John McLear
2a28ff8526
Changelog (#4181)
2020-07-19 23:48:31 +01:00
John McLear
e22574c40f
Changelog
2020-06-10 15:43:09 +01:00
muxator
4365598658
release: prepare for 1.8.4
2020-05-15 02:09:18 +02:00
muxator
5e6af287a5
release: prepare for 1.8.3
2020-04-27 03:24:23 +02:00
muxator
684f374ece
runtime: require node >= 10.13.0 LTS
...
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.
Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
John McLear
babf67175c
undomodule: disallow undoing "clear authorship colors"
...
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.
This is a change of behaviour, and is documented in the changelog.
Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
muxator
a817acbbcc
security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
...
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.
The "secure" flag is set if one of these is true:
1. we are directly serving Etherpad over SSL using the native nodejs
functionality, via the "ssl" options in settings.json
2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
proxy for terminating the SSL for us;
In this case, the user has to be instructed to properly set trustProxy: true
in settings.json, and the information whether the application is over SSL or
not will be extracted from the X-Forwarded-Proto HTTP header.
Please note that this will not be compatible with applications being served over
http and https at the same time.
The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.
Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure
Closes #3561.
2019-12-07 04:36:01 +01:00
ahmadine
0a0b90c4d0
referer: change referrer policy. Stop sending referers as much as possible
...
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636
What's already there:
* `meta name=referrer`: already done in 1.6.1:
https://github.com/ether/etherpad-lite/pull/3044
https://caniuse.com/#feat=referrer-policy
https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
(Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])
The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
https://github.com/ether/etherpad-lite/pull/2498
https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
(Firefox>=37, I can't find more info about support)
This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
(Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)
* `Referrer-Policy: same-origin`: the last bastion of referrer security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
(Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)
meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.
[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
most probably incompatible (but I may be wrong on that, they may support
both, but I have no way to test it currently). The next Edge release will be
based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator
7e44dc569b
changelog: mention the conditional user creation feature (now that it's fixed)
2019-11-02 23:37:59 +01:00
muxator
4f53b35bcb
changelog: reflect the fact that next release will be 1.8-beta.1
...
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator
55fb10c685
release: prepare for 1.8.0
2019-10-19 03:42:13 +02:00
muxator
705cc6f5e4
Change everywhere the link to https://etherpad.org (it was plain http)
2019-04-16 00:54:54 +02:00
muxator
a6656102d8
CHANGELOG.md: link to https://translatewiki.net instead of plain http
2019-04-16 00:53:00 +02:00
muxator
4f0a2785da
release: prepare for 1.7.5
...
Written the changelog and updated package.json.
2019-01-26 00:16:03 +01:00
muxator
4408a1e505
release: prepare for 1.7.0
...
Written the changelog and updated package.json.
From now on, releases will be cut from develop, and merged directly into master.
Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator
60c1036ecb
changelog: put <ol> in backticks
...
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
2018-07-20 12:33:45 +02:00
muxator
bfec44e346
Release version 1.6.6
2018-05-05 00:53:59 +02:00
muxator
e13ae0aec5
changelog: better specified CVE description
...
Previous commit was wrong.
Fixes #3372, really.
2018-05-04 23:24:58 +02:00
muxator
10d555bc91
changelog: better specified CVE description
...
fixes #3372
2018-05-04 23:15:22 +02:00
muxator
3eb3e301a2
manually updated CHANGELOG.md
...
due to createRelease.sh not catching an error from sed and continuing:
sed: -e expression #1, char 66: unterminated `s' command
2018-04-10 00:50:28 +02:00
John McLear
0132f4d1da
Include CVE #
2018-04-07 10:13:09 +01:00
John McLear
c34350f307
Beginning to make release
2018-04-07 09:22:13 +01:00
Stefan
1e25e7fc77
Release version 1.6.3
2018-02-03 12:57:22 +01:00
Stefan (Gared)
e84c696225
Updated CHANGELOG.md
2017-11-04 17:38:59 +01:00
Jonah Duckles
fcde66050e
Fix markdown H1
2017-05-30 13:34:07 +12:00
Stefan
9f51432175
Update CHANGELOG.md
2016-12-23 22:12:18 +01:00
Stefan
5ed9f2736a
Add version 1.6.0 changelogs
2016-04-24 21:32:21 +02:00
Stefan
6fae670476
Release version 1.5.7 (changelog)
2015-08-05 19:25:11 +02:00
Stefan
2393ea01f0
Release version 1.5.6
2015-04-16 23:06:24 +02:00
Stefan
64d94cb346
Release version 1.5.5
2015-04-13 17:27:14 +02:00
Stefan
1b9a51c879
Release version 1.5.4
2015-04-11 10:19:02 +02:00
John McLear
fc60ddded1
changelog
2015-04-10 22:23:07 +01:00
Stefan
c0260bcc40
Add changelog for v1.5.2
2015-03-15 14:28:47 +01:00
Stefan
c80a64a379
Update CHANGELOG.md
2015-01-24 19:24:20 +01:00
John McLear
af7cd91a82
formatting
2015-01-24 15:14:19 +00:00
John McLear
e41b3ae0a3
updated CL
2015-01-24 15:13:26 +00:00
John McLear
95af55992a
changelog
2015-01-01 17:13:50 +00:00
John McLear
2530bf0a86
add changelog and bump v number
2014-09-06 17:25:09 +01:00
John McLear
e23af7e439
changelog, package file and fix for redo
2014-03-26 15:44:04 +00:00
Marcel Klehr
e8c69a5474
Update changelog and bump version
2013-10-21 20:18:16 +02:00
Marcel Klehr
b9cc91e6ad
Update CHANGELOG
2013-10-12 20:35:23 +02:00
Marcel Klehr
74bc2bd761
Prepare release
2013-10-12 14:16:06 +02:00
John McLear
ba1a5da76d
bump and changelog
2013-06-24 13:35:17 +01:00
John McLear
4989f56673
undo avoid changeset spam as it breaks functionality
2013-04-15 14:36:25 +01:00
John McLear
2c8699506d
push express back as it breaks sessions
2013-04-15 12:21:10 +01:00
John McLear
b137f301e2
MAGIQ
2013-04-11 18:34:40 +01:00
John McLear
f4123d2904
bump v and readme
2013-04-11 17:04:54 +01:00
John McLear
35d84144db
changelog and package file
2013-04-04 00:59:51 +01:00
John McLear
af80e37ac7
missed this one..
2013-03-23 15:03:56 +00:00
John McLear
ab2e805aa0
changelog
2013-03-23 14:50:00 +00:00