- 01 Apr, 2020 1 commit
Chocobozzz authored
This change augments what was already done in 54e0f2de5b20 (PR with discussion at #3636). For documentation about the meaning of "noopener, noreferrer", see: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
-
- 23 Mar, 2020 1 commit
Chocobozzz authored
minify: make conditional requests work.

No HTTP/304 was ever generated and files were reminified uselessly.

By specification [0], the if-modified-since HTTP header sent by browsers does not include milliseconds.

Before this patch, let's say a file was generated at time:

  t_real-file = 2020-03-22T02:15:53.548Z (note the fractional seconds)

When issuing a conditional request, the browser would truncate the fractional part, and only request an if-modified-since with these contents:

  t_if-modified-since = 2020-03-22T02:15:53.000Z

The minify() function would return HTTP/304 only if t_if-modified-since >= t_real-file, but this would never be true unless, by chance, a file was generated at XX.000Z. This resulted in that file being minified/compressed again and resent to the client for no reason.

After this patch, the server correctly responds with HTTP/304 without doing any computation, and the browser uses the cached file.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
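The truncation problem described above, as an added example in JavaScript that is not Etherpad's minify() code: the naive comparison against the file's millisecond mtime beside a corrected one that first rounds the mtime down to whole seconds. The function names, the minimal response decision and the sample timestamp are constructed for this example.

```javascript
// Added example, not Etherpad's minify() code: answering a conditional request
// when the file mtime has millisecond precision and If-Modified-Since does not.

// The comparison the commit message describes: 304 only if the header time is
// >= the real mtime, which can never hold when the mtime has a fractional second.
function notModifiedNaive(ifModifiedSinceHeader, realMtime) {
  const since = Date.parse(ifModifiedSinceHeader);
  if (Number.isNaN(since)) return false; // missing or unparsable header: send the file
  return since >= realMtime.getTime();
}

// Corrected comparison: round the mtime down to whole seconds first, because an
// HTTP-date (the format of If-Modified-Since) cannot carry milliseconds.
function notModified(ifModifiedSinceHeader, realMtime) {
  const since = Date.parse(ifModifiedSinceHeader);
  if (Number.isNaN(since)) return false;
  const mtimeWholeSeconds = Math.floor(realMtime.getTime() / 1000) * 1000;
  return since >= mtimeWholeSeconds;
}

// toUTCString() already drops milliseconds, which is exactly why the browser
// later echoes back a truncated time in If-Modified-Since.
function lastModifiedHeader(realMtime) {
  return realMtime.toUTCString();
}

// Minimal response decision: 304 with no body, or 200 with a Last-Modified header.
function respond(ifModifiedSinceHeader, realMtime) {
  if (notModified(ifModifiedSinceHeader, realMtime)) return {status: 304};
  return {status: 200, headers: {'Last-Modified': lastModifiedHeader(realMtime)}};
}

// Constructed sample: a file generated with fractional seconds, and the header a
// browser would send back after receiving its Last-Modified value.
const SAMPLE_MTIME = new Date('2020-03-22T02:15:53.548Z');
const SAMPLE_IMS = lastModifiedHeader(SAMPLE_MTIME); // "Sun, 22 Mar 2020 02:15:53 GMT"
```

With the sample above, `notModifiedNaive` never returns true (the header is 548 ms "older" than the file), while `notModified` does; an If-Modified-Since one second earlier, or an unparsable one, still yields a full 200 response in both versions.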
-
- 07 Dec, 2019 5 commits
muxator authored
-
muxator authored
-
muxator authored
The mechanism used for determining if the application is being served over SSL is wrapped by the "express-session" library for "express_sid", and manual for the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs functionality, via the "ssl" options in settings.json
2. Etherpad is being served in plaintext by nodejs, but we are using a reverse proxy for terminating the SSL for us; In this case, the user has to be instructed to properly set trustProxy: true in settings.json, and the information whether the application is over SSL or not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over http and https at the same time.

The change on webaccess.js amends 009b61b3, which did not work when the SSL termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
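The two cases above, as an added example in JavaScript that is not Etherpad's webaccess.js: a helper that decides whether the request arrived over SSL (terminated by nodejs itself, or by a reverse proxy whose X-Forwarded-Proto header is trusted), and a manually built cookie that gets the Secure attribute only when it did. The function names, the `settings` shape (only `ssl` and `trustProxy` are read) and the fake request objects are assumptions for this example.

```javascript
// Added example, not Etherpad's webaccess.js: when to set the "secure" flag on a
// manually issued cookie such as "language". `settings` stands in for the
// relevant keys of settings.json; `req` is a minimal Express-like request.

function isServedOverSsl(req, settings) {
  // Case 1: nodejs terminates SSL itself (the "ssl" options in settings.json).
  if (settings.ssl) return true;
  // Case 2: a reverse proxy terminates SSL and the operator told us to trust it.
  // Only then is X-Forwarded-Proto believed; otherwise any client could set it.
  if (settings.trustProxy) {
    const raw = req.headers['x-forwarded-proto'] || '';
    const first = String(raw).split(',')[0].trim().toLowerCase(); // chained proxies may append values
    return first === 'https';
  }
  return false;
}

// Builds the Set-Cookie value for the "language" cookie. The Secure attribute is
// added only when the request is known to be over SSL, so a plaintext deployment
// still gets a working cookie and an SSL deployment never sends it in the clear.
function buildLanguageCookie(value, req, settings) {
  const attrs = [`language=${encodeURIComponent(value)}`, 'Path=/'];
  if (isServedOverSsl(req, settings)) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed sample configurations and requests.
const SETTINGS_DIRECT_SSL = {ssl: {key: 'server.key', cert: 'server.crt'}, trustProxy: false};
const SETTINGS_BEHIND_PROXY = {ssl: false, trustProxy: true};
const SETTINGS_PLAINTEXT = {ssl: false, trustProxy: false};
const REQ_HTTPS_VIA_PROXY = {headers: {'x-forwarded-proto': 'https'}};
const REQ_HTTP_VIA_PROXY = {headers: {'x-forwarded-proto': 'http'}};
const REQ_NO_HEADER = {headers: {}};
```

The case worth checking in a deployment is the last one: with `trustProxy` left at false, a client-supplied X-Forwarded-Proto header is ignored, so the cookie is correctly treated as plaintext rather than being marked Secure on the word of an untrusted header.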
-
muxator authored
No functional changes.
-
muxator authored
The "io" cookie is created by socket.io, and its purpose is to offer a handle to perform load balancing with session stickiness when the library falls back to long polling or below.

In Etherpad's case, if an operator needs to load balance, he can use the "express_sid" cookie, and thus "io" is of no use. Moreover, socket.io API does not offer a way of setting the "secure" flag on it, and thus is a liability.

Let's simply nuke it.

References:
https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
-
- 05 Dec, 2019 1 commit
IRobL authored
-
- 02 Dec, 2019 1 commit
Pierre Prinetti authored
Before this change, the docker user had home in a directory it had no permissions on. The inability of creating a cache directory in `$HOME` prevented npm from working properly. Additionally, the `node_modules` in the base working directory had its owner set to root, preventing further changes.

With this change, the `etherpad` user has a home directory. Additionally, `npm i` is now run by `etherpad` rather than the root user; this way, it is possible to dynamically change the `node_modules` content in day 2 operations.

Note that while switching to the `useradd` builtin, a conflict was discovered with the GID 65534 that was previously used. This change is changing the `etherpad` user's UID to 5001 to avoid said conflict. As a consequence, a `chmod -R 5001:5001` must be run prior to attaching volumes created from previous Etherpad versions.
-
- 01 Dec, 2019 1 commit
muxator authored
In shell scripts an unquoted $* is rarely useful, for example because it breaks in presence of file names with spaces.

References:
- https://google.github.io/styleguide/shell.xml
  Use "$@" unless you have a specific reason to use $*.
- https://unix.stackexchange.com/questions/41571/what-is-the-difference-between-and#94200
  Short answer: use "$@" (note the double quotes). The other forms are very rarely useful.
-
- 30 Nov, 2019 1 commit
muxator authored
Revision 5879037d fixed a security bug, but introduced a regression, where on page load the js console showed:

  ReferenceError: require is not defined

The reason was that the fix called require('../static/js/pad_utils') to load a module at a time when require() was still not defined.

This change anticipates the loading of require-kernel, and manually loads pad_utils.

The fix proposed in #3670 by aaron-costello, which seemed to do the right thing, anticipating the configuration phase of require-kernel, did not work. It had to be declined and replaced by this (less elegant) change.
-
- 25 Nov, 2019 1 commit
muxator authored
This upgrade solves the high-severity vulnerabilities regarding https-proxy-agent that were still present in 8e6bca45.

The output of `npm audit` goes from this:

  found 29 vulnerabilities (3 low, 26 high) in 13338 scanned packages
    run `npm audit fix` to fix 4 of them.
    1 vulnerability requires semver-major dependency updates.
    24 vulnerabilities require manual review.
    See the full report for details.

To this:

  found 5 vulnerabilities (3 low, 2 high) in 13338 scanned packages
    1 vulnerability requires semver-major dependency updates.
    4 vulnerabilities require manual review.
    See the full report for details.

Changelog:
- https://github.com/npm/cli/releases

6.13.1 (2019-11-18)

BUG FIXES
- 938d6124d #472 fix(fund): support funding string shorthand (@ruyadorno)
- b49c5535b #471 should not publish tap-snapshot folder (@ruyadorno)
- 3471d5200 #253 Add preliminary WSL support for npm and npx (@infinnie)
- 3ef295f23 #486 print quick audit report for human output (@isaacs)

TESTING
- dbbf977ac #278 added workflow to trigger and run benchmarks (@mikemimik)
- b4f5e3825 #457 feat(docs): adding tests and updating docs to reflect changes in registry teams API. (@nomadtechie)
- 454c7dd60 #456 fix git configs for git 2.23 and above (@isaacs)

DEPENDENCIES
- 661d86cd2 make-fetch-happen@5.0.2 (@claudiahdz)

6.13.0 (2019-11-05)

NEW FEATURES
- 4414b06d9 #273 add fund command (@ruyadorno)

BUG FIXES
- e4455409f #281 delete ps1 files on package removal (@NoDocCat)
- cd14d4701 #279 update supported node list to remove v6.0, v6.1, v9.0 - v9.2 (@ljharb)

DEPENDENCIES
- a37296b20 pacote@9.5.9
- d3cb3abe8 read-cmd-shim@1.0.5

TESTING
- 688cd97be #272 use github actions for CI (@JasonEtco)
- 9a2d8af84 #240 Clean up some flakiness and inconsistency (@isaacs)
-
- 24 Nov, 2019 3 commits
ahmadine authored
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:

* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044
  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:

* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498
  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:

* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
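The two server-side pieces this commit describes, the rel attributes on outbound links and the Referrer-Policy response header, as an added example in JavaScript that is not Etherpad's code. The helper names, the HTML escaping, the Express-style middleware signature and the fake response object are assumptions for this example.

```javascript
// Added example, not Etherpad's code: (1) rendering outbound links with
// rel="noopener noreferrer" and (2) sending Referrer-Policy: same-origin on
// every response. Helper names and the fake response object are assumptions.

const ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Only http(s) targets become links; anything else is returned as escaped text,
// so a string with some other scheme never turns into a clickable anchor.
function renderExternalLink(url, text) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return escapeHtml(text); }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return escapeHtml(text);
  // noopener: the opened page gets no window.opener handle back to the pad.
  // noreferrer: no Referer header is sent, which is where the pad URL would leak.
  return `<a href="${escapeHtml(parsed.href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Express-style middleware: the header goes on every response, so documents that
// lack the <meta name=referrer> tag are covered by the same policy.
function referrerPolicyMiddleware(req, res, next) {
  res.setHeader('Referrer-Policy', 'same-origin');
  next();
}

// Minimal stand-in for an Express response, used to show the middleware in action.
function makeFakeResponse() {
  const headers = {};
  return {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    getHeader: (name) => headers[name.toLowerCase()],
  };
}

// Runs the middleware against the fake response and reports what it did.
function applyPolicy() {
  const res = makeFakeResponse();
  let nextCalled = false;
  referrerPolicyMiddleware({}, res, () => { nextCalled = true; });
  return {policy: res.getHeader('Referrer-Policy'), nextCalled};
}
```

The header and the rel attributes complement each other: `Referrer-Policy: same-origin` covers navigations the server did not render itself, while `rel="noreferrer"` on the anchor still works in browsers that ignore the header, which is the gap the message's browser-support lists point at.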
-
Joel Purra authored
Exported HTML can, when loaded from disk or an online server, also leak the location. Applying the `rel="noreferrer"` HTML5 standard mitigates the problem for compatible browsers.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
-
Joel Purra authored
Added `rel="noreferrer"` to automatically generated links in the main pad window as well as the chat window. `rel="noreferrer"` is part of the HTML5 standard. While browser support isn't 100%, it's better than nothing. Future alternative solutions with wider browser support, such as intermediary redirect pages, are unaffected by this change. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
-
- 18 Nov, 2019 1 commit
- 08 Nov, 2019 5 commits
muxator authored
-
Pierre Prinetti authored
With this change, the Dockerfile builds the Docker image from the code checked out in the local filesystem, instead of downloading a revision from git. Implements #3657
-
muxator authored
This also means increasing the indentation level.
-
muxator authored
-
muxator authored
This change amends eea99fe5.

https://docs.docker.com/engine/reference/builder/#user

  USER <user>[:<group>] or
  USER <UID>[:<GID>]

  The USER instruction sets the user name (or UID) and optionally the user group (or GID) to use when running the image and for any RUN, CMD and ENTRYPOINT instructions that follow it in the Dockerfile.
-
- 07 Nov, 2019 1 commit
muxator authored
-
- 02 Nov, 2019 5 commits
muxator authored
-
muxator authored
The change that implemented #3648 (7c099fef) was incorrect, and resulted in disabling every user at startup.

The problem was twofold:

1. _.filter() on an object returns an array of the object's enumerable values and strips out the keys, see: https://stackoverflow.com/questions/11697702/how-to-use-underscore-js-filter-with-an-object
   To filter an object, the function that needs to be used is _.pick();
2. The logic condition on userProperties.password was plain wrong (it should have been an AND instead of an OR).

This change corrects 1) and 2), and writes more specific logs when something goes wrong.

Closes #3661.
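Point 1 above, as an added example in JavaScript that is not Etherpad's code: the same users object filtered the two ways, written with plain Object methods that behave like the two underscore calls the message names (an array-returning filter over the values versus a key-preserving pick). The sample users, the login check and the predicate ("usable if it has a password or a hash") are constructed for this example; the predicate is an assumption, not Etherpad's exact rule.

```javascript
// Added example, not Etherpad's code: why filtering a users object with an
// array-style filter silently breaks every later lookup by username.

// Constructed sample users map, keyed by username as in settings.json.
const SAMPLE_USERS = {
  admin: {password: 'changeme1', is_admin: true},
  user:  {hash: '$2a$10$placeholder-hash-for-example', is_admin: false},
  ghost: {is_admin: false},               // neither password nor hash
};

// Assumed predicate for the example: keep users that can actually authenticate.
const isUsable = (props) => Boolean(props.password) || Boolean(props.hash);

// Behaves like _.filter(obj, pred): iterates the object's values and returns an
// array, so the keys (usernames) are gone and every name lookup afterwards misses.
function filterUsersWrong(users) {
  return Object.values(users).filter(isUsable);
}

// Behaves like _.pick(obj, pred): keeps the key/value pairs whose value passes,
// so the result is still an object keyed by username.
function filterUsersRight(users) {
  return Object.fromEntries(Object.entries(users).filter(([, props]) => isUsable(props)));
}

// A login check that depends on the map still being keyed by username. Against
// the array from filterUsersWrong() this is false for everyone, which is the
// "every user disabled at startup" symptom the message describes.
function userCanLogIn(users, username) {
  return Object.prototype.hasOwnProperty.call(users, username);
}

// Returns the usernames that survive filtering, for inspection.
function remainingUsernames(users) {
  return Object.keys(filterUsersRight(users)).sort();
}
```

Running it shows the shape difference directly: `filterUsersWrong` yields an array of two property bags with no usernames, while `filterUsersRight` yields an object with the `admin` and `user` keys and drops `ghost`.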
-
muxator authored
Please note that the logic of this functionality is incorrect: this change is in preparation of the next commit, which fixes it.
- 31 Oct, 2019 1 commit
muxator authored
This change reverts c4918efc, and basically negates what was done for #3396, but aligns better with current practices in the nodejs ecosystem. Pragmatically speaking, this will allow users, if they want, to use npm-force-resolutions (https://github.com/rogeriochaves/npm-force-resolutions) to manually fix security vulnerabilities. We had a problem for that (see #3598), and - given the fragmented nature of the nodejs ecosystem - it is reasonable to expect more issues like that one, so it's better to be prepared. Closes #3659.
-
- 01 Nov, 2019 1 commit
muxator authored
The previous attempt to directly release 1.8.0 had to be held back, and indeed 1.8.0 was never tagged. Since 1.8.0 contains many changes, let's do a prerelease instead.

Closes #3660
-
- 31 Oct, 2019 1 commit
muxator authored
-
- 25 Oct, 2019 1 commit
Pierre Prinetti authored
The "conditional copy trick" was removed in #3644, but I failed to update the corresponding comment.
-
- 24 Oct, 2019 2 commits
Pierre Prinetti authored
Processes in containers should not run as root. This change creates an unprivileged user in the Docker container, and runs the main process using that user.

References:
* https://en.wikipedia.org/wiki/Principle_of_least_privilege
* https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
* https://www.twistlock.com/labs-blog/non-root-containers-kubernetes-cve-2019-11245-care/

Fixes https://github.com/ether/etherpad-lite/issues/3629
-
- 22 Oct, 2019 2 commits
muxator authored
A Docker base image without version is a bit of a moving target. Buster-slim, for example, is currently based on nodejs 12.

For now, let's base our official Docker image on nodejs 10 (an LTS, not at End of Life, which we explicitly mention in the documentation).

Amends a9a3bf9b and the corresponding PR #3646.
-
muxator authored
Without this, on nodejs 10 and 12 (and maybe 8, not tested), Etherpad failed to start, throwing the following error:

  [2019-10-22 19:01:01.439] [ERROR] console - exception thrown: Maximum call stack size exceeded
  [2019-10-22 19:01:01.439] [INFO] console - RangeError: Maximum call stack size exceeded
      at Function.[Symbol.hasInstance] (<anonymous>)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:194:14)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)
      at ReadStream (/opt/etherpad-lite/src/node_modules/graceful-fs/graceful-fs.js:195:28)

Fixes #3654.
-
- 21 Oct, 2019 1 commit
- 20 Oct, 2019 1 commit
muxator authored
-
- 19 Oct, 2019 3 commits
muxator authored
-
muxator authored
This upgrade should be backward compatible, but still suffers from major vulnerabilities in its https-proxy-agent transitive dependency (see https://www.npmjs.com/advisories/1184).

Changelog:
- https://github.com/npm/cli/releases

6.12.0 (2019-10-08):
Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.

BUG FIXES
- 890b245dc #252 ci: add dirPacker to options (@claudiahdz)
- f3299acd0 #257 npm.community#4792 warn message on engine mismatch (@ruyadorno)
- bbc92fb8f #259 npm.community#10288 Fix figgyPudding error in npm token (@benblank)
- 70f54dcb5 #241 doctor: Make OK more consistent (@gemal)

FEATURES
- ed993a29c #249 Add CI environment variables to user-agent (@isaacs)
- f6b0459a4 #248 Add option to save package-lock without formatting. Adds a new config --format-package-lock, which defaults to true. (@bl00mber)

DEPENDENCIES
- 0ca063c5d npm-lifecycle@3.1.4: fix: filter functions and undefined out of makeEnv (@isaacs)
- 5df6b0ea2 libcipm@4.0.4:
  - fix: pack git directories properly (@claudiahdz)
  - respect no-optional argument (@cruzdanilo)
- 7e04f728c tar@4.4.12
- 5c380e5a3 stringify-package@1.0.1 (@isaacs)
- 62f2ca692 node-gyp@5.0.5 (@isaacs)
- 0ff0ea47a npm-install-checks@3.0.2 (@isaacs)
- f46edae94 hosted-git-info@2.8.5 (@isaacs)

TESTING
- 44a2b036b #262 fix root-ownership race conditions in meta-test (@isaacs)

6.11.3 (2019-09-03):
Fix npm ci regressions and npm outdated depth.

BUG FIXES
- 235ed1d28 #239 Don't override user specified depth in outdated. Restores ability to update packages using --depth as suggested by npm audit. (@G-Rath)
- 1fafb5151 #242 npm.community#9586 Revert "install: do not descend into directory deps' child modules" (@isaacs)
- cebf542e6 #243 npm.community#9720 ci: pass appropriate configs for file/dir modes (@isaacs)

DEPENDENCIES
- e5fbb7ed1 read-cmd-shim@1.0.4 (@claudiahdz)
- 23ce65616 npm-pick-manifest@3.0.2 (@claudiahdz)

6.11.2 (2019-08-22):
Fix a recent Windows regression, and two long-standing Windows bugs. Also, get CI running on Windows, so these things are less likely in the future.

DEPENDENCIES
- 9778a1b87 cmd-shim@3.0.3: Fix regression where shims fail to preserve exit code (@isaacs)
- bf93e91d8 npm-package-arg@6.1.1: Properly handle git+file: urls on Windows when a drive letter is included. (@isaacs)

BUGFIXES
- 6cc4cc66f escape args properly on Windows Bash. Despite being bash, Node.js running on windows git mingw bash still executes child processes using cmd.exe. As a result, arguments in this environment need to be escaped in the style of cmd.exe, not bash. (@isaacs)

TESTS
- 291aba7b8 make tests pass on Windows (@isaacs)
- fea3a023a travis: run tests on Windows as well (@isaacs)

6.11.1 (2019-08-20):
Fix a regression for windows command shim syntax.
- 37db29647 cmd-shim@3.0.2 (@isaacs)

v6.11.0 (2019-08-20):
A few meaty bugfixes, and introducing peerDependenciesMeta.

FEATURES
- a12341088 #224 Implements peerDependenciesMeta (@arcanis)
- 2f3b79bba #234 add new forbidden 403 error code (@claudiahdz)

BUGFIXES
- 24acc9fc8 and 45772af0d #217 npm.community#8863 npm.community#9327 do not descend into directory deps' child modules, fix shrinkwrap files that inappropriately list child nodes of symlink packages (@isaacs and @salomvary)
- 50cfe113d #229 fixed typo in semver doc (@gall0ws)
- e8fb2a1bd #231 Fix spelling mistakes in CHANGELOG-3.md (@XhmikosR)
- 769d2e057 npm/uid-number#7 Better error on invalid --user/--group configs. This addresses the issue when people fail to install binary packages on Docker and other environments where there is no 'nobody' user. (@isaacs)
- 8b43c9624 nodejs/node#28987 npm.community#6032 npm.community#6658 npm.community#6069 npm.community#9323 Fix the regression where random config values in a .npmrc file are not passed to lifecycle scripts, breaking build processes which rely on them. (@isaacs)
- 8b85eaa47 save files with inferred ownership rather than relying on SUDO_UID and SUDO_GID. (@isaacs)
- b7f6e5f02 Infer ownership of shrinkwrap files (@isaacs)
- 54b095d77 #235 Add spec to dist-tag remove function (@theberbie)

DEPENDENCIES
- dc8f9e52f pacote@9.5.7: Infer the ownership of all unpacked files in node_modules, so that we never have user-owned files in root-owned folders, or root-owned files in user-owned folders. (@isaacs)
- bb33940c3 cmd-shim@3.0.0:
  - 9c93ac3 #2 npm#3380 Handle environment variables properly (@basbossink)
  - 2d277f8 #25 #36 #35 Fix 'no shebang' case by always providing $basedir in shell script (@igorklopov)
  - adaf20b #26 Fix $* causing an error when arguments contain parentheses (@satazor)
  - 49f0c13 #30 Fix paths for MSYS/MINGW bash (@dscho)
  - 51a8af3 #34 Add proper support for PowerShell (@ExE-Boss)
  - 4c37e04 #10 Work around quoted batch file names (@isaacs)
- a4e279544 npm-lifecycle@3.1.3 (@isaacs): fail properly if uid-number raises an error
- 7086a1809 libcipm@4.0.3 (@isaacs)
- 8845141f9 read-package-json@2.1.0 (@isaacs)
- 51c028215 bin-links@1.1.3 (@isaacs)
- 534a5548c read-cmd-shim@1.0.3 (@isaacs)
- 3038f2fd5 gentle-fs@2.2.1 (@isaacs)
- a609a1648 graceful-fs@4.2.2 (@isaacs)
- f0346f754 cacache@12.0.3 (@isaacs)
- ca9c615c8 npm-pick-manifest@3.0.0 (@isaacs)
- b417affbf pacote@9.5.8 (@isaacs)

TESTS
- b6df0913c #228 Proper handing of /usr/bin/node lifecycle-path test (@olivr70)
- aaf98e88c npm-registry-mock@1.3.0 (@isaacs)
-
muxator authored
This upgrade should be backward compatible.

Changelog:
- https://github.com/expressjs/session/blob/master/HISTORY.md

1.17.0 / 2019-10-10
- deps: cookie@0.4.0
  - Add SameSite=None support
- deps: safe-buffer@5.2.0

1.16.2 / 2019-06-12
- Fix restoring cookie.originalMaxAge when store returns Date
- deps: parseurl@~1.3.3
-