Commit graph

95 commits

Author SHA1 Message Date
John McLear
306e839bd8 docs: security notification 2021-02-15 12:45:31 -05:00
John McLear
b7e88cb904 security: New setting for Socket.IO maxHttpBufferSize 2021-02-15 12:45:31 -05:00
Richard Hansen
648e7c7342 docs: Mention improved import UX in CHANGELOG.md 2021-02-14 03:58:53 -05:00
Richard Hansen
e674d9789e
express: Change httpUptime to httpStartTime (#4777)
It's better to provide a primitive value and let the consumer of the
metric do math if desired.

Co-authored-by: John McLear <john@mclear.co.uk>
2021-02-14 07:50:10 +00:00
John McLear
13a0b0688f
docs: changelog update (#4776)
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-14 01:16:41 -05:00
Richard Hansen
ac52fb8a9d express: New httpUptime metric 2021-02-13 10:02:28 +00:00
Richard Hansen
50929fe7f7 express: Call expressConfigure, expressCreateServer hooks asynchronously 2021-02-12 07:08:51 +00:00
Richard Hansen
2301c6ec83 pad: Don't throw on socket.io error 2021-02-11 17:25:09 +00:00
John McLear
5d96cf9754
changelog 1.8.8 (#4725)
* changelog 1.8.8

* for squash: refine changelog

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
2021-02-07 22:24:19 +00:00
John McLear
2ea8ea1275 restructure: move bin/ and tests/ to src/
Also add symlinks from the old `bin/` and `tests/` locations to avoid
breaking scripts and other tools.

Motivations:

  * Scripts and tests no longer have to do dubious things like:

        require('ep_etherpad-lite/node_modules/foo')

    to access packages installed as dependencies in
    `src/package.json`.

  * Plugins can access the backend test helper library in a non-hacky
    way:

        require('ep_etherpad-lite/tests/backend/common')

  * We can delete the top-level `package.json` without breaking our
    ability to lint the files in `bin/` and `tests/`.

    Deleting the top-level `package.json` has downsides: It will cause
    `npm` to print warnings whenever plugins are installed, npm will
    no longer be able to enforce a plugin's peer dependency on
    ep_etherpad-lite, and npm will keep deleting the
    `node_modules/ep_etherpad-lite` symlink that points to `../src`.

    But there are significant upsides to deleting the top-level
    `package.json`: It will drastically speed up plugin installation
    because `npm` doesn't have to recursively walk the dependencies in
    `src/package.json`. Also, deleting the top-level `package.json`
    avoids npm's horrible dependency hoisting behavior (where it moves
    stuff from `src/node_modules/` to the top-level `node_modules/`
    directory). Dependency hoisting causes numerous mysterious
    problems such as silent failures in `npm outdated` and `npm
    update`. Dependency hoisting also breaks plugins that do:

        require('ep_etherpad-lite/node_modules/foo')
2021-02-04 17:15:08 -05:00
freddii
ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear
0cc8405e9c Bump minimum required Node.js version to 10.17.0
This makes it possible to use fs.promises.
2021-01-30 17:00:40 -05:00
Richard Hansen
edbe6d5387 Bump ueberDB to get speed improvements 2021-01-11 09:23:08 +00:00
Richard Hansen
a55dd73f2b Typo fix: checkPlugins.js -> checkPlugin.js 2021-01-08 19:02:55 -05:00
John McLear
998c80607e changelog: updated changelog 2020-12-23 16:18:28 -05:00
Richard Hansen
b82bf5c726 Drop support for Internet Explorer 2020-12-19 19:13:31 +00:00
Richard Hansen
1ad9b1efbb Update CHANGELOG.md
Add new entries and refine wording/formatting of existing entries.
2020-11-10 07:22:22 +00:00
John McLear
89667f1d4f
update changelog for release (#4475) 2020-11-08 10:03:22 +00:00
John McLear
66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen
34b232d658
Update CHANGELOG.md with the changes so far (#4393) 2020-10-06 09:16:21 +02:00
Richard Hansen
df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Stefan Mueller
299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
Stefan Mueller
5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
John McLear
2a28ff8526
Changelog (#4181) 2020-07-19 23:48:31 +01:00
John McLear
e22574c40f
Changelog 2020-06-10 15:43:09 +01:00
muxator
4365598658 release: prepare for 1.8.4 2020-05-15 02:09:18 +02:00
muxator
5e6af287a5 release: prepare for 1.8.3 2020-04-27 03:24:23 +02:00
muxator
684f374ece runtime: require node >= 10.13.0 LTS
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.

Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
John McLear
babf67175c undomodule: disallow undoing "clear authorship colors"
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
muxator
a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
ahmadine
0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator
7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00
muxator
4f53b35bcb changelog: reflect the fact that next release will be 1.8-beta.1
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator
55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator
705cc6f5e4 Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00
muxator
a6656102d8 CHANGELOG.md: link to https://translatewiki.net instead of plain http 2019-04-16 00:53:00 +02:00
muxator
4f0a2785da release: prepare for 1.7.5
Written the changelog and updated package.json.
2019-01-26 00:16:03 +01:00
muxator
4408a1e505 release: prepare for 1.7.0
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator
60c1036ecb
changelog: put <ol> in backticks
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
2018-07-20 12:33:45 +02:00
muxator
bfec44e346 Release version 1.6.6 2018-05-05 00:53:59 +02:00
muxator
e13ae0aec5 changelog: better specified CVE description
Previous commit was wrong.
Fixes #3372, really.
2018-05-04 23:24:58 +02:00
muxator
10d555bc91 changelog: better specified CVE description
fixes #3372
2018-05-04 23:15:22 +02:00
muxator
3eb3e301a2 manually updated CHANGELOG.md
due to createRelease.sh not catching an error from sed and continuing:
   sed: -e expression #1, char 66: unterminated `s' command
2018-04-10 00:50:28 +02:00
John McLear
0132f4d1da Include CVE # 2018-04-07 10:13:09 +01:00
John McLear
c34350f307 Beginning to make release 2018-04-07 09:22:13 +01:00
Stefan
1e25e7fc77 Release version 1.6.3 2018-02-03 12:57:22 +01:00
Stefan (Gared)
e84c696225 Updated CHANGELOG.md 2017-11-04 17:38:59 +01:00
Jonah Duckles
fcde66050e Fix markdown H1 2017-05-30 13:34:07 +12:00
Stefan
9f51432175 Update CHANGELOG.md 2016-12-23 22:12:18 +01:00
Stefan
5ed9f2736a Add version 1.6.0 changelogs 2016-04-24 21:32:21 +02:00