Commit graph

6088 commits

Author SHA1 Message Date
Stefan Mueller
91f25b51ff Merge remote-tracking branch 'origin/release/1.8.6' into develop 2020-09-20 21:23:14 +02:00
Richard Hansen
df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Richard Hansen
3886e95c83 SessionManager: Fix session expiration check
This bug was introduced in 8b0baa9679.
2020-09-19 21:10:36 +01:00
Sebastian Castro
12bd617f51
css: Improve toolbar responsiveness for small screen (#4322)
Until now, the "mobile layout" (with right toolbar on bottom of the screen) was displayed only when screen was smaller than 800px. It made the toolbar break for screen about 1000px when a lot of plugins are in the toolbar.
Now instead, we detect with javascript when the toolbar icons overflow the natural space available, and we switch in "mobile layout" in such case
2020-09-19 19:09:30 +01:00
Stefan Mueller
299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
webzwo0i
85f52a2f23
tests: Plugin backend tests in ci (#4314) 2020-09-18 16:28:42 +01:00
translatewiki.net
dfe0368910 Localisation updates from https://translatewiki.net. 2020-09-17 16:40:29 +02:00
Joas Souza
8c04fe8775
Feature: Copy Pad without history (#4295)
New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.
2020-09-16 19:24:09 +01:00
Richard Hansen
b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen
ae1142a799 tests: Use wtfnode to determine why mocha isn't exiting
If mocha hangs after running the tests, hit Ctrl-C and wtfnode will
print open files, open sockets, running timers, and running intervals.
Adding an `after` function that closes/stops all of those things will
ensure that mocha exits when it finishes running the tests.
2020-09-15 21:22:52 +01:00
Richard Hansen
e20731cb12 webaccess: Fix syntax error (missing close curly brace)
Somehow I introduced this bug in commit
2bc26b8ef8 but never noticed.
2020-09-15 21:21:13 +01:00
Richard Hansen
d2773609d1 PadMessageHandler: Fix assignment to const variable 2020-09-15 20:04:33 +01:00
Richard Hansen
5ac5b65aff Pad: Disable toolbar and import/export when reconnecting 2020-09-15 20:04:17 +01:00
Richard Hansen
6f28e415ec PadMessageHandler: Move code out of unnecessary closure (again) 2020-09-15 20:04:01 +01:00
Richard Hansen
9e6d3f3f63 tests: Add authentication, authorization bypass tests 2020-09-15 20:03:30 +01:00
Richard Hansen
80639fdc6a webaccess: Pass settings.users to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00
Richard Hansen
250e932f59 webaccess: Enforce creation of req.session.user by authn plugins
The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.
2020-09-15 19:26:14 +01:00
Richard Hansen
362b567276 docs: Revise documentation for handleMessage and handleMessageSecurity 2020-09-15 19:25:04 +01:00
Richard Hansen
80c0e2487d PadMessageHandler: Move code out of unnecessary closure
Also simplify the logic.
2020-09-15 19:23:48 +01:00
Richard Hansen
a261fdf430 i18n: Improve error logging when language JSON read fails
Before it only logged an error like this:

    SyntaxError: Unexpected string in JSON at position XYZ

Now it also logs the filename, making it easier to figure out where
the bad data is:

    failed to read file /path/to/etherpad-lite/src/locales/en.json: SyntaxError: Unexpected string in JSON at position XYZ
2020-09-15 15:32:43 +01:00
John McLear
38352c1f8c Merge branch 'develop' of github.com:ether/etherpad-lite into develop 2020-09-15 13:15:53 +01:00
John McLear
9f3cc7aae0 deps: update UeberDB to fix issue with Postgres which was causing 1.8.5 to fail on PG sites. 2020-09-15 13:15:28 +01:00
Richard Hansen
2bc26b8ef8 webaccess: Factor out common code 2020-09-15 10:44:23 +01:00
Richard Hansen
f9087fabd6 security: Check authentication in SecurityManager checkAccess
In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
2020-09-15 10:43:23 +01:00
Richard Hansen
259b8d891d socketio: Use Error objects for socket.io connection errors
socket.io expects Error objects, otherwise it won't propagate the
message to the client.

Also do some cleanup.
2020-09-15 10:42:25 +01:00
Richard Hansen
0a836ced29 css: Line up line numbers with their rows
Tested with both `no-skin` and `colibris`.
2020-09-15 09:29:09 +01:00
webzwo0i
ec6b983917
packaging: remove pad_docbar.js (#4286)
package to reduce http requests: nice-select,
pad_automatic_reconnect, skin_variants, scroll, caretPosition

rename unorm in tar.json so it can be included
2020-09-13 19:01:28 +01:00
Richard Hansen
d0a16d23cb security: Fix authentication bypass vulnerability
Before, anyone who could create a socket.io connection to Etherpad
could read, modify, and create pads at will without authenticating
first.

The `checkAccess` middleware in `webaccess.js` normally handles
authentication and authorization, but it does not run for `/socket.io`
requests. This means that the connection handler in `socketio.js` must
handle authentication and authorization. However, before this change:
  * The handler did not require a signed `express_sid` cookie.
  * After loading the express-session state, the handler did not check
    to see if the user had authenticated.

Now the handler requires a signed `express_sid` cookie, and it ensures
that `socket.request.session.user` is non-null if authentication is
required. (`socket.request.session.user` is non-null if and only if
the user has authenticated.)
2020-09-13 18:56:31 +01:00
John McLear
4434e54368
Update responsiveness.js
Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.
2020-09-12 11:00:05 +01:00
Richard Hansen
8b0baa9679 SecurityManager: Refactor checkAccess for readability, correctness
* Move session validity check and session author ID fetch to a
    separate function. This separate function can be used by hooks,
    making it easier for them to properly determine the author ID.
  * Rewrite the remainder of checkAccess. Benefits:
      - The function is more readable and maintainable now.
      - Vulnerability fix: Before, the session IDs in sessionCookie
        were not validated when checking settings.requireSession. Now,
        sessionCookie must identify a valid session for the
        settings.requireSession test to pass.
      - Bug fix: Before, checkAccess would sometimes use the author ID
        associated with the token even if sessionCookie identified a
        valid session. Now it always uses the author ID associated
        with the session if available.
2020-09-12 09:42:47 +01:00
Richard Hansen
8756fed80d PadMessageHandler: Use await instead of p.then() 2020-09-11 22:11:03 +01:00
Richard Hansen
3262ff1cb9 PadMessageHandler: Rename createSessionInfo to createSessionInfoAuth
The function doesn't create the session info -- it creates the auth
property of existing session info.
2020-09-11 22:11:03 +01:00
Richard Hansen
de792559cb PadMessageHandler: Use === instead of == for comparison 2020-09-11 22:11:03 +01:00
Richard Hansen
7f0770d684 PadMessageHandler: Invert logic to improve readability 2020-09-11 22:11:03 +01:00
Richard Hansen
d4db091d1d PadMessageHandler: Simplify handleClientReady a bit
Before, this function referred to the same author ID in different ways
in different places. Use one spelling to make the code easier to read.
2020-09-11 22:11:03 +01:00
Richard Hansen
ed3c82e8c3 Use null, not "null", if sessionID cookie doesn't exist
`decodeURIComponent(null)` returns the string `'null'`, which we don't
want.
2020-09-11 22:10:04 +01:00
translatewiki.net
24978daeb0 Localisation updates from https://translatewiki.net. 2020-09-10 18:36:59 +02:00
webzwo0i
e2b3b009e1
tests: skip responsivness test on firefox 52.0/windows (#4275) 2020-09-09 21:40:53 +01:00
John McLear
5dfae625b9 Package Lock update 2020-09-09 18:15:47 +01:00
John McLear
c8361a211a bump ueber 2020-09-09 14:41:03 +01:00
Stefan Mueller
477f637488 Merge tag '1.8.5' into develop
Version 1.8.5
2020-09-08 22:34:35 +02:00
Stefan Mueller
f3d950c664 Merge branch 'release/1.8.5' 2020-09-08 22:34:02 +02:00
Stefan Mueller
5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
Stefan Mueller
e64a269a65 Update version to 1.8.5 2020-09-08 22:09:56 +02:00
Stefan Mueller
10402c2e2d Update version to 1.8.5 2020-09-08 21:56:20 +02:00
John McLear
7258d75cc5 bumping ueber 2020-09-08 16:03:15 +01:00
John McLear
2b9915d00d commenting out responsiveness test in preperation for a release 2020-09-08 15:18:19 +01:00
Richard Hansen
6c2a361935 import: Use the correct author ID when using sessions
There are two different ways an author ID becomes associated with a
user: either bound to a token or bound to a session ID. (The token and
session ID come from the `token` and `sessionID` cookies, or, in the
case of socket.io messages, from the `token` and `sessionID` message
properties.) When `settings.requireSession` is true or the user is
accessing a group pad, the session ID should be used. Otherwise the
token should be used.

Before this change, the `/p/:pad/import` handler was always using the
token, even when `settings.requireSession` was true. This caused the
following error because a different author ID was bound to the token
versus the session ID:

> Unable to import file into ${pad}. Author ${authorID} exists but he
> never contributed to this pad

This bug was reported in issue #4006. PR #4012 worked around the
problem by binding the same author ID to the token as well as the
session ID.

This change does the following:
  * Modifies the import handler to use the session ID to obtain the
    author ID (when appropriate).
  * Expands the documentation for the SecurityManager checkAccess
    function.
  * Removes the workaround from PR #4012.
  * Cleans up the `bin/createUserSession.js` test script.
2020-09-08 15:04:17 +01:00
Richard Hansen
db0bcb524e SecurityManager: Use constants for returned rejections
This reduces the chances of a typo-induced bug.
2020-09-08 14:53:28 +01:00
Sebastian Castro
818194da90
editor/performance: Fix performance for large pads (#4267)
* Fix line numbers top padding

This old rule was conflicting with new css rules introduced in 1.8.4

* Fixes #4228 Performance degradation for long pads 

Due to layout trashing when calculating new heights
2020-09-08 14:52:26 +01:00