GitLab

New feature to copy a pad without copying entire history.  This is useful to perform a low CPU intensive operation while still copying current pad state.

Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.

If mocha hangs after running the tests, hit Ctrl-C and wtfnode will
print open files, open sockets, running timers, and running intervals.
Adding an `after` function that closes/stops all of those things will
ensure that mocha exits when it finishes running the tests.

Somehow I introduced this bug in commit
2bc26b8e but never noticed.

Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.

The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.

Also simplify the logic.

Before it only logged an error like this:

    SyntaxError: Unexpected string in JSON at position XYZ

Now it also logs the filename, making it easier to figure out where
the bad data is:

    failed to read file /path/to/etherpad-lite/src/locales/en.json: SyntaxError: Unexpected string in JSON at position XYZ

In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.

socket.io expects Error objects, otherwise it won't propagate the
message to the client.

Also do some cleanup.

Tested with both `no-skin` and `colibris`.

package to reduce http requests: nice-select,
pad_automatic_reconnect, skin_variants, scroll, caretPosition

rename unorm in tar.json so it can be included

Before, anyone who could create a socket.io connection to Etherpad
could read, modify, and create pads at will without authenticating
first.

The `checkAccess` middleware in `webaccess.js` normally handles
authentication and authorization, but it does not run for `/socket.io`
requests. This means that the connection handler in `socketio.js` must
handle authentication and authorization. However, before this change:
  * The handler did not require a signed `express_sid` cookie.
  * After loading the express-session state, the handler did not check
    to see if the user had authenticated.

Now the handler requires a signed `express_sid` cookie, and it ensures
that `socket.request.session.user` is non-null if authentication is
required. (`socket.request.session.user` is non-null if and only if
the user has authenticated.)

Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.

  * Move session validity check and session author ID fetch to a
    separate function. This separate function can be used by hooks,
    making it easier for them to properly determine the author ID.
  * Rewrite the remainder of checkAccess. Benefits:
      - The function is more readable and maintainable now.
      - Vulnerability fix: Before, the session IDs in sessionCookie
        were not validated when checking settings.requireSession. Now,
        sessionCookie must identify a valid session for the
        settings.requireSession test to pass.
      - Bug fix: Before, checkAccess would sometimes use the author ID
        associated with the token even if sessionCookie identified a
        valid session. Now it always uses the author ID associated
        with the session if available.

The function doesn't create the session info -- it creates the auth
property of existing session info.

Before, this function referred to the same author ID in different ways
in different places. Use one spelling to make the code easier to read.

`decodeURIComponent(null)` returns the string `'null'`, which we don't
want.

Version 1.8.5