Commit graph

5421 commits

Author SHA1 Message Date
muxator
1b4b180e50 dependencies: upgrade npm 6.12.0 -> 6.12.1 2019-10-31 19:19:40 +01:00
Pierre Prinetti
801d519165 docker: Fix the comments about settings.json copy
The "conditional copy trick" was removed in #3644, but I failed to
update the corresponding comment.
2019-10-25 19:26:10 +02:00
translatewiki.net
0104c9f321 Localisation updates from https://translatewiki.net. 2019-10-24 21:55:12 +02:00
Pierre Prinetti
eea99fe507 docker: Run as unprivileged user
Processes in containers should not run as root.
This change creates an unprivileged user in the Docker container, and
runs the main process using that user.

References:
* https://en.wikipedia.org/wiki/Principle_of_least_privilege
* https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
* https://www.twistlock.com/labs-blog/non-root-containers-kubernetes-cve-2019-11245-care/

Fixes https://github.com/ether/etherpad-lite/issues/3629
2019-10-24 11:29:19 +02:00
muxator
bf7c7241fc docker: base our image on 10-buster-slim instead of buster-slim
A Docker base image without version is a bit of a moving target. Buster-slim,
for example, is currently based on nodejs 12.

For now, let's base our official Docker image on nodejs 10 (an LTS, non at End
of Life, which we explicitly mention in the documentation).

Amends a9a3bf9bd2 and the corresponding PR #3646.
2019-10-22 22:47:40 +02:00
muxator
2e2aa05e52 dependencies: upgrade graceful-fs 4.1.15 -> 4.2.2
Without this, on nodejs 10 and 12 (and maybe 8, not tested), Etherpad failed to
start, throwing the following error:

  [2019-10-22 19:01:01.439] [ERROR] console - exception thrown: Maximum call stack size exceeded
  [2019-10-22 19:01:01.439] [INFO] console - RangeError: Maximum call stack size exceeded
      at Function.[Symbol.hasInstance] (<anonymous>)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:194:14)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)

Fixes #3654.
2019-10-22 21:59:37 +02:00
translatewiki.net
f0eee78d31 Localisation updates from https://translatewiki.net. 2019-10-21 16:58:11 +02:00
muxator
55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator
8e6bca456f dependencies: upgrade npm 6.10.3 -> 6.12.0
This upgrade should be backward compatible, but still suffers form major
vulnerabilities in its https-proxy-agent transitive dependency (see
https://www.npmjs.com/advisories/1184).

Changelog:
- https://github.com/npm/cli/releases

6.12.0 (2019-10-08):
    Now npm ci runs prepare scripts for git dependencies, and respects the
    --no-optional argument. Warnings for engine mismatches are printed again.
    Various other fixes and cleanups.

    BUG FIXES
    890b245dc #252 ci: add dirPacker to options (@claudiahdz)
    f3299acd0 #257 npm.community#4792 warn message on engine mismatch
                   (@ruyadorno)
    bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token
                   (@benblank)
    70f54dcb5 #241 doctor: Make OK more consistent (@gemal)

    FEATURES
    ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
    f6b0459a4 #248 Add option to save package-lock without formatting Adds a new
                   config --format-package-lock, which defaults to true.
                   (@bl00mber)

DEPENDENCIES
    0ca063c5d npm-lifecycle@3.1.4:
        fix: filter functions and undefined out of makeEnv (@isaacs)
    5df6b0ea2 libcipm@4.0.4:
        fix: pack git directories properly (@claudiahdz)
        respect no-optional argument (@cruzdanilo)
    7e04f728c tar@4.4.12
    5c380e5a3 stringify-package@1.0.1 (@isaacs)
    62f2ca692 node-gyp@5.0.5 (@isaacs)
    0ff0ea47a npm-install-checks@3.0.2 (@isaacs)
    f46edae94 hosted-git-info@2.8.5 (@isaacs)

TESTING
    44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)

6.11.3 (2019-09-03):
    Fix npm ci regressions and npm outdated depth.

    BUG FIXES
    235ed1d28 #239 Don't override user specified depth in outdated. Restores
                   ability to update packages using --depth as suggested by npm audit. (@G-Rath)
    1fafb5151 #242 npm.community#9586 Revert "install: do not descend into
                   directory deps' child modules" (@isaacs)
    cebf542e6 #243 npm.community#9720 ci: pass appropriate configs for file/dir
                   modes (@isaacs)

    DEPENDENCIES
    e5fbb7ed1 read-cmd-shim@1.0.4 (@claudiahdz)
    23ce65616 npm-pick-manifest@3.0.2 (@claudiahdz)

6.11.2 (2019-08-22):
    Fix a recent Windows regression, and two long-standing Windows bugs. Also,
    get CI running on Windows, so these things are less likely in the future.

    DEPENDENCIES
    9778a1b87 cmd-shim@3.0.3: Fix regression where shims fail to preserve exit
              code (@isaacs)
    bf93e91d8 npm-package-arg@6.1.1: Properly handle git+file: urls on Windows
              when a drive letter is included. (@isaacs)

    BUGFIXES
    6cc4cc66f escape args properly on Windows Bash Despite being bash, Node.js
              running on windows git mingw bash still executes child processes
              using cmd.exe. As a result, arguments in this environment need to
              be escaped in the style of cmd.exe, not bash. (@isaacs)

    TESTS
    291aba7b8 make tests pass on Windows (@isaacs)
    fea3a023a travis: run tests on Windows as well (@isaacs)

6.11.1 (2019-08-20):
    Fix a regression for windows command shim syntax.

    37db29647 cmd-shim@3.0.2 (@isaacs)

v6.11.0 (2019-08-20):
    A few meaty bugfixes, and introducing peerDependenciesMeta.

    FEATURES
    a12341088 #224 Implements peerDependenciesMeta (@arcanis)
    2f3b79bba #234 add new forbidden 403 error code (@claudiahdz)

    BUGFIXES
    24acc9fc8 and 45772af0d #217 npm.community#8863 npm.community#9327 do not
              descend into directory deps' child modules, fix shrinkwrap files
              that inappropriately list child nodes of symlink packages (@isaacs
              and @salomvary)
    50cfe113d #229 fixed typo in semver doc (@gall0ws)
    e8fb2a1bd #231 Fix spelling mistakes in CHANGELOG-3.md (@XhmikosR)
    769d2e057 npm/uid-number#7 Better error on invalid --user/--group configs.
              This addresses the issue when people fail to install binary
              packages on Docker and other environments where there is no
              'nobody' user. (@isaacs)
    8b43c9624 nodejs/node#28987 npm.community#6032 npm.community#6658
              npm.community#6069 npm.community#9323 Fix the regression where
              random config values in a .npmrc file are not passed to lifecycle
              scripts, breaking build processes which rely on them. (@isaacs)
    8b85eaa47 save files with inferred ownership rather than relying on SUDO_UID
              and SUDO_GID. (@isaacs)
    b7f6e5f02 Infer ownership of shrinkwrap files (@isaacs)
    54b095d77 #235 Add spec to dist-tag remove function (@theberbie)

    DEPENDENCIES
    dc8f9e52f pacote@9.5.7: Infer the ownership of all unpacked files in
              node_modules, so that we never have user-owned files in root-owned
              folders, or root-owned files in user-owned folders. (@isaacs)
    bb33940c3 cmd-shim@3.0.0:
        9c93ac3 #2 npm#3380 Handle environment variables properly (@basbossink)
        2d277f8 #25 #36 #35 Fix 'no shebang' case by always providing $basedir
                in shell script (@igorklopov)
        adaf20b #26 Fix $* causing an error when arguments contain parentheses
                (@satazor)
        49f0c13 #30 Fix paths for MSYS/MINGW bash (@dscho)
        51a8af3 #34 Add proper support for PowerShell (@ExE-Boss)
        4c37e04 #10 Work around quoted batch file names (@isaacs)
    a4e279544 npm-lifecycle@3.1.3 (@isaacs):
        fail properly if uid-number raises an error
    7086a1809 libcipm@4.0.3 (@isaacs)
    8845141f9 read-package-json@2.1.0 (@isaacs)
    51c028215 bin-links@1.1.3 (@isaacs)
    534a5548c read-cmd-shim@1.0.3 (@isaacs)
    3038f2fd5 gentle-fs@2.2.1 (@isaacs)
    a609a1648 graceful-fs@4.2.2 (@isaacs)
    f0346f754 cacache@12.0.3 (@isaacs)
    ca9c615c8 npm-pick-manifest@3.0.0 (@isaacs)
    b417affbf pacote@9.5.8 (@isaacs)

    TESTS
    b6df0913c #228 Proper handing of /usr/bin/node lifecycle-path test (@olivr70)
    aaf98e88c npm-registry-mock@1.3.0 (@isaacs)
2019-10-20 01:47:01 +02:00
muxator
e83bb4211a dependencies: upgrade express-session 1.16.1 -> 1.17.0
This upgrade should be backward compatible.
Changelog:
- https://github.com/expressjs/session/blob/master/HISTORY.md

1.17.0 / 2019-10-10
    deps: cookie@0.4.0
        Add SameSite=None support
    deps: safe-buffer@5.2.0

1.16.2 / 2019-06-12
    Fix restoring cookie.originalMaxAge when store returns Date
    deps: parseurl@~1.3.3
2019-10-20 01:32:12 +02:00
muxator
2955a616bd dependencies: upgrade express 4.16.4 -> 4.17.1
This upgrade should be backward compatible.
Changelogs:
- https://expressjs.com/en/changelog/4x.html
- https://github.com/expressjs/express/blob/master/History.md#4171--2019-05-25

4.17.1 - Release date: 2019-05-25
The 4.17.1 patch release includes one bug fix:
    The change to the res.status() API has been reverted due to causing
    regressions in existing Express 4 applications.

4.17.0 - Release date: 2019-05-16
The 4.17.0 minor release includes bug fixes and some new features, including:

    The express.raw() and express.text() middleware have been added to provide
    request body parsing for more raw request payloads. This uses the
    expressjs/body-parser module module underneath, so apps that are currently
    requiring the module separately can switch to the built-in parsers.

    The res.cookie() API now supports the "none" value for the sameSite option.

    When the "trust proxy" setting is enabled, the req.hostname now supports
    multiple X-Forwarded-For headers in a request.

    Starting with this version, Express supports Node.js 10.x and 12.x.

    The res.sendFile() API now provides and more immediate and easier to
    understand error when a non-string is passed as the path argument.

    The res.status() API now provides and more immediate and easier to
    understand error when null or undefined is passed as the argument.
2019-10-20 01:29:26 +02:00
muxator
39aa368af9 dependencies: upgrade wd 1.11.3 -> 1.11.4
This is just a dev dependency.
2019-10-20 01:34:44 +02:00
muxator
529c4a314e windows: bump the node version included in the prebuilt package: 8.15.0 -> 10.16.3
Nodejs 8.x is going to be EOLed in a few months, and newer nodejs runtimes are
typically faster, a much needed benefit under Windows.

Closes #3652.
2019-10-20 03:16:01 +02:00
muxator
ce666f19bd windows: do not include dev dependencies in the prebuilt package
This makes the package smaller.

Before this change:
    added 981 packages from 1497 contributors [...]
    53M etherpad-lite-win.zip

After this change:
    added 734 packages from 1043 contributors [...]
    43M etherpad-lite-win.zip

Closes #3651.
2019-10-20 03:12:39 +02:00
muxator
283100db6b runtime: deprecate node 8.x. Require node >= 10.13.0 starting from Etherpad 1.8.3
Nodejs 8 will be EOLed on December 31th, 2019 (https://github.com/nodejs/Release).

This means any future Etherpad version released from 2020 on should require at
least the next LTS (10.13.0). Let's keep some margin and decide that the first
Etherpad version dropping node 8 compatibility will be 1.8.3.

Closes #3650.
2019-10-20 00:02:00 +02:00
muxator
1dd2004f1b security: since there is no dedicated security group, I take charge for now.
Disclosure of vulnerabilities should be handled by a dedicated, multi-person
group, which for now does not exist. I take charge (hopefully temporarily) of
being that point of contact for now.
2019-10-20 00:49:46 +02:00
muxator
decfdb6abe readme: language revision. Removed stale info.
Tried to simplify the document, to reduce unneded info, and to use a less
informal language.

For example, the introductory links describing git made sense 10 years ago.
Today they are not needed to understand what Etherpad is.
And mercurial was always better than git, anyways :)

The mailing list and the IRC channel seem pretty dead by now. Let's just
move everything to Github issues, which was the de facto situation anyways.

About the donation links: I am the maintainer, and I do not know the identity of
the owners of the donation links, so it is correct to remove them. The same was
done on the website three months ago:
https://github.com/ether/ether.github.com/commit/d4ef04605da5
2019-10-20 00:40:18 +02:00
muxator
312c72c364 formatting: bulk remove trailing whitespaces
Do not touch vendorized files (e.g. libraries that were imported from external
projects).

No functional changes.

Command:
    find . -name '*.<EXTENSION>' -type f -print0 | xargs -0 sed -i 's/[[:space:]]*$//'
2019-10-20 02:09:22 +02:00
muxator
24abd9ca07 formatting: dos2unix on admin.css
In preparation for next commit. I was not able to find other non-vendorized
files that were in DOS format and legitimately needed to be converted.

No functional changes.
2019-10-20 02:50:01 +02:00
muxator
fb4fdf8928 formatting: normalized line termination of start.bat
Its lines have to be in DOS format (CR/LF).
No functional changes.
2019-10-20 02:59:48 +02:00
muxator
f3a80e0eda package.json: reduced npm minimum version here, too (6.4.1 -> 5.5.1)
This should really have been part of 4f753809fe.
2019-10-20 01:06:34 +02:00
muxator
4f753809fe runtime: decrease minimum command-line npm version from 6.4 to 5.5
When nodejs 8.9.0 was released, its bundled npm version was 5.5.1 (see
https://nodejs.org/en/download/releases). It makes sense that we lover our
requirement to that version.

Please note that the npm version mentioned here does not refer to the npm
library installed as Etherpad dependency in node_modules via package.json
(which indeed is higher) but is merely the npm version used to bootstrap the
installation when running installDeps.sh.

This change amends 9d35d15ae3 and its planning issue - #3424 - which were too
strict.
2019-10-19 22:38:32 +02:00
Ray Bellis
fc661ee13a core: allow URL parameters and POST bodies to co-exist.
Node 8.14.0 prohibits HTTP headers that exceed 8 KB (source:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121).

This patch allows for the parameters within the body of an HTTP POST request to
be used in addition to those within the URL (and will override them).

Closes #3568.

---
Muxator 2019-10-19:
- this commit was cherry-picked from 882b93487f
- it was modified to include the necessary changes in the documentation
2019-06-27 00:52:53 +02:00
Pierre Prinetti
6d9264cf3c docker: enable environment variables settings by default
By leveraging the templating mechanism in `settings.json`, this change allows a
Docker client to run a prebuilt image and change some basic configuration
settings, like the instance name or, more importantly, the database
coordinates.

By default, the image runs witho no administrative user enabled. If a value is
given to ADMIN_PASSWORD, the `admin` user will be activated.

Also closes https://github.com/ether/etherpad-lite/issues/3623

---
Modified by muxator to support conditional user activation at runtime.
2019-10-19 02:39:20 +02:00
muxator
7c099fef5e settings: do not create a user if he has no password field, or if his password is null.
This will be used by the settings.json in the default Dockerfile to eschew
creating an admin user when no password is set.

Closes #3648.
2019-10-19 00:54:56 +02:00
muxator
4e758a9f4a settings: better explain that no default value is very different from ''
If environment variable PASSW is not defined, the following would be very
different:

  "password": "${PASSW}"  // would result in password === null
  "password": "${PASSW:}" // would result in password === ''

This characteristic will be used in the next commit, when we will use it to
discard a user if his password were null (and in turn use it for docker
containerization).

No functional changes.
2019-10-19 00:34:00 +02:00
muxator
1cc6838772 settings: reformat settings.json.template, in preparation for next commits
No functional changes.
2019-10-10 20:25:34 +02:00
aaron-costello
5879037ddc security: support for clean & safe error handling on IE 11
Added pad_utils sanitization for clean and safe error handling on browsers that
do not encode the path of the URL.

Edited by muxator based on https://github.com/ether/etherpad-lite/pull/3647,
to be able to apply the patch on develop (the PR was for master), and perform
minor cleanups (mainly spurious statements).

Closes #3647.
2019-10-18 21:00:11 +01:00
translatewiki.net
c65c5f17aa Localisation updates from https://translatewiki.net. 2019-10-14 17:20:29 +02:00
Stefan Schwarz
070a5fd74f remove npm cache from image 2019-10-08 19:51:11 +02:00
Stefan Schwarz
a9a3bf9bd2 use buster slim 2019-10-08 19:51:11 +02:00
muxator
5eb60cef01 jQuery: update vendored version (1.9.1 -> 1.12.4)
The vendored jquery version was 1.9.1 from 2013-02-04. Let's replace it with the
most recent one from the 1.x branch (1.12.4 from 2016-05-20).

The modification in rjquery.js is needed because recent jQuery versions changed
their behaviour, and do not set themselves on the global window object.
See: https://github.com/parcel-bundler/parcel/issues/333#issuecomment-357882648

This will be the lastest jQuery 1.x version ever, because 1.x branch is
definitively EOLed (see https://github.com/jquery/jquery.com/issues/162).

This is a stopgap measure to get the latest security fixes. Going forward,
another strategy will be needed.

Closes #3640
2019-09-16 22:55:53 +02:00
translatewiki.net
b3d8f857b7 Localisation updates from https://translatewiki.net. 2019-09-16 18:48:33 +02:00
translatewiki.net
506f4775cc Localisation updates from https://translatewiki.net. 2019-09-12 15:55:45 +02:00
translatewiki.net
a98cfe33de Localisation updates from https://translatewiki.net. 2019-09-06 06:47:40 +02:00
Moritz Jordan
0a8e32563b Fix Unicode bug in HTML export 2019-08-12 00:41:17 +02:00
muxator
161a38efd2 dependencies: update wd, 1.11.1 -> 1.11.3
This is a dev dependency, so no real risks, but it's better not to scare users.

Previously reported vulnerabilities fixed by this change:

$ npm audit
                       === npm audit security report ===

# Run  npm install --save-dev wd@1.11.3  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wd [dev]                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wd > lodash                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1065                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update lodash --depth 3  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wd [dev]                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wd > async > lodash                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1065                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
2019-08-08 22:29:58 +02:00
muxator
d555b052cb dependencies: update npm, 6.4.1 -> 6.10.3
This was an arbitrary file overwrite vulnerability in tar. A fix in the library
was available, but npm and npm-lifecycle took a while to issue updated versions.

Resolves #3598.

Previously reported vulnerabilities fixed by this change:

$ npm audit
                       === npm audit security report ===

# Run  npm install npm@6.10.3  to resolve 9 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > tar               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > npm-lifecycle > node-gyp > tar                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > node-gyp > tar                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > fstream           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/886                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > npm-lifecycle > node-gyp > fstream                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/886                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > node-gyp > fstream                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/886                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > libcipm > npm-lifecycle > node-gyp > tar > fstream     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/886                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > npm-lifecycle > node-gyp > tar > fstream               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/886                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > node-gyp > tar > fstream                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/886                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
2019-08-08 22:17:53 +02:00
Richlv
2c9383b69e minor typo fix 2019-08-08 21:58:30 +02:00
Lars Olafsen
1789129b35 NODE_ENV controls run-time behaviour, thus needs to be set by ENV 2019-08-08 21:53:47 +02:00
translatewiki.net
df03257d9c Localisation updates from https://translatewiki.net. 2019-08-08 20:05:35 +02:00
translatewiki.net
ea0554d70f Localisation updates from https://translatewiki.net. 2019-08-05 12:02:28 +02:00
translatewiki.net
4e601dd03b Localisation updates from https://translatewiki.net. 2019-08-01 18:19:57 +02:00
translatewiki.net
1845e91909 Localisation updates from https://translatewiki.net. 2019-07-29 14:23:20 +02:00
muxator
4582f9daeb docker: support including plugins in custom builds.
This commit introduces the support for the ETHERPAD_PLUGINS build parameter,
which contains a list of plugins to be installed while building the container.

EXAMPLE:
  docker build --build-arg ETHERPAD_PLUGINS="ep_codepad ep_author_neat" --tag <YOUR_USERNAME>/etherpad .

Resolves #3618.
2019-07-16 14:14:34 +02:00
muxator
b5ac653cbc docker: reorganized the README, same infos
This is in preparation for the next commit, which will introduce support for
custom builds with plugins.
2019-07-16 14:14:34 +02:00
muxator
e8e2284884 docker: move WORKDIR as on top as possible.
WORKDIR is also valid at build time, thus it makes sense to move it as towards
the top as possible.
This will come in hand in the next commits, when we will introduce support for
installing plugins while building the container.

Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir

    [...] you should use WORKDIR instead of proliferating instructions like
         RUN cd … && do-something,
    which are hard to read, troubleshoot, and maintain.
2019-07-16 14:14:34 +02:00
translatewiki.net
832e63c691 Localisation updates from https://translatewiki.net. 2019-07-15 20:01:25 +02:00
translatewiki.net
09d89cd74a Localisation updates from https://translatewiki.net. 2019-07-11 17:21:48 +02:00
translatewiki.net
3d0778d9c9 Localisation updates from https://translatewiki.net. 2019-07-08 20:05:10 +02:00