1. 19 Oct, 2020 1 commit
  2. 18 Sep, 2020 2 commits
  3. 17 Sep, 2020 1 commit
  4. 16 Sep, 2020 1 commit
  5. 15 Sep, 2020 18 commits
  6. 13 Sep, 2020 2 commits
    • packaging: remove pad_docbar.js (#4286) · ec6b9839
      webzwo0i authored
      package to reduce http requests: nice-select,
      pad_automatic_reconnect, skin_variants, scroll, caretPosition
      rename unorm in tar.json so it can be included
    • security: Fix authentication bypass vulnerability · d0a16d23
      Richard Hansen authored
      Before, anyone who could create a socket.io connection to Etherpad
      could read, modify, and create pads at will without authenticating.
      The `checkAccess` middleware in `webaccess.js` normally handles
      authentication and authorization, but it does not run for `/socket.io`
      requests. This means that the connection handler in `socketio.js` must
      handle authentication and authorization. However, before this change:
        * The handler did not require a signed `express_sid` cookie.
        * After loading the express-session state, the handler did not check
          to see if the user had authenticated.
      Now the handler requires a signed `express_sid` cookie, and it ensures
      that `socket.request.session.user` is non-null if authentication is
      required. (`socket.request.session.user` is non-null if and only if
      the user has authenticated.)
  7. 12 Sep, 2020 2 commits
    • Update responsiveness.js · 4434e543
      John McLear authored
      Changing allowed delay from 300 to 400 because Safari OSX is consistently slow compared to every other modern browser.
    • SecurityManager: Refactor checkAccess for readability, correctness · 8b0baa96
      Richard Hansen authored
        * Move session validity check and session author ID fetch to a
          separate function. This separate function can be used by hooks,
          making it easier for them to properly determine the author ID.
        * Rewrite the remainder of checkAccess. Benefits:
            - The function is more readable and maintainable now.
            - Vulnerability fix: Before, the session IDs in sessionCookie
              were not validated when checking settings.requireSession. Now,
              sessionCookie must identify a valid session for the
              settings.requireSession test to pass.
            - Bug fix: Before, checkAccess would sometimes use the author ID
              associated with the token even if sessionCookie identified a
              valid session. Now it always uses the author ID associated
              with the session if available.
  8. 11 Sep, 2020 6 commits
  9. 10 Sep, 2020 1 commit
  10. 09 Sep, 2020 3 commits
  11. 08 Sep, 2020 3 commits