Commit graph

5481 commits

Author SHA1 Message Date
muxator
ca35488273 minify: upgrade clean-css 3.4.19 -> 4.2.3. Adapt to the semver major change
CleanCSS 3.4.19 had a Regex Denial of Service vulnerability and has to be
updated. The major version bump requires the following changes:

1. Disabling rebase is necessary because otherwise the URLs for the web fonts
   become wrong;

   EXAMPLE 1:
       /static/css/src/static/font/fontawesome-etherpad.woff
     instead of
       /static/font/fontawesome-etherpad.woff

   EXAMPLE 2 (this is more surprising):
       /p/src/static/font/opendyslexic.otf
     instead of
       /static/font/opendyslexic.otf

2. CleanCSS.minify() can either receive a string containing the CSS, or an array
   of strings. In that case each array element is interpreted as an absolute
   local path from which the CSS file is read.

   In version 4.x, CleanCSS API was simplified, eliminating the relativeTo
   parameter, and thus we cannot use our already loaded "content" argument, but
   we have to wrap the absolute path to the CSS in an array and ask the library
   to read it by itself.

Fixes #3616.
2020-03-22 00:33:22 +01:00
muxator
2c44a0f71e package-lock: preliminary recomputation before updating a dependency
The next commit will update a dependency in package.json. This commit only
refreshes package-lock.json recalculating it at the current date.
In this way we will be sure that any modifications in package-lock.json in the
next commit will be only due to the package.json change.

Should this commit introduce any regression, we would know for certain that one
of our dependencies is not correctly honoring their semver promises.
2020-03-22 00:00:45 +01:00
muxator
a1978d2245 Minify: on errors, generate logs instead of simply silencing them
This will help when we'll have to update clean-css.
2020-03-20 22:46:39 +01:00
John McLear
c316402d86 PadMessageHandler: use a predefined color when authorInfo.colorId is not defined
For some reason authorInfo is sometimes null, and therefore it is not possible
to get colorId from it.

This resulted in the following stack trace:
    [2020-03-16 09:27:17.291] [ERROR] console - (node:1746) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'colorId' of null
    at <BASEDIR>/src/node/handler/PadMessageHandler.js:1199:37
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Promise.all (index 0)
    at async handleClientReady (<BASEDIR>/src/node/handler/PadMessageHandler.js:1171:5)
    [2020-03-16 09:27:17.291] [ERROR] console - (node:1746) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 76)
    [2020-03-16 09:27:19.034] [WARN] message - Dropped message, USERINFO_UPDATE Session not ready.[object Object]

Which is due to a bug in Etherpad that we are not going to solve now.

As a workaround, when this happens, let's set the username to "Anonymous" (if
it is not already set), and colorId to the fixed value "#daf0b2". Warning
messages are written in the logs to signal this condition.

This is no definitive solution, but fixes #3612 (via a workaround).
2020-03-20 22:32:06 +01:00
John McLear
b480416375 toolbar: the "star" button no longer disappears when visiting a read-only pad
Before this patch, visiting the read-only URL for a random pad would remove
the "Save Revision" (the "star" icon) from all the other RW pads. The only way
to make it appear again was to restart the server.

This change does not fix the underlying bug: after visiting a read only link
the "star" button would still disapper, but it is explictly reinserted via an
ad-hoc condition.

Fixes #3702
2020-03-19 22:42:22 +01:00
muxator
840b4a0988 contentcollector: backed out changeset 3292429ab3
That commit (merged recently with PR #3622) was part of an effort to fix #3620,
but introduced a very bad bug that broke the cursor behaviour when pressing
space, making the program unusable.

This commit completes the revert of PR #3622 and fixes #3728.

--HG--
branch : revert-3622
2020-03-19 02:53:41 +01:00
muxator
c382ba35c9 tests: backed out changeset 155a895604
This was a preparatory commit for 3292429ab3 (which introduced a bug, see
issue #3728) and modified the tests for issue #3620.

Commit 155a895604 per se did not introduce any bugs, but was difficult to
inspect because of its size. For this, the corresponding PR (#3622) should not
have been accepted.

--HG--
branch : revert-3622
2020-03-19 02:53:41 +01:00
John McLear
8261229323 pass file ending 2020-03-17 13:08:46 +00:00
Tudor Constantin
28102d8e1f ImportHandler: importing files with unknown extension work again when allowUnknownFileEnds is true
By specification, when settings.allowUnknownFileEnds is true and the user tries
to import a file with an unknown extension (this includes no extension),
Etherpad tries to import it as txt.

This broke in Etherpad 1.8.0, that abruptly terminates the processing with an
UnhandledPromiseRejectionWarning.

This patch restores the intended behaviour, and allows to import as text a file
with an unknown extension (on no extension).

In order to catch the UnhandledPromiseRejectionWarning we had to use
fsp_rename(), which is declared earlier in the code and is promised based
instead of fs.rename(), which is callback based.

Fixes #3710.
2020-03-17 12:41:18 +01:00
John McLear
a0579c90db APIHandler: return HTTP/404 when non existing API methods are invoked
Before this change, invoking a non existing API method would return an HTTP/200
response with a JSON payload {"code":3,"message":"no such function"}.

This commit changes the HTTP status code to 404, leaving the payload as-is.

Before:
   curl --verbose "http://localhost:9001/api/1/notExisting?apikey=ABCDEF"
  < HTTP/1.1 200 OK
  < X-Powered-By: Express
  [...]
  {"code":3,"message":"no such function","data":null}

After:
   curl --verbose "http://localhost:9001/api/1/notExisting?apikey=ABCDEF"

   < HTTP/1.1 404 OK
   < X-Powered-By: Express
   [...]
   {"code":3,"message":"no such function","data":null}

Fixes #3546.
2020-03-15 09:26:44 +00:00
Sebastian Castro
0d61d6bb13 ui: on mobile, move the right toolbar to the bottom and make the top toolbar scrollable
Before this change there was always a single toolbar on the top, with both
Colibris and the legacy skin. When the screen size was reduced:

- the legacy skin would compact the icons in the toolbar (this was fine,
  indeed);
- Colibris would hide some formatting icons. This would hamper the functionality
  for mobile users.

After this change both the skins work in the same way, which is the following:
- when the screen gets smaller the right toolbar (the one with "export",
  "timeslider", and other buttons) goes to the bottom of the screen;
- when there are many icons, the toolbar keeps all of them, and to see them the
  user must drag the toolbar.

This behaviour will probably be changed before release, opting instead to show
a "+" button when there is an overflow, since this appears to be more
discoverable (see the discusison in #3697).

Do not tested with custom toolbar elements (toolbar.left and toolbar.right
configuration items in settings.json).

Fixes #3697.
2020-03-12 18:47:12 +01:00
translatewiki.net
6323f59c3a Localisation updates from https://translatewiki.net. 2020-03-16 15:41:54 +01:00
Tom Briles
3292429ab3 trim text entries upon import. Fixes: #3620 2020-03-15 11:35:08 +00:00
Tom Briles
155a895604 Test for Issue-3620: space in the HTML for an unordered list creates an extra list item 2020-03-15 11:35:08 +00:00
John McLear
467fc11b72 fix 2020-03-14 21:58:26 +01:00
translatewiki.net
bb868beb9c Localisation updates from https://translatewiki.net. 2020-02-24 15:39:25 +01:00
translatewiki.net
5773e6cea0 Localisation updates from https://translatewiki.net. 2020-02-20 15:58:56 +01:00
John McLear
74fa47e295
Pretty sure you need elevated command prompt in windows..
To do anything nowadays.
2020-02-14 23:36:13 +00:00
translatewiki.net
7950d336eb Localisation updates from https://translatewiki.net. 2020-02-10 14:50:52 +01:00
translatewiki.net
ffcf22e4ac Localisation updates from https://translatewiki.net. 2020-01-30 15:49:13 +01:00
translatewiki.net
de3a677df5 Localisation updates from https://translatewiki.net. 2020-01-20 11:32:11 +01:00
translatewiki.net
bac58a7391 Localisation updates from https://translatewiki.net. 2020-01-13 16:08:24 +01:00
Sebastian Castro
6d4ea36646 skin colibris: Fix table of content with ep_resizable_bar 2020-01-03 15:35:12 -03:00
muxator
3b24c97d1e db/SecurityManager.js: accessing without session a public group pad no longer causes a crash
Steps to reproduce (via HTTP API):
1. create a group via createGroup()
2. create a group pad inside that group via createGroupPad()
3. make that pad public calling setPublicStatus(true)
4. access the pad via a clean web browser (with no sessions)
5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist

This was due to an overlook in 769933786c: "apierror: sessionID does not
exist" may be a legal condition if we are also visiting a public pad. The
function that could throw that error was sessionManager.getSessionInfo(), and
thus it needed to be inside the try...catch block.

Please note that calling getText() on the pad always return the pad contents,
*even for non-public pads*, because the API bypasses the security checks and
directly talks to the DB layer.

Fixes #3600.
2019-12-26 00:30:43 +01:00
Pierre Prinetti
0b3cf7cc96 docker: Add Run with volume example
Supersedes https://github.com/ether/etherpad-lite/pull/3631

Co-authored-by: RaymondCavallaro <RaymondCavallaro@users.noreply.github.com>
2019-12-25 00:48:30 +01:00
Pierre Prinetti
92f07a544b ci: test basic application response of the docker build
Note by muxator:
This commit introduced a copied & modified version of the testing files
loadSettings.js and pad.js.

It's Christmas night, and we want to shipt this feature, so I merged it anyway,
adding a note in both the original and copied files so that hopefully someone
in the distant future is going to merge them back again.
2019-12-25 00:28:38 +01:00
Pierre Prinetti
69fd393708 ci: test the Dockerfile
Add a `Test Dockerfile` job to Travis that checks the `docker build` exit
code.
More useful tests can be added later.
2019-12-25 00:28:38 +01:00
muxator
5b4bca2c6e ci: move the existing test under a jobs section, so we can add others later
In the next commit Pierre will start adding tests for the docker build, and this
lays out the structure for doing that.
No functional changes.

The relevant TravisCI docs that motivates moving under a jobs section is
https://docs.travis-ci.com/user/build-matrix/

> There are two ways to specify multiple parallel jobs (what we call the build
> matrix) with a single .travis.yml configuration file:
>
> * combine a language-and-environment dependent set of configuration options to
>   automatically create a matrix of all possible combinations. This is called
>   matrix expansion. For example, the following configuration produces a build
>   matrix that expands to 8 individual (2 * 2 * 2) jobs
>   [...]
>
> * specify the exact combination of configurations you want in jobs.include.
>   For example, if not all of those combinations are interesting, you can
>   specify just the combinations you want
2019-12-25 00:28:38 +01:00
muxator
bf0bb58c70 ci: no need to include java
The dependency on java was introduced in 2012 (c021cf52d8) to start
Sauce-Connect from sauce labs.

Probably at the time it was a runtime dependency, but it is no longer the case
today. It is possible that java was already not needed when db003a1460 changed
from downloading Sauce-Connect-latest.zip to sc-latest-linux.tar.gz.

Moreover, I am quite sure tests/frontend/travis/sauce_tunnel.sh no longer works
today, because tests/frontend/travis/sauce_tunnel.sh downloads from an url that
gives HTTP/404 now: sc-latest-linux.tar.gz if no longer a valid file name, we
would need to explicitly download a specific version.
2019-12-25 00:28:38 +01:00
muxator
cffa3e0a5d ci: trivial reformatting in preparation for next commits.
This is just needed to slim up the diffs for the next commits.
Non functional changes.
2019-12-25 00:28:38 +01:00
muxator
fe0cf4bdb0 tests: reorganize some files, because we are going to copy & paste them.
In the following commits Pierre is going to copy & modify some files.
This commit prepares the source files in order to minimize those differences,
so we can re-unify them as soon as possible.

No functional changes.
2019-12-25 00:28:38 +01:00
muxator
5bcc5a3be0 windows: bump the node version included in the prebuilt package: 10.16.3 -> 10.18.0
This is the latest version as of today.
2019-12-18 02:00:08 +01:00
muxator
140d5c4b41 dependencies: upgrade npm 6.13.1 -> 6.13.4
This fixes some security vulnerabilites, among them an arbitrary file overwrite.


The output of `npm audit` goes from this:
  found 17 vulnerabilities (15 low, 2 high) in 13344 scanned packages
    run `npm audit fix` to fix 6 of them.
    1 vulnerability requires semver-major dependency updates.
    10 vulnerabilities require manual review. See the full report for details.

To this:
  found 5 vulnerabilities (3 low, 2 high) in 13370 scanned packages
    1 vulnerability requires semver-major dependency updates.
    4 vulnerabilities require manual review. See the full report for details.


Changelog:
- https://github.com/npm/cli/releases


6.13.4 (2019-12-11)
    BUGFIXES
    320ac9aee npm/bin-links#12 npm/gentle-fs#7 Do not remove global bin/man links inappropriately (@isaacs)

    DEPENDENCIES
    52fd21061 gentle-fs@2.3.0 (@isaacs)
    d06f5c0b0 bin-links@1.1.6 (@isaacs)

6.13.3 (2019-12-09)
    DEPENDENCIES
    19ce061a2 bin-links@1.1.5 Properly normalize, sanitize, and verify bin entries in package.json.
    59c836aae npm-packlist@1.4.7
    fb4ecd7d2 pacote@9.5.11
        5f33040 #476 npm/pacote#22 npm/pacote#14 fix: Do not drop perms in git when not root (isaacs, @darcyclarke)
        6f229f7 sanitize and normalize package bin field (isaacs)
    1743cb339 read-package-json@2.1.1

6.13.2 (2019-12-03)
    BUG FIXES
    4429645b3 #546 fix docs target typo (@richardlau)
    867642942 #142 fix(packageRelativePath): fix 'where' for file deps (@larsgw)
    d480f2c17 #527 Revert "windows: Add preliminary WSL support for npm and npx" (@craigloewen-msft)
    e4b97962e #504 remove unnecessary package.json read when reading shrinkwrap (@Lighting-Jack)
    1c65d26ac #501 fix(fund): open url for string shorthand (@ruyadorno)
    ae7afe565 #263 Don't log error message if git tagging is disabled (@woppa684)
    4c1b16f6a #182 Warn the user that it is uninstalling npm-install (@Hoidberg)
2019-12-18 01:17:35 +01:00
translatewiki.net
b6105d8c75 Localisation updates from https://translatewiki.net. 2019-12-16 15:54:40 +01:00
muxator
70bc71c0c3 skins: make "colibris" the default skin for new installations
Colibris skin was first introduced in 1.7.5 and received some bugfixes in 1.8.0.
It is now time to make it the default for new installs.
2019-12-08 00:32:03 +01:00
muxator
1dfd52bcce release: prepare for 1.8.0 2019-12-07 18:55:07 +01:00
muxator
a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
muxator
b82816c774 express: reformat session configuration in preparation for the next commit
No functional changes.
2019-12-07 04:22:54 +01:00
muxator
a51684b022 security: stop setting the "io" cookie
The "io" cookie is created by socket.io, and its purpose is to offer an handle
to perform load balancing with session stickiness when the library falls back to
long polling or below.

In Etherpad's case, if an operator needs to load balance, he can use the
"express_sid" cookie, and thus "io" is of no use.

Moreover, socket.io API does not offer a way of setting the "secure" flag on it,
and thus is a liability.

Let's simply nuke it.

References:
  https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
  https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
2019-12-07 04:20:12 +01:00
IRobL
5e44a94d2a Adds a badge/ link to the dockerhub path where this image is published 2019-12-05 21:09:37 +01:00
Pierre Prinetti
50142f6580 docker: Set the home directory for the user
Before this change, the docker user had home in a directory it had no
permissions on. The inability of creating a cache directory in `$HOME`
prevented npm to work properly.

Additionally, the `node_modules` in the base working directory had its
owner set to root, preventing further changes.

With this change, the `etherpad` user has a home directory.
Additionally, `npm i` is now run by `etherpad` rather than the root
user; this way, it is possible to dynamically change the `node_modules`
content in day 2 operations.

Note that while switching to the `useradd` builtin, a conflict was
discovered with the GID 65534 that was previously used. This change is
changing the `etherpad` user's UID to 5001 to avoid said conflict. As a
consequence, a `chmod -R 5001:5001` must be run prior to attaching
volumes created from previous Etherpad versions.
2019-12-02 22:14:11 +01:00
muxator
0a86024797 startup scripts: get rid of $* and replace it with properly quoted "$@"
In shell scripts an unquoted $* is rarely useful, for example because it breaks
in presence of file names with spaces.

References:
- https://google.github.io/styleguide/shell.xml
  Use "$@" unless you have a specific reason to use $*.

- https://unix.stackexchange.com/questions/41571/what-is-the-difference-between-and#94200
  Short answer: use "$@" (note the double quotes). The other forms are very
  rarely useful.
2019-12-01 01:52:32 +01:00
muxator
695c2d2e84 pad.html: fix regression introduced with 5879037ddc.
Revision 5879037ddc fixed a security bug, but introduced a regression, where
on page load the js console showed:

   ReferenceError: require is not defined

The reason was that the fix called require('../static/js/pad_utils') to load a
module at a time when require() was still not defined.
This change anticipates the loading of require-kernel, and manually loads
pad_utils.

The fix proposed in #3670 by aaron-costello, which seemed to do the right
thing, anticipating the configuration phase of require-kernel, did not work.
It had to be declined and replaced by this (less elegant) change.
2019-11-30 20:32:39 +01:00
muxator
ba38ed3bba dependencies: upgrade npm 6.12.1 -> 6.13.1
This upgrade solves the high-severity vulnerabilities regarding
https-proxy-agent that were still present in 8e6bca456f.

The output of `npm audit` goes from this:
  found 29 vulnerabilities (3 low, 26 high) in 13338 scanned packages
    run `npm audit fix` to fix 4 of them.
    1 vulnerability requires semver-major dependency updates.
    24 vulnerabilities require manual review. See the full report for details.

To this:
found 5 vulnerabilities (3 low, 2 high) in 13338 scanned packages
  1 vulnerability requires semver-major dependency updates.
  4 vulnerabilities require manual review. See the full report for details.


Changelog:
- https://github.com/npm/cli/releases

6.13.1 (2019-11-18)
    BUG FIXES
    938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno)
    b49c5535b #471 should not publish tap-snapshot folder (@ruyadorno)
    3471d5200 #253 Add preliminary WSL support for npm and npx (@infinnie)
    3ef295f23 #486 print quick audit report for human output (@isaacs)

    TESTING
    dbbf977ac #278 added workflow to trigger and run benchmarks (@mikemimik)
    b4f5e3825 #457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)
    454c7dd60 #456 fix git configs for git 2.23 and above (@isaacs)

    DEPENDENCIES
    661d86cd2 make-fetch-happen@5.0.2 (@claudiahdz)

6.13.0 (2019-11-05)
    NEW FEATURES
    4414b06d9 #273 add fund command (@ruyadorno)

    BUG FIXES
    e4455409f #281 delete ps1 files on package removal (@NoDocCat)
    cd14d4701 #279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)

    DEPENDENCIES
    a37296b20 pacote@9.5.9
    d3cb3abe8 read-cmd-shim@1.0.5

    TESTING
    688cd97be #272 use github actions for CI (@JasonEtco)
    9a2d8af84 #240 Clean up some flakiness and inconsistency (@isaacs)
2019-11-25 02:04:39 +01:00
ahmadine
0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
Joel Purra
2a44c83250 referer: exported html pads no longer leak URL/location through referer header
Exported HTML can, when loaded from disk or an online server, also leak the
location. Applying the `rel="noreferrer"` HTML5 standard mitigate the problem
for compatible browsers.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
2019-11-25 00:05:40 +01:00
Joel Purra
f314460b7c referer: HTML5 browsers no longer leak pad through HTTP referer header
Added `rel="noreferrer"` to automatically generated links in the main pad window
as well as the chat window.

`rel="noreferrer"` is part of the HTML5 standard. While browser support isn't
100%, it's better than nothing. Future alternative solutions with wider browser
support, such as intermediary redirect pages, are unaffected by this change.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
2019-11-25 00:05:40 +01:00
translatewiki.net
14d81ecef8 Localisation updates from https://translatewiki.net. 2019-11-18 18:11:48 +01:00
muxator
30fd53f1fd docker: move docker/settings.json to /settings.json.docker 2019-11-08 23:50:50 +01:00
Pierre Prinetti
dc15f4a43c docker: build from the local working directory
With this change, the Dockerfile builds the Docker image from the code
checked out in the local filesystem, instead of downloading a revision
from git.

Implements #3657
2019-11-08 22:56:30 +01:00