Commit graph

66 commits

Author SHA1 Message Date
muxator
a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us.
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information whether the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
ahmadine
0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator
7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00
muxator
4f53b35bcb changelog: reflect the fact that next release will be 1.8-beta.1
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator
55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator
705cc6f5e4 Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00
muxator
a6656102d8 CHANGELOG.md: link to https://translatewiki.net instead of plain http 2019-04-16 00:53:00 +02:00
muxator
4f0a2785da release: prepare for 1.7.5
Written the changelog and updated package.json.
2019-01-26 00:16:03 +01:00
muxator
4408a1e505 release: prepare for 1.7.0
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator
60c1036ecb changelog: put <ol> in backticks
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
2018-07-20 12:33:45 +02:00
muxator
bfec44e346 Release version 1.6.6 2018-05-05 00:53:59 +02:00
muxator
e13ae0aec5 changelog: better specified CVE description
Previous commit was wrong.
Fixes #3372, really.
2018-05-04 23:24:58 +02:00
muxator
10d555bc91 changelog: better specified CVE description
fixes #3372
2018-05-04 23:15:22 +02:00
muxator
3eb3e301a2 manually updated CHANGELOG.md
due to createRelease.sh not catching an error from sed and continuing:
   sed: -e expression #1, char 66: unterminated `s' command
2018-04-10 00:50:28 +02:00
John McLear
0132f4d1da Include CVE # 2018-04-07 10:13:09 +01:00
John McLear
c34350f307 Beginning to make release 2018-04-07 09:22:13 +01:00
Stefan
1e25e7fc77 Release version 1.6.3 2018-02-03 12:57:22 +01:00
Stefan (Gared)
e84c696225 Updated CHANGELOG.md 2017-11-04 17:38:59 +01:00
Jonah Duckles
fcde66050e Fix markdown H1 2017-05-30 13:34:07 +12:00
Stefan
9f51432175 Update CHANGELOG.md 2016-12-23 22:12:18 +01:00
Stefan
5ed9f2736a Add version 1.6.0 changelogs 2016-04-24 21:32:21 +02:00
Stefan
6fae670476 Release version 1.5.7 (changelog) 2015-08-05 19:25:11 +02:00
Stefan
2393ea01f0 Release version 1.5.6 2015-04-16 23:06:24 +02:00
Stefan
64d94cb346 Release version 1.5.5 2015-04-13 17:27:14 +02:00
Stefan
1b9a51c879 Release version 1.5.4 2015-04-11 10:19:02 +02:00
John McLear
fc60ddded1 changelog 2015-04-10 22:23:07 +01:00
Stefan
c0260bcc40 Add changelog for v1.5.2 2015-03-15 14:28:47 +01:00
Stefan
c80a64a379 Update CHANGELOG.md 2015-01-24 19:24:20 +01:00
John McLear
af7cd91a82 formatting 2015-01-24 15:14:19 +00:00
John McLear
e41b3ae0a3 updated CL 2015-01-24 15:13:26 +00:00
John McLear
95af55992a changelog 2015-01-01 17:13:50 +00:00
John McLear
2530bf0a86 add changelog and bump v number 2014-09-06 17:25:09 +01:00
John McLear
e23af7e439 changelog, package file and fix for redo 2014-03-26 15:44:04 +00:00
Marcel Klehr
e8c69a5474 Update changelog and bump version 2013-10-21 20:18:16 +02:00
Marcel Klehr
b9cc91e6ad Update CHANGELOG 2013-10-12 20:35:23 +02:00
Marcel Klehr
74bc2bd761 Prepare release 2013-10-12 14:16:06 +02:00
John McLear
ba1a5da76d bump and changelog 2013-06-24 13:35:17 +01:00
John McLear
4989f56673 undo avoid changeset spam as it breaks functionality 2013-04-15 14:36:25 +01:00
John McLear
2c8699506d push express back as it breaks sessions 2013-04-15 12:21:10 +01:00
John McLear
b137f301e2 MAGIQ 2013-04-11 18:34:40 +01:00
John McLear
f4123d2904 bump v and readme 2013-04-11 17:04:54 +01:00
John McLear
35d84144db changelog and package file 2013-04-04 00:59:51 +01:00
John McLear
af80e37ac7 missed this one.. 2013-03-23 15:03:56 +00:00
John McLear
ab2e805aa0 changelog 2013-03-23 14:50:00 +00:00
Marcel Klehr
54433db47f release v1.2.9 2013-03-15 21:43:29 +01:00
John McLear
0c9214bb27 bump v and changelog 2013-03-06 15:08:27 +00:00
John McLear
7f9a51e614 changelog 2013-03-05 13:33:09 +00:00
John McLear
c37875e09a update changelog 2013-02-18 19:33:31 +00:00
John McLear
fb97920163 update changelog 2013-02-18 19:32:07 +00:00
John McLear
3325aa8468 bit of info about deps 2013-02-10 21:15:00 +00:00