This is a followup on 312c72c364, which did the same on the main code base,
and is preliminary work for tidying up John's changes in the following commits.
No functional changes.
Command:
find tests/frontend -name '*.js' -type f -print0 | xargs -0 sed --in-place 's/[[:space:]]*$//'
For all the supported operating systems, the latest version of each browser is
supported, with the Exception of Win 8 / IE 10, which has an explicit version
pinned.
By specification [0], the if-modified-since HTTP header sent by browsers does
not include milliseconds.
Before this patch, let's say a file was generate at time:
t_real-file = 2020-03-22T02:15:53.548Z (note the fractional seconds)
When issuing a conditional request, the browser would truncate the fractional
part, and only request an if-modified-since with this contents:
t_if-modified-since = 2020-03-22T02:15:53.000Z
The minify() function would return HTTP/304 only if
t_if-modified-since >= t_real-file, but this would never be true unless, by
chance, a file was generated at XX.000Z.
This resulted in that file being minified/compressed again and resent to the
client for no reason. After this patch, the server correctly responds with
HTTP/304 without doing any computation, and the browser uses the cached file.
[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
No variation in # of security vulnerabilities.
The output of `npm audit` goes from this:
found 7 vulnerabilities (5 low, 2 high) in 13881 scanned packages
7 vulnerabilities require manual review. See the full report for details.
To this:
found 7 vulnerabilities (5 low, 2 high) in 13795 scanned packages
7 vulnerabilities require manual review. See the full report for details.
This is a dev dependency. No impact in production.
After this upgrade the backend tests ("cd src; npm test") still pass.
This fixes 2 reported security vulnerabilities.
The output of `npm audit` goes from this:
found 9 vulnerabilities (7 low, 2 high) in 13707 scanned packages
run `npm audit fix` to fix 1 of them.
1 vulnerability requires semver-major dependency updates.
7 vulnerabilities require manual review. See the full report for details.
To this:
found 7 vulnerabilities (5 low, 2 high) in 13881 scanned packages
7 vulnerabilities require manual review. See the full report for details.
This is a dev dependency. No impact in production.
After this upgrade the backend tests ("cd src; npm test") still pass.
This fixes 1 reported security vulnerability.
The output of `npm audit` goes from this:
found 10 vulnerabilities (8 low, 2 high) in 13390 scanned packages
run `npm audit fix` to fix 2 of them.
1 vulnerability requires semver-major dependency updates.
7 vulnerabilities require manual review. See the full report for details.
To this:
found 9 vulnerabilities (7 low, 2 high) in 13707 scanned packages
run `npm audit fix` to fix 1 of them.
1 vulnerability requires semver-major dependency updates.
7 vulnerabilities require manual review. See the full report for details.
This fixes 107 reported security vulnerabilites.
The output of `npm audit` goes from this:
found 117 vulnerabilities (115 low, 2 high) in 13365 scanned packages
run `npm audit fix` to fix 6 of them.
1 vulnerability requires semver-major dependency updates.
110 vulnerabilities require manual review. See the full report for details.
To this:
found 10 vulnerabilities (8 low, 2 high) in 13390 scanned packages
run `npm audit fix` to fix 2 of them.
1 vulnerability requires semver-major dependency updates.
7 vulnerabilities require manual review. See the full report for details.
The changelog for npm can be read at https://github.com/npm/cli/releases
CleanCSS 3.4.19 had a Regex Denial of Service vulnerability and has to be
updated. The major version bump requires the following changes:
1. Disabling rebase is necessary because otherwise the URLs for the web fonts
become wrong;
EXAMPLE 1:
/static/css/src/static/font/fontawesome-etherpad.woff
instead of
/static/font/fontawesome-etherpad.woff
EXAMPLE 2 (this is more surprising):
/p/src/static/font/opendyslexic.otf
instead of
/static/font/opendyslexic.otf
2. CleanCSS.minify() can either receive a string containing the CSS, or an array
of strings. In that case each array element is interpreted as an absolute
local path from which the CSS file is read.
In version 4.x, CleanCSS API was simplified, eliminating the relativeTo
parameter, and thus we cannot use our already loaded "content" argument, but
we have to wrap the absolute path to the CSS in an array and ask the library
to read it by itself.
Fixes#3616.
The next commit will update a dependency in package.json. This commit only
refreshes package-lock.json recalculating it at the current date.
In this way we will be sure that any modifications in package-lock.json in the
next commit will be only due to the package.json change.
Should this commit introduce any regression, we would know for certain that one
of our dependencies is not correctly honoring their semver promises.
For some reason authorInfo is sometimes null, and therefore it is not possible
to get colorId from it.
This resulted in the following stack trace:
[2020-03-16 09:27:17.291] [ERROR] console - (node:1746) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'colorId' of null
at <BASEDIR>/src/node/handler/PadMessageHandler.js:1199:37
at runMicrotasks (<anonymous>)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Promise.all (index 0)
at async handleClientReady (<BASEDIR>/src/node/handler/PadMessageHandler.js:1171:5)
[2020-03-16 09:27:17.291] [ERROR] console - (node:1746) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 76)
[2020-03-16 09:27:19.034] [WARN] message - Dropped message, USERINFO_UPDATE Session not ready.[object Object]
Which is due to a bug in Etherpad that we are not going to solve now.
As a workaround, when this happens, let's set the username to "Anonymous" (if
it is not already set), and colorId to the fixed value "#daf0b2". Warning
messages are written in the logs to signal this condition.
This is no definitive solution, but fixes#3612 (via a workaround).
Before this patch, visiting the read-only URL for a random pad would remove
the "Save Revision" (the "star" icon) from all the other RW pads. The only way
to make it appear again was to restart the server.
This change does not fix the underlying bug: after visiting a read only link
the "star" button would still disapper, but it is explictly reinserted via an
ad-hoc condition.
Fixes#3702
That commit (merged recently with PR #3622) was part of an effort to fix#3620,
but introduced a very bad bug that broke the cursor behaviour when pressing
space, making the program unusable.
This commit completes the revert of PR #3622 and fixes#3728.
--HG--
branch : revert-3622
This was a preparatory commit for 3292429ab3 (which introduced a bug, see
issue #3728) and modified the tests for issue #3620.
Commit 155a895604 per se did not introduce any bugs, but was difficult to
inspect because of its size. For this, the corresponding PR (#3622) should not
have been accepted.
--HG--
branch : revert-3622
By specification, when settings.allowUnknownFileEnds is true and the user tries
to import a file with an unknown extension (this includes no extension),
Etherpad tries to import it as txt.
This broke in Etherpad 1.8.0, that abruptly terminates the processing with an
UnhandledPromiseRejectionWarning.
This patch restores the intended behaviour, and allows to import as text a file
with an unknown extension (on no extension).
In order to catch the UnhandledPromiseRejectionWarning we had to use
fsp_rename(), which is declared earlier in the code and is promised based
instead of fs.rename(), which is callback based.
Fixes#3710.
Before this change, invoking a non existing API method would return an HTTP/200
response with a JSON payload {"code":3,"message":"no such function"}.
This commit changes the HTTP status code to 404, leaving the payload as-is.
Before:
curl --verbose "http://localhost:9001/api/1/notExisting?apikey=ABCDEF"
< HTTP/1.1 200 OK
< X-Powered-By: Express
[...]
{"code":3,"message":"no such function","data":null}
After:
curl --verbose "http://localhost:9001/api/1/notExisting?apikey=ABCDEF"
< HTTP/1.1 404 OK
< X-Powered-By: Express
[...]
{"code":3,"message":"no such function","data":null}
Fixes#3546.
Before this change there was always a single toolbar on the top, with both
Colibris and the legacy skin. When the screen size was reduced:
- the legacy skin would compact the icons in the toolbar (this was fine,
indeed);
- Colibris would hide some formatting icons. This would hamper the functionality
for mobile users.
After this change both the skins work in the same way, which is the following:
- when the screen gets smaller the right toolbar (the one with "export",
"timeslider", and other buttons) goes to the bottom of the screen;
- when there are many icons, the toolbar keeps all of them, and to see them the
user must drag the toolbar.
This behaviour will probably be changed before release, opting instead to show
a "+" button when there is an overflow, since this appears to be more
discoverable (see the discusison in #3697).
Do not tested with custom toolbar elements (toolbar.left and toolbar.right
configuration items in settings.json).
Fixes#3697.
Steps to reproduce (via HTTP API):
1. create a group via createGroup()
2. create a group pad inside that group via createGroupPad()
3. make that pad public calling setPublicStatus(true)
4. access the pad via a clean web browser (with no sessions)
5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist
This was due to an overlook in 769933786c: "apierror: sessionID does not
exist" may be a legal condition if we are also visiting a public pad. The
function that could throw that error was sessionManager.getSessionInfo(), and
thus it needed to be inside the try...catch block.
Please note that calling getText() on the pad always return the pad contents,
*even for non-public pads*, because the API bypasses the security checks and
directly talks to the DB layer.
Fixes#3600.
Note by muxator:
This commit introduced a copied & modified version of the testing files
loadSettings.js and pad.js.
It's Christmas night, and we want to shipt this feature, so I merged it anyway,
adding a note in both the original and copied files so that hopefully someone
in the distant future is going to merge them back again.