Commit graph

5599 commits

Author SHA1 Message Date
muxator
0b0608d7d4 skins: use "colibris" as default, even when no settings.json is present
Starting with Etherpad 1.8.3 we decided to use Colibris as default skin for new
installs. Without this change, when starting with no settings.json file,
Etherpad would (wrongly) use "no-skin".

This change should have been part of 70bc71c0c3.
2020-04-19 02:58:35 +02:00
Sebastian Castro
8956efc4ae bin: add fastRun.sh script for developers
Useful for developers, or users that know what they are doing. If you just
upgraded Etherpad version, installed a new dependency, or are simply unsure of
what to do, then before running this script, please execute bin/installDeps.sh
once.

Fixes #3711 (partially)
2020-04-17 18:36:24 +02:00
translatewiki.net
b2aa0881af Localisation updates from https://translatewiki.net. 2020-04-16 17:06:58 +02:00
Christian Schröder
5537ef3950 test: fix settings loading in api/instance backend test
With commit 44186ed (tests: remove loadSettings.js for backend tests.)
the loading of the settings in backendtests changed. One test spec
was not updated.
2020-04-16 03:03:20 +02:00
Christian Schröder
f0fdb94eb0 PadMessageHandler: fix for scoping error hiding original error
`r` is undefined outside of the for loop, but used in the catch block of the try
statement
2020-04-16 02:58:47 +02:00
translatewiki.net
4ddcaefed2 Localisation updates from https://translatewiki.net. 2020-04-14 05:23:20 +02:00
muxator
5acbdb83e5 docker: allow to control import/export rate limiting parameters
The newly introduces environment variables are IMPORT_EXPORT_RATE_LIMIT_WINDOW
and IMPORT_EXPORT_MAX_REQ_PER_IP.
2020-04-14 03:36:13 +02:00
John McLear
c9d55c81a3 import/export: always rate limit import and exports
This is a departure from previous versions, which did not limit import/export
requests. Now such requests are ALWAYS rate limited. The default is 10 requests
per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3.

Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-14 03:36:13 +02:00
John McLear
24ee37a38f import: do not allow importing into a pad from the web UI if the user is not on that pad
Importing to a pad is allowed only if an author has a session estabilished and
has already contributed to that specific pad. This means that as long as the
user is on the pad (via the browser) then import is possible.

Note that an author session is NOT the same as a group session, which is not
required.

This setting does not apply to API requests, only to /p/$PAD$/import

This change of behaviour is introduced in Etherpad 1.8.3, and cannot be
disabled.
2020-04-14 03:36:13 +02:00
muxator
f5d9b94ca1 docker: allow to control the maximum file size of an import via IMPORT_MAX_SIZE 2020-04-14 03:36:13 +02:00
John McLear
f4418149cb import: introduce importMaxFileSize setting. Defaults to 50 MB
From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
file will always be bounded.

The maximum allowed size can be configured via importMaxFileSize.
2020-04-14 03:36:13 +02:00
muxator
d1ad29a3d1 importexport: improved logging
This is in preparation to the next activities about import/export securization.
2020-04-14 03:36:13 +02:00
muxator
44186edbc5 tests: remove loadSettings.js for backend tests.
The old loadSettings.js was a way of customizing settings upon load, because
the Settings module did not offer this functionality. But it did not work well,
since all the default settings were not loaded.

Let's get rid of loadSettings.js for the bulk of the tests (the "backend"
specs). For the "container" specs, we'll keep it in place until/if we rewrite
Settings.js making it less brittle.
2020-04-14 03:36:13 +02:00
muxator
419f17371c dependencies: upgrade openapi 2.4.0 -> 2.4.1 2020-04-14 03:05:39 +02:00
muxator
02211cb670 dependencies: updated package-lock.json
No changes at all on our side: this is the churn of all the transitive
dependencies that are not pinned, and bubble up here.
2020-04-14 03:04:22 +02:00
muxator
cd28643604 express: document the effect of settings.trustProxy 2020-04-14 01:10:19 +02:00
mathieu.brunot
5503ebdb94 github: Templates for Issues and PR
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2020-04-13 14:45:17 +02:00
mathieu.brunot
c3ed04f4ae README.md: Add Travis-CI badge to README
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>

📝 Add Travis-CI badge to README

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
2020-04-13 11:41:02 +02:00
muxator
83d72d27a4 scroll: replace absolute import with relative one
Fixing this will be useful when we'll want to get rid of require-kernel.

This was introduced by f1fcd16894 ("Add settings to scroll on edition out of
viewport") in 2018-01-03.
2020-04-09 21:09:40 +02:00
translatewiki.net
4699c3e22e Localisation updates from https://translatewiki.net. 2020-04-09 16:00:27 +02:00
muxator
684f374ece runtime: require node >= 10.13.0 LTS
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.

Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
muxator
6cba0f1dc5 settings: "http://etherpad.org" -> "https://etherpad.org" in the default text of a pad 2020-04-09 03:54:46 +02:00
Chocobozzz
963d12e614 PadManager: use a set instead of an array in padlist
Avoid looping on the array, especially useful if you have many pads.

--HG--
branch : padlist-use-set
2020-04-09 03:39:32 +02:00
Chocobozzz
94ff21e25c PadManager: anchor the addPad regex to the start of the string
This improves the performance a bit, and is more adherent to the logic of the
application.

--HG--
branch : padlist-use-set
2020-04-09 03:39:32 +02:00
Chocobozzz
8c4625ec50 tests: add tests for listAllPads() API call
--HG--
branch : padlist-use-set
2020-04-09 03:39:32 +02:00
Marcin Cieślak
df08883a00 SecurityManager: remove double quotes from session cookie content
Sometimes, RFC 6265-compliant [0] web servers may send back a cookie whose value
is enclosed in double quotes, such as:

    Set-Cookie: sessionCookie="s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"; Version=1; Path=/; Domain=localhost; Discard

Where the double quotes at the start and the end of the header value are just
delimiters. This is perfectly legal: Etherpad parsing logic should cope with
that, and remove the quotes early in the request phase.

Somehow, this does not happen, and in such cases the actual value that
sessionCookie ends up having is:

    sessionCookie = '"s.37cf5299fbf981e14121fba3a588c02b,s.2b21517bf50729d8130ab85736a11346"'

As quick measure, let's strip the double quotes (when present).
Note that here we are being minimal, limiting ourselves to just removing quotes
at the start and the end of the string.

Fixes #3819.
Also, see #3820.


[0] https://tools.ietf.org/html/rfc6265
2020-04-09 01:14:51 +02:00
John McLear
08b83ae358 LibreOffice: use "html:XHTML Writer File:UTF8" export method
This yields better conversion results, but requires the previous change,
otherwise there would have been difficulties in locating the temporary file
name.
2020-04-08 22:51:25 +02:00
John McLear
b2ccd0a191 LibreOffice: decouple the extension of the temporary file from its type
In the next commit, we are going to change the conversion method to
"html:XHTML Writer File:UTF8". Without this change, that conversion method name
would end up in the extension of the temporary file that is created as an
intermediate step. In this way, the file extensione will always stay ".html".

No functional changes, hopefully. Only the extension of the temporary file
should change.
2020-04-08 22:51:25 +02:00
John McLear
f6907c5fad contentcollector: remove weird stuff LibreOffice adds to DOM before importing 2020-04-08 22:51:25 +02:00
John McLear
a371deb9d1 ImportHandler: quick & dirty way of being more lax when matching <title>
This change is meant to ease using LibreOffice as converter. When LibreOffice
converts a file, it adds some classes to the <title> tag.
This is a quick & dirty way of matching the <title> and comment it out
independently on the classes that are set on it.
2020-04-08 22:51:25 +02:00
John McLear
babf67175c undomodule: disallow undoing "clear authorship colors"
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
Paul Tiedtke
ffc718e8c0 docker: add support for arbitrary user ids (for OpenShift compatibility)
This solves a compatibility problem with OpenShift. In OpenShift security
model, the containers are run by arbitrary user ids, but the users are always
a member of the root group.

This PR adjusts the permissions accordingly.

Documentation reference:
https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#use-uid
2020-04-08 15:06:08 +02:00
Paul Tiedtke
79406051fa Settings.js: support newlines in default values when using variable substitution
This allows, among other things, to correctly support the configuration of
defaultPadText in Docker via an environment variable.
2020-04-07 04:32:37 +02:00
John McLear
3872690715
ace2_inner: remove Chrome specific hack
This code was specific for older Chrome versions. It can be simplified now.

Fixes #3487
2020-04-07 03:47:46 +02:00
John McLear
8987c5d813 dependencies: upgrade uglify-js 2.6.2 -> 3.8.1 and adapt Minify
This was a major update that required code changes.
2020-04-03 00:05:15 +00:00
muxator
a286f32c2a dependencies: remove object.values
This should have been part of 09949c242a ("node8: we no longer need to use a
shim for Object.values in stats.js")
2020-04-07 03:15:10 +02:00
muxator
a5ed0b524b dependencies: use fixed versions in package.json
We want to track dependencies as explicitly as possible.
2020-04-07 03:04:23 +02:00
Viljami Kuosmanen
3edd727a94 customError: rewrite the module using class syntax
The previous syntax caused a deprecation warning on Node 10.
However, due to the very old version of log4js Etherpad is currently using,
customError objects are going to be displayed as { inspect: [Function: inspect] }.

This needs to be addressed later, updating log4js.

Fixes #3834.
2020-04-07 02:03:17 +02:00
muxator
e6251687bf api: test coverage for getStats() 2020-04-04 22:03:46 +02:00
muxator
4ef59bbda0 api: in getStats(), directly rewrote activePads as an expression
Instead of creating an empty Set and then mutate it.
2020-04-04 22:03:46 +02:00
Chocobozzz
82b919fc65 api: add getStats() function 2020-04-04 22:03:46 +02:00
John McLear
eb45934788 remove noise 2020-04-03 11:32:14 +01:00
John McLear
4e212d12b2 patch fix for 3825 2020-04-03 11:32:14 +01:00
Chocobozzz
0889a1313d referer: do not send referrer when opening a link
This change augments what was already done in 54e0f2de5b20 (PR with discussion
at #3636).

For documentation about the meaning of "noopener, noreferrer", see:
https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
2020-03-31 10:02:46 +02:00
John McLear
cdf5b63f26 use a deletePad approach that works when server is running and works with MySQL 2020-04-03 03:31:18 +02:00
John McLear
93180c287b
tests: in Travis, also run the backend tests
This change introduces automatic execution of the backend tests in Travis.

Implements #2351.
2020-04-03 03:27:05 +02:00
John McLear
c2ea2b3a6d webaccess: do not resave session
Before this change, the database was spammed with session values.
Modern express-session has this baked in.
See https://www.npmjs.com/package/express-session#resave for docs.
2020-04-03 02:55:33 +02:00
John McLear
1f0058dd6f interesting discovery RE 3612 and 2802 2020-04-03 02:40:59 +02:00
muxator
3a46e010ce dependencies: bump ueberdb2 0.4.3 -> 0.4.5
Original message from John McLear (PR #3817):
  We now include BINARY in the MySQL WHERE select clause.
  Test coverage might be desirable?

Fixes #2877
2020-04-03 01:27:49 +02:00
Viljami Kuosmanen
ccf406708e openapi: support standard http error codes
API errors are now handled at the end of the request heap by
throwing exceptions from the handler
2020-04-03 01:03:11 +02:00