Stefan 64d94cb346 Release version 1.5.5 2015-04-13 17:27:14 +02:00
Stefan 1b9a51c879 Release version 1.5.4 2015-04-11 10:19:02 +02:00
John McLear fc60ddded1 changelog 2015-04-10 22:23:07 +01:00
Stefan c0260bcc40 Add changelog for v1.5.2 2015-03-15 14:28:47 +01:00
Stefan c80a64a379 Update CHANGELOG.md 2015-01-24 19:24:20 +01:00
John McLear af7cd91a82 formatting 2015-01-24 15:14:19 +00:00
John McLear e41b3ae0a3 updated CL 2015-01-24 15:13:26 +00:00
John McLear 95af55992a changelog 2015-01-01 17:13:50 +00:00
John McLear 2530bf0a86 add changelog and bump v number 2014-09-06 17:25:09 +01:00
John McLear e23af7e439 changelog, package file and fix for redo 2014-03-26 15:44:04 +00:00
Marcel Klehr e8c69a5474 Update changelog and bump version 2013-10-21 20:18:16 +02:00
Marcel Klehr b9cc91e6ad Update CHANGELOG 2013-10-12 20:35:23 +02:00
Marcel Klehr 74bc2bd761 Prepare release 2013-10-12 14:16:06 +02:00
John McLear ba1a5da76d bump and changelog 2013-06-24 13:35:17 +01:00
John McLear 4989f56673 undo avoid changeset spam as it breaks functionality 2013-04-15 14:36:25 +01:00
John McLear 2c8699506d push express back as it breaks sessions 2013-04-15 12:21:10 +01:00
John McLear b137f301e2 MAGIQ 2013-04-11 18:34:40 +01:00
John McLear f4123d2904 bump v and readme 2013-04-11 17:04:54 +01:00
John McLear 35d84144db changelog and package file 2013-04-04 00:59:51 +01:00
John McLear af80e37ac7 missed this one.. 2013-03-23 15:03:56 +00:00
John McLear ab2e805aa0 changelog 2013-03-23 14:50:00 +00:00
Marcel Klehr 54433db47f release v1.2.9 2013-03-15 21:43:29 +01:00
John McLear 0c9214bb27 bump v and changelog 2013-03-06 15:08:27 +00:00
John McLear 7f9a51e614 changelog 2013-03-05 13:33:09 +00:00
John McLear c37875e09a update changelog 2013-02-18 19:33:31 +00:00
John McLear fb97920163 update changelog 2013-02-18 19:32:07 +00:00
John McLear 3325aa8468 bit of info about deps 2013-02-10 21:15:00 +00:00
John McLear d7992a1366 begin putting files together for a release 2013-02-10 21:13:51 +00:00
John McLear 594d53ee8b changelog and package file 2013-01-30 14:58:23 +00:00
John McLear 10c2ac2a69 have a nice changelog makes it easier for when we release 2013-01-28 21:52:14 +00:00
John McLear 4b5d993f0d bump v and create CHANGELOG 2013-01-20 13:45:16 +00:00
John McLear 292db5fc44 prepare for release 2013-01-18 13:29:43 +00:00
John McLear fadfa6772e changelog and package file 2013-01-07 19:31:29 +00:00
Marcel Klehr 53459fe160 release v1.2.3 2012-12-31 15:57:16 +01:00
John McLear b681359dfa bump version # in package and update CHANGELOG 2012-12-27 20:09:14 +00:00
johnyma22 a75d17f55a More stuff into changelog 2012-11-21 18:48:33 +00:00
johnyma22 064051a30d Bump stuff to 1.2.1 2012-11-21 18:20:54 +00:00
Marcel Klehr 6d2391dba6 Fix version number in changelog and package.json 2012-11-14 22:02:40 +01:00
johnyma22 6ede651813 v1.2 news into changelog 2012-11-14 19:30:46 +00:00
Marcel Klehr 9cec0391e2 Improve changelog v1.1.5 2012-10-31 16:15:12 +01:00
johnyma22 de1c271776 CHANGELOG stuff 2012-10-30 13:54:49 +00:00
John McLear afb868fd2b Update CHANGELOG.md 2012-05-30 00:20:03 +02:00
Peter 'Pita' Martischka 7e4bba0e31 started a changelog 2011-08-23 18:59:32 +01:00