pad.pub0.org/CHANGELOG.md

Next Release

Security fixes

  • Fixed leak of the writable pad ID when exporting from the pad's read-only ID. This only matters if you treat the writable pad IDs as secret (e.g., you are not using ep_padlist2) and you share the pad's read-only ID with untrusted users. Instead of treating writable pad IDs as secret, you are encouraged to take advantage of Etherpad's authentication and authorization mechanisms (e.g., use ep_openid_connect with ep_readonly_guest, or write your own authentication and authorization plugins).

Compatibility changes

  • The logconfig setting is deprecated.
  • For plugin authors:
    • Etherpad now uses jsdom instead of cheerio for processing HTML imports. There are two consequences of this change:
      • require('ep_etherpad-lite/node_modules/cheerio') no longer works. To fix, your plugin should directly depend on cheerio and do require('cheerio').
      • The node context argument passed to the collectContentImage hook is now an HTMLImageElement object rather than a Cheerio Node-like object, so the API is slightly different. See citizenos/ep_image_upload#49 for an example fix.
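An added example (not code from Etherpad or from ep_image_upload) of a collectContentImage hook written for the HTMLImageElement node that Etherpad now passes, with a fallback for the older Cheerio node shape so a plugin keeps working across the upgrade. The context fields cc, state and node, the cc.doAttrib call, and the img::<src> attribute name are assumptions modelled on how image plugins usually record an image; the source-scheme check is an added defensive measure, not something the changelog describes.

```javascript
// Added example, not Etherpad's or ep_image_upload's own code. Demonstrates a
// collectContentImage hook that reads the image source from the jsdom
// HTMLImageElement Etherpad now passes as `node`, while still tolerating the
// pre-jsdom Cheerio node shape. The context fields (cc, state, node), the
// cc.doAttrib call and the 'img::<src>' attribute name are assumptions.

// Read an attribute from either node flavour; null when absent.
function readAttribute(node, name) {
  if (node && typeof node.getAttribute === 'function') {
    return node.getAttribute(name); // jsdom HTMLImageElement (current API)
  }
  if (node && node.attribs && Object.prototype.hasOwnProperty.call(node.attribs, name)) {
    return node.attribs[name]; // Cheerio Node-like object (previous API)
  }
  return null;
}

// Accept only http(s) URLs and base64 data:image/ URIs so that an imported
// document cannot record an arbitrary scheme in the pad's line attributes.
function isAllowedImageSource(src) {
  if (typeof src !== 'string' || src.length === 0) return false;
  if (/^https?:\/\/\S+$/i.test(src)) return true;
  if (/^data:image\/[a-z0-9.+-]+;base64,[A-Za-z0-9+/=]+$/i.test(src)) return true;
  return false;
}

// The hook itself. A plugin would export this as exports.collectContentImage.
function collectContentImage(hookName, context) {
  const {cc, state, node} = context;
  const src = readAttribute(node, 'src');
  if (!isAllowedImageSource(src)) return; // silently drop disallowed sources
  cc.doAttrib(state, `img::${src}`);      // assumption: cc.doAttrib(state, 'key::value')
}

if (typeof exports !== 'undefined') exports.collectContentImage = collectContentImage;

// Constructed stand-in nodes so the hook can be exercised without jsdom.
const jsdomLikeNode = {getAttribute: (n) => (n === 'src' ? 'https://example.invalid/a.png' : null)};
const cheerioLikeNode = {attribs: {src: 'ftp://example.invalid/a.png'}};
const recorded = [];
const fakeCc = {doAttrib: (state, attr) => recorded.push(attr)};
collectContentImage('collectContentImage', {cc: fakeCc, state: {}, node: jsdomLikeNode});
collectContentImage('collectContentImage', {cc: fakeCc, state: {}, node: cheerioLikeNode});
console.log(recorded); // only the https source is recorded
```

The readAttribute helper is the whole of the migration: under Cheerio the source lived in node.attribs.src, under jsdom it is node.getAttribute('src'). Everything else in the hook is unchanged.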

Notable enhancements

  • For plugin authors:
    • clientVars was added to the context for the postAceInit client-side hook. Plugins should use this instead of the clientVars global variable.

1.8.14

Security fixes

  • Fixed a persistent XSS vulnerability in the Chat component. If you cannot update to 1.8.14 directly, we strongly recommend cherry-picking a796811558. Thanks to SonarSource for the professional disclosure.

Compatibility changes

  • Node.js v12.13.0 or later is now required.
  • The favicon setting is now interpreted as a pathname to a favicon file, not a URL. Please see the documentation comment in settings.json.template.
  • The undocumented faviconPad and faviconTimeslider settings have been removed.
  • MySQL/MariaDB now uses connection pooling, which means you will see up to 10 connections to the MySQL/MariaDB server (by default) instead of 1. This might cause Etherpad to crash with a "ER_CON_COUNT_ERROR: Too many connections" error if your server is configured with a low connection limit.
  • Changes to environment variable substitution in settings.json (see the documentation comments in settings.json.template for details):
    • An environment variable set to the string "null" now becomes null instead of the string "null". Similarly, if the environment variable is unset and the default value is "null" (e.g., "${UNSET_VAR:null}"), the value now becomes null instead of the string "null". It is no longer possible to produce the string "null" via environment variable substitution.
    • An environment variable set to the string "undefined" now causes the setting to be removed instead of set to the string "undefined". Similarly, if the environment variable is unset and the default value is "undefined" (e.g., "${UNSET_VAR:undefined}"), the setting is now removed instead of set to the string "undefined". It is no longer possible to produce the string "undefined" via environment variable substitution.
    • Support for unset variables without a default value is now deprecated. Please change all instances of "${FOO}" in your settings.json to "${FOO:null}" to keep the current behavior.
    • The DB_* variable substitutions in settings.json.docker that previously defaulted to null now default to "undefined".
  • Calling next without an argument when using Changeset.opIterator now always returns a new Op. See b9753dcc71 for details.
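The environment variable substitution rules listed above, as an added stand-alone re-implementation (not Etherpad's settings loader) so the edge cases can be checked offline: a value that resolves to the string "null" becomes null, a value that resolves to the string "undefined" removes the setting, and "${FOO}" with no default is treated as "${FOO:null}" with a deprecation warning. The env argument is passed in explicitly instead of reading process.env, the handling of array elements is an assumption, and the sample settings fragment is constructed for the example.

```javascript
// Added example, not Etherpad's own code: a re-implementation of the
// settings.json placeholder substitution rules from the 1.8.14 changelog.
// Only the documented rules are modelled; any other coercion the real loader
// performs is out of scope here.

// Matches "${NAME}" or "${NAME:default}" when it is the whole string value.
const PLACEHOLDER = /^\$\{([A-Za-z_][A-Za-z0-9_]*)(?::(.*))?\}$/;

// Sentinel meaning "remove this key from the enclosing object".
const REMOVE = Symbol('remove');

// Resolve one string value against `env` (a plain object standing in for
// process.env). Non-placeholder values are returned unchanged.
function substituteValue(value, env, warnings = []) {
  if (typeof value !== 'string') return value;
  const m = PLACEHOLDER.exec(value);
  if (m === null) return value;
  const [, name, defaultValue] = m;
  let resolved;
  if (Object.prototype.hasOwnProperty.call(env, name)) {
    resolved = env[name];
  } else if (defaultValue !== undefined) {
    resolved = defaultValue;
  } else {
    // "${FOO}" with FOO unset: deprecated, currently behaves like "${FOO:null}".
    warnings.push(`${value}: unset variable without a default is deprecated; use "\${${name}:null}"`);
    resolved = 'null';
  }
  if (resolved === 'null') return null;        // the string "null" can no longer be produced
  if (resolved === 'undefined') return REMOVE; // the setting is dropped entirely
  return resolved;
}

// Walk a parsed settings object and substitute every string leaf. Keys whose
// value resolves to REMOVE are omitted; array elements that resolve to REMOVE
// are filtered out (assumption: the changelog only describes object keys).
function substituteSettings(settings, env, warnings = []) {
  if (Array.isArray(settings)) {
    return settings.map((v) => substituteSettings(v, env, warnings)).filter((v) => v !== REMOVE);
  }
  if (settings !== null && typeof settings === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(settings)) {
      const r = substituteSettings(v, env, warnings);
      if (r !== REMOVE) out[key] = r;
    }
    return out;
  }
  return substituteValue(settings, env, warnings);
}

// Constructed sample (not from any real deployment) in the shape of a
// settings.json fragment, plus a constructed environment.
const SAMPLE_SETTINGS = {
  title: '${TITLE:Etherpad}',
  favicon: '${FAVICON}',          // deprecated form: no default
  dbSettings: {
    host: '${DB_HOST:undefined}', // removed when DB_HOST is unset
    port: '${DB_PORT:null}',      // null when DB_PORT is unset
    password: '${DB_PASS:null}',
  },
};
const SAMPLE_ENV = {TITLE: 'Team pad', DB_PASS: 'undefined'};

const warnings = [];
console.log(JSON.stringify(substituteSettings(SAMPLE_SETTINGS, SAMPLE_ENV, warnings), null, 2));
console.log(warnings);
```

Running it shows dbSettings.host and dbSettings.password both disappear from the output, although for different reasons (an unset variable with default "undefined" versus a variable explicitly set to "undefined"), which is exactly the behaviour change to check before upgrading a settings.json that relied on those strings surviving.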

Notable enhancements and fixes

  • MySQL/MariaDB now uses connection pooling, which should improve stability and reduce latency.
  • Bulk database writes are now retried individually on write failure.
  • Minify: Avoid crash due to unhandled Promise rejection if stat fails.
  • padIds are now included in the /socket.io query string, e.g. https://video.etherpad.com/socket.io/?padId=AWESOME&EIO=3&transport=websocket&t=...&sid=.... This is useful for directing pads to separate socket.io nodes.