pad.pub0.org/doc
Richard Hansen b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Name              Last commit                                                                                   Date
api               security: Fix authorization bypass vulnerability                                              2020-09-15 21:40:25 +01:00
assets            docs: basic styles for tables                                                                 2020-05-03 21:56:28 +02:00
easysync          easysync-full-description: regenerate the pdf document                                        2018-12-09 15:56:17 +01:00
images            README.md: losslessly reduce the size of the PNG images                                       2020-04-23 22:29:58 +02:00
cookies.md        docs: also mention the infos we have about sessionID cookie                                   2020-04-24 03:06:13 +02:00
database.md       doc: passwordHash does not contain a bcrypted password, but a salted sha512 sum               2018-11-05 22:45:00 +01:00
docker.md         doc: in the Docker example with custom plugins, replace ep_codepad -> ep_comments_page        2020-05-13 23:16:51 +02:00
documentation.md  Typos and minor fixes in bin, doc, and root                                                   2017-09-14 13:33:27 +02:00
index.md          docs: add cookies section                                                                     2020-04-24 03:06:13 +02:00
localization.md   Fix doc typo (#4187)                                                                          2020-07-21 13:22:31 +01:00
plugins.md        runtime: require node >= 10.13.0 LTS                                                          2020-04-09 04:43:37 +02:00
skins.md          release: prepare for 1.7.5                                                                    2019-01-26 00:16:03 +01:00
stats.md          docs: direct link to measured.Collection from stats.md                                        2018-08-14 13:27:31 +02:00
template.html     ‘Etherpad Lite’ -> ‘Etherpad’                                                                 2013-09-29 13:57:37 +02:00