Commit graph

5300 commits

Author SHA1 Message Date
muxator
e34c74b24d skins: the settings class understands skinName. Send skinName value to the client
skinName must be a single string (no directory separators in it) pointing to an
existing directory under /src/static/skins.
In case these conditions are not met, its value is rewritten to "no-skin".

Also, the value of skinName if sent to the client via clientVars for allowing
its use it in the browser.
2018-08-26 21:17:04 +02:00
muxator
7edc0fea16 skins: added new parameter "skinName" in setting.json.template
"colibris" does not exist yet, but let's mention it anyway.
2018-08-26 21:17:04 +02:00
muxator
aba1c6f8bd skins: moved "static/custom" -> "static/skins/no-skin"
The old empty skin created by the startup scripts becomes the default: no-skin.
2018-08-26 21:17:04 +02:00
muxator
0c518cadf5 skins: replace {js,css}.template with actual files. Simplify startup scripts.
Currently, an Etherpad skin requires the existence of 6 files:
- index.{css,js}
- pad.{css,js}
- timeslider.{css,js}

In the default empty skin (in static/custom), there were 2 small placeholders
({js,css}.template) to be copied in place by the startup script in case no skin
was in use.

Now that we are moving to multiple directories (see #3471) we can simply commit
the example files and remove the copying code from the startup script.
2018-08-26 21:17:04 +02:00
muxator
6c56e7ca7a ace.js: use URL encoding when building an URL via string concatenation
Not performing encoding/decoding when traversing logical domains is a security
risk.
String concatenation is not great, too, but this change is just focused on
allowing the implementation of skin support.
2018-08-26 02:40:36 +02:00
Luc Didry
2cc32d7fe9 Add --writer option to soffice convert command
If you edit `src/templates/export_html.html` to remove the
`<meta name="changedby" content="Etherpad">` tag[1], PDF export with
soffice has a bug: the first word of the pad is deleted and a blank page
is inserted as first page (the pad's text begins on the second page).
The `--writer` soffice option avoids that bug.

[1] you may want to delete that tag since it is inserted as a comment in
.doc or .odt soffice export.
2018-08-24 18:26:51 +02:00
muxator
06476f7ad2 settings.json.template: reorganized dbSetting section to be more comment-friendly
It is better to keep the dirtyDB settings together, so they can be commented out
via a /* ... */.
Nested comments blocks would crash the application on start, because they are
syntactically incorrect.

Let's reduce this possibility, promoting an easier standard.
2018-08-24 01:26:05 +02:00
muxator
d1481041c2 specialpages: replace relative paths for sendfile() with absolute ones
This file uses it for robots.txt and favicon.ico.

This makes use of the new stable settings.root introduced with #3466, and will
be modified when introducing support for custom skins.
2018-08-23 23:39:38 +02:00
muxator
9db5fd7884 AbsolutePaths: introduced isSubdir()
It can be used to check whether a user input or a configuration settings tries
to traverse the directory hierarchy, going out of its allowed bounds.

source: https://stackoverflow.com/questions/37521893/determine-if-a-path-is-subdirectory-of-another-in-node-js#45242825
2018-08-23 07:20:17 +02:00
translatewiki.net
0728e66723 Localisation updates from https://translatewiki.net. 2018-08-23 08:15:56 +02:00
muxator
ce14a99606 settings, APIHandler: use makeAbsolute() for locating APIKEY and SESSIONKEY 2018-08-23 07:02:45 +02:00
muxator
8247d5eef3 settings: use makeAbsolute() for locating settings.json and credentials.json
This should look to consistent locations when looking for relative paths,
without depending on current working directory.
For absolute paths, nothing changes.
2018-08-23 07:02:45 +02:00
muxator
435b2a4edf settings: the dirtyDb file path is interpreted using makeAbsolute()
Otherwise its position depended on process.cwd
2018-08-23 07:02:45 +02:00
muxator
5406472d65 AbsolutePaths: makeAbsolute() computes an absolute path from a relative one
The base is assumed to be exports.findEtherpadRoot(), without depending on
process.cwd.
2018-08-23 07:02:45 +02:00
muxator
1b938a7a40 settings: compute exports.root via AbsolutePaths.findEtherpadRoot()
First steps for fixing #3466.
2018-08-23 07:02:45 +02:00
muxator
b1a0e14ee2 AbsolutePaths: written findEtherpadRoot()
This is just a function (with an ugly side effect for caching purposes) that
heuristically tries to compute the Etherpad installation path when running under
Unix and win32 (they have different file system layouts).

This path can be used by Etherpad as a base for all the relative paths, in order
to be deterministic and not depending on cwd.
2018-08-23 07:02:45 +02:00
muxator
cbce3c1b08 AbsolutePaths: written utility function popIfEndsWith()
It will be necessary in the next commit to evaluate the Etherpad base
install path.
2018-08-23 07:02:45 +02:00
muxator
dbf7eff1fc AbsolutePaths: module for deterministically computing relative Etherpad paths
Empty for now.
2018-08-23 07:02:45 +02:00
muxator
ec5573f88c settings, APIHandler: generate more informative logs 2018-08-21 00:05:15 +02:00
muxator
b635371d52 settings: the default dirty.db location should be var/dirty.db
This is the location that is choosen by default when Etherpad starts with no
settings.json file.
It was different than the one contained into setting.json.template.
2018-08-21 21:57:13 +02:00
muxator
cb07805022 NodeVersion: take responsibility for ugly code 2018-08-22 00:12:53 +02:00
muxator
93641a165d dependencies: update socket.io 1.7.3 -> 2.1.1
Version 2.x is not backwards compatible with 1.x.
However, according to [0], [1] and [2], it seems that the biggest concern is
when mixing different server and client versions, and this is not Etherpad's
case.

Smoke tested (successfully) on Firefox 61, Chromium 68.

npm audit before this change:
  found 12 vulnerabilities (9 low, 3 high) in 8205 scanned packages
    11 vulnerabilities require semver-major dependency updates.
    1 vulnerability requires manual review. See the full report for details.

npm audit after this change:
  found 1 low severity vulnerability in 8196 scanned packages
    1 vulnerability requires manual review. See the full report for details.

Fixes #3462

[0] https://socket.io/blog/socket-io-2-0-0/
[1] https://github.com/socketio/socket.io/issues/3007#issuecomment-336791836
[2] a0d7a794de
2018-08-18 19:42:42 +02:00
muxator
5f9de6948c cleanRun.sh: get rid of "Bad substitution" error
It was introduced in 4a18f0d97d (#3356).
2018-08-17 22:22:14 +02:00
muxator
4408a1e505 release: prepare for 1.7.0
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator
d7696413da createRelease.sh: deprecate the script. It will be removed or modified.
Starting with Etherpad 1.7.0, the branching strategies for releases will be
simplified.
Leaving this script here, as it's useful for documenting other release-related
activities.
2018-08-17 00:09:25 +02:00
muxator
36b629346d dependencies: updated npm to 6.4.0 2018-08-16 22:04:40 +02:00
muxator
10eadba0d6
docs: mention that nodejs >= 8.9 is preferred 2018-08-15 23:43:11 +02:00
muxator
fc14f60a4b runtime: polyfill Object.values()
Minimum supported Node version is 6.9.0, but Object.values() was introduced in
Node < 7. Let's use a polyfill if needed.

This will be removed when minimum supported Node version is raised to 8.9.0.

Fixes #3459
2018-08-15 22:34:05 +02:00
muxator
7a6d969537 docs: started writing down the requirements for pull requests
No more merge commits in the PR: we want to be able to bisect easily.
Probably the whole doc needs to be updated. Also, we need to have templates for
PRs and Bug Reports, and they have to be described in the document.

Fixes #3454
2018-08-15 02:19:05 +02:00
muxator
9d815c58b8 deprecations: get rid of DEP0005 about Buffer()
Similar code still lives in some dependent libraries.
It will be updated when upgrading the dependencies.

Fixes #3446
2018-08-14 19:45:03 +02:00
muxator
6d5a6cf795 caching_middleware: removed unnecessary escape in regex
Found by eslint with "no-useless-escape"
2018-08-14 19:33:10 +02:00
"muxator ext:(%22)
d499e1b046 docs: direct link to measured.Collection from stats.md 2018-08-14 13:27:31 +02:00
"muxator ext:(%22)
42a0772955 dependencies: updated measured 1.1.0 -> measured-core 1.11.2
When installing dependencies, npm informed us that measured had been deprecated,
and renamed to measured-core. Let's follow the advice, and get rid of the
warning.

  npm WARN deprecated measured@1.1.0: This package has been renamed to
  measured-core, all versions of measured have been re-released under
  measured-core, please update your package and consider updating to the newest
  version. See https://github.com/yaorg/node-measured for latest updates.

This package is used to expose a single endpoint ("/stats"), whose output does
not change after this commit.

Fixes #3458
2018-08-14 13:22:41 +02:00
muxator
d38f53181f settings.json: in the mysql example, mention the existence of port parameter
The port parameter is supported by the mysql driver, but to know this one has to
read through ueberDB's code.

At least for this simple case, it may make sense to be explicit.

Fixes #3453
2018-08-11 16:44:37 +02:00
Masaru Nagaku
392f39b623 fix bug for getPadPlainText 2018-08-11 11:02:20 -03:00
muxator
e9fb63f426 docs: "``js" -> "``json" in Markdown of some json blocks 2018-08-09 22:27:56 +02:00
Muh Muhten
3cedf474e5 Fix misparse of port when binding Unix socket
The hostname:port of URIs used in Minify are currently bogus and refer
to localhost only for historical reasons; there's no reason to retain
them and omitting them avoids generating an invalid URI when "port" is
not an integer.

Context: settings.port is passed to express's listen; if not numeric, it
is used a filename for a Unix domain socket.
This allows e.g. starting a server to be reverse-proxied on a multi-user
system, using the filesystem to handle access control and avoiding need
to allocate port numbers.

Before this change, etherpad-lite starts without error when configured
to listen on a Unix domain socket in this manner. However, `pad.js` and
`ace2_common.js` are generated incorrecting, causing an error
"Uncaught Error: The module at "ep_etherpad-lite/static/js/rjquery" does not exist."
when loading the editor:

When settings.port is a non-numeric string, e.g. `etherpad.sock`, a URI
of the form `http://localhost:etherpad.sock/static/js/rjquery.js` is
generated and parsed to find the file needed. In this case, the file
searched for is `:etherpad.sock/static/js/rjquery.js`, rather than the
expected `static/js/rjquery.js`. No such file exists, and the required
code is silently omitted from the bundle.

As a workaround, hard-code a (meaningless) hostname which can be parsed
correctly, since the current code makes no use of it anyway.
2018-08-10 01:57:30 +02:00
muxator
6c6ac40f7b doc: review "Tweak the settings" 2018-08-09 19:42:14 +02:00
Michael Braun
980a5951ea hint to --sessionkey, --apikey and --credentials in README.md 2018-08-09 19:42:14 +02:00
Michael Braun
971853ca58 remove -k argument as it is currently for both sessionkey and apikey 2018-08-09 19:42:14 +02:00
muxator
b466acd881 Merge test fixes for import/export. Fixes #3425.
Now we have a working test for #3268 (fe08d2a1db).
2018-08-09 18:54:55 +02:00
muxator
10f0cb3253 security: suggest installing ep_hash_auth to get rid of plain text passwords
In its current form, Etherpad stores passwords for users in plain text in
settings.json. We should at least mention the opportunity of installing
ep_hash_auth to start tackling this problem.

The advice was added in README.md and in settings.json.template

Fixes #3444
2018-08-09 00:17:15 +02:00
muxator
044f761b99 settings.json: reformat comments, no functional changes. 2018-08-08 23:49:32 +02:00
ilmar
718b175524 tests: show that Etherpad is not able to import & export back a mixed lists
This commit replaces an old test with a new, different one.
Reasons for removing the old test:

- the old list test was introduced in cadb83a with an explicit attempt to import
  an invalid HTML and see if it could recover from it
- in 5967e08 the code base finally managed to export a meaningful HTML (but we
  do not know if other bugs were introduced in pursuing this)
- the old test seemed to aim at attaining resiliency, but correctness should be
  addressed before that

Modified by muxator. See discussion in:
https://github.com/ether/etherpad-lite/pull/3268#issuecomment-411185713
2018-08-06 23:15:48 +03:00
"muxator ext:(%22)
d23cf924c9 installDeps: replace GNU specific long options whith short ones
Long options are only present in GNU cut, and we aim to also support other
platforms.
2018-07-31 12:44:17 +02:00
muxator
65b9626669 dependencies: updated express & express-session
express: 4.13.4 -> 4.16.3
express-session: 1.13.0 -> 1.15.6

This, along with the previous commit, partially implements #3429.
2018-07-29 01:44:49 +02:00
muxator
1101c0279f dependencies: wd, 1.6.1 -> 1.10.3
It's a dev dependency, no breakages in backend and frontend tests.
2018-07-29 01:41:15 +02:00
muxator
a0d5eb18a0 tests: introduce istanbul.js to check code coverage
see: https://istanbul.js.org
2018-07-28 23:54:51 +02:00
muxator
f7000c786d tests: update mocha 5.0.5 -> 5.2.0
This does not break any backend tests
2018-07-28 23:54:51 +02:00
muxator
4e10f4d52a tests: sent Nyan Cat into eternal oblivion
Alive and kicking since 2014 (3ac833d455), but it is now time to go on
2018-07-28 23:54:51 +02:00