mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 23:46:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

cookies: Use js-cookie to read and write cookies

Browse source 
Rather than reinvent the wheel, use a well-tested library to parse and
write cookies. This should also help prevent XSS vulnerabilities
because the library handles special characters such as semicolon.
This commit is contained in:
Richard Hansen 2020-10-02 18:43:12 -04:00 committed by John McLear
parent d55edebddd
commit 3ab0f30ac8
9 changed files with 54 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/node/utils/Minify.js
View file

@ -44,12 +44,13 @@ var threadsPool = Threads.Pool(function () {
}, 2) }, 2)
var LIBRARY_WHITELIST = [ var LIBRARY_WHITELIST = [
'async' 'async',
, 'security' 'js-cookie',
, 'tinycon' 'security',
, 'underscore' 'tinycon',
, 'unorm' 'underscore',
]; 'unorm',
];
// Rewrite tar to include modules with no extensions and proper rooted paths. // Rewrite tar to include modules with no extensions and proper rooted paths.
var LIBRARY_PREFIX = 'ep_etherpad-lite/static/js'; var LIBRARY_PREFIX = 'ep_etherpad-lite/static/js';

1
src/node/utils/tar.json
View file

@ -17,6 +17,7 @@
, "pad_connectionstatus.js" , "pad_connectionstatus.js"
, "chat.js" , "chat.js"
, "gritter.js" , "gritter.js"
, "$js-cookie/src/js.cookie.js"
, "$tinycon/tinycon.js" , "$tinycon/tinycon.js"
, "excanvas.js" , "excanvas.js"
, "farbtastic.js" , "farbtastic.js"

5
src/package-lock.json generated
View file

@ -2656,6 +2656,11 @@
"istanbul-lib-report": "^3.0.0" "istanbul-lib-report": "^3.0.0"
} }
}, },
"js-cookie": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
"integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ=="
},
"js-tokens": { "js-tokens": {
"version": "4.0.0", "version": "4.0.0",
"resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",

1
src/package.json
View file

@ -46,6 +46,7 @@
"formidable": "1.2.1", "formidable": "1.2.1",
"graceful-fs": "4.2.4", "graceful-fs": "4.2.4",
"http-errors": "1.7.3", "http-errors": "1.7.3",
"js-cookie": "^2.2.1",
"jsonminify": "0.4.1", "jsonminify": "0.4.1",
"languages4translatewiki": "0.1.3", "languages4translatewiki": "0.1.3",
"lodash.clonedeep": "4.5.0", "lodash.clonedeep": "4.5.0",

34
src/static/js/pad.js
View file

@ -30,6 +30,7 @@ require('./jquery');
require('./farbtastic'); require('./farbtastic');
require('./excanvas'); require('./excanvas');
const Cookies = require('./pad_utils').Cookies;
var chat = require('./chat').chat; var chat = require('./chat').chat;
var getCollabClient = require('./collab_client').getCollabClient; var getCollabClient = require('./collab_client').getCollabClient;
var padconnectionstatus = require('./pad_connectionstatus').padconnectionstatus; var padconnectionstatus = require('./pad_connectionstatus').padconnectionstatus;
@ -42,8 +43,6 @@ var padsavedrevs = require('./pad_savedrevs');
var paduserlist = require('./pad_userlist').paduserlist; var paduserlist = require('./pad_userlist').paduserlist;
var padutils = require('./pad_utils').padutils; var padutils = require('./pad_utils').padutils;
var colorutils = require('./colorutils').colorutils; var colorutils = require('./colorutils').colorutils;
var createCookie = require('./pad_utils').createCookie;
var readCookie = require('./pad_utils').readCookie;
var randomString = require('./pad_utils').randomString; var randomString = require('./pad_utils').randomString;
var gritter = require('./gritter').gritter; var gritter = require('./gritter').gritter;
@ -83,7 +82,7 @@ var getParameters = [
{ name: "rtl", checkVal: "true", callback: function(val) { settings.rtlIsTrue = true } }, { name: "rtl", checkVal: "true", callback: function(val) { settings.rtlIsTrue = true } },
{ name: "alwaysShowChat", checkVal: "true", callback: function(val) { if(!settings.hideChat) chat.stickToScreen(); } }, { name: "alwaysShowChat", checkVal: "true", callback: function(val) { if(!settings.hideChat) chat.stickToScreen(); } },
{ name: "chatAndUsers", checkVal: "true", callback: function(val) { chat.chatAndUsers(); } }, { name: "chatAndUsers", checkVal: "true", callback: function(val) { chat.chatAndUsers(); } },
{ name: "lang", checkVal: null, callback: function(val) { window.html10n.localize([val, 'en']); createCookie('language', val); } } { name: "lang", checkVal: null, callback: function(val) { window.html10n.localize([val, 'en']); Cookies.set('language', val); } },
]; ];
function getParams() function getParams()
@ -130,7 +129,7 @@ function getUrlVars()
function savePassword() function savePassword()
{ {
//set the password cookie //set the password cookie
createCookie("password",$("#passwordinput").val(),null,document.location.pathname); Cookies.set('password', $('#passwordinput').val(), {path: document.location.pathname});
//reload //reload
document.location=document.location; document.location=document.location;
return false; return false;
@ -149,25 +148,21 @@ function sendClientReady(isReconnect, messageType)
document.title = padId.replace(/_+/g, ' ') + " | " + title; document.title = padId.replace(/_+/g, ' ') + " | " + title;
} }
var token = readCookie("token"); let token = Cookies.get('token');
if (token == null) if (token == null)
{ {
token = "t." + randomString(); token = "t." + randomString();
createCookie("token", token, 60); Cookies.set('token', token, {expires: 60});
} }
var encodedSessionID = readCookie('sessionID'); const msg = {
var sessionID = encodedSessionID == null ? null : decodeURIComponent(encodedSessionID); component: 'pad',
var password = readCookie("password"); type: messageType,
padId: padId,
var msg = { sessionID: Cookies.get('sessionID'),
"component": "pad", password: Cookies.get('password'),
"type": messageType, token: token,
"padId": padId, protocolVersion: 2
"sessionID": sessionID,
"password": password,
"token": token,
"protocolVersion": 2
}; };
// this is a reconnect, lets tell the server our revisionnumber // this is a reconnect, lets tell the server our revisionnumber
@ -456,7 +451,6 @@ var pad = {
{ {
pad.collabClient.sendClientMessage(msg); pad.collabClient.sendClientMessage(msg);
}, },
createCookie: createCookie,
init: function() init: function()
{ {
@ -957,8 +951,6 @@ var settings = {
pad.settings = settings; pad.settings = settings;
exports.baseURL = ''; exports.baseURL = '';
exports.settings = settings; exports.settings = settings;
exports.createCookie = createCookie;
exports.readCookie = readCookie;
exports.randomString = randomString; exports.randomString = randomString;
exports.getParams = getParams; exports.getParams = getParams;
exports.getUrlVars = getUrlVars; exports.getUrlVars = getUrlVars;

11
src/static/js/pad_cookie.js
View file

@ -14,8 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
const createCookie = require('./pad_utils').createCookie; const Cookies = require('./pad_utils').Cookies;
const readCookie = require('./pad_utils').readCookie;
exports.padcookie = new class { exports.padcookie = new class {
constructor() { constructor() {
@ -40,17 +39,17 @@ exports.padcookie = new class {
} }
readPrefs_() { readPrefs_() {
const jsonEsc = readCookie(this.cookieName_);
if (jsonEsc == null) return null;
try { try {
return JSON.parse(unescape(jsonEsc)); const json = Cookies.get(this.cookieName_);
if (json == null) return null;
return JSON.parse(json);
} catch (e) { } catch (e) {
return null; return null;
} }
} }
savePrefs_() { savePrefs_() {
createCookie(this.cookieName_, escape(JSON.stringify(this.prefs_)), 365 * 100); Cookies.set(this.cookieName_, JSON.stringify(this.prefs_), {expires: 365 * 100});
} }
getPref(prefName) { getPref(prefName) {

3
src/static/js/pad_editor.js
View file

@ -20,6 +20,7 @@
* limitations under the License. * limitations under the License.
*/ */
const Cookies = require('./pad_utils').Cookies;
var padcookie = require('./pad_cookie').padcookie; var padcookie = require('./pad_cookie').padcookie;
var padutils = require('./pad_utils').padutils; var padutils = require('./pad_utils').padutils;
@ -108,7 +109,7 @@ var padeditor = (function()
}) })
$("#languagemenu").val(html10n.getLanguage()); $("#languagemenu").val(html10n.getLanguage());
$("#languagemenu").change(function() { $("#languagemenu").change(function() {
pad.createCookie("language",$("#languagemenu").val(),null,'/'); Cookies.set('language', $('#languagemenu').val());
window.html10n.localize([$("#languagemenu").val(), 'en']); window.html10n.localize([$("#languagemenu").val(), 'en']);
}); });
}, },

52
src/static/js/pad_utils.js
View file

@ -39,49 +39,6 @@ function randomString(len)
return randomstring; return randomstring;
} }
function createCookie(name, value, days, path){ /* Used by IE */
if (days)
{
var date = new Date();
date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
var expires = "; expires=" + date.toGMTString();
}
else{
var expires = "";
}
if(!path){ // IF the Path of the cookie isn't set then just create it on root
path = "/";
}
//Check if we accessed the pad over https
var secure = window.location.protocol == "https:" ? ";secure" : "";
var isHttpsScheme = window.location.protocol === "https:";
var sameSite = isHttpsScheme ? ";sameSite=Strict": ";sameSite=Lax";
//Check if the browser is IE and if so make sure the full path is set in the cookie
if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){
document.cookie = name + "=" + value + expires + "; path=/" + secure + sameSite; /* Note this bodge fix for IE is temporary until auth is rewritten */
}
else{
document.cookie = name + "=" + value + expires + "; path=" + path + secure + sameSite;
}
}
function readCookie(name)
{
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++)
{
var c = ca[i];
while (c.charAt(0) == ' ') c = c.substring(1, c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
}
return null;
}
var padutils = { var padutils = {
escapeHtml: function(x) escapeHtml: function(x)
{ {
@ -571,7 +528,12 @@ padutils.setupGlobalExceptionHandler = setupGlobalExceptionHandler;
padutils.binarySearch = require('./ace2_common').binarySearch; padutils.binarySearch = require('./ace2_common').binarySearch;
// This file is included from Node so that it can reuse randomString, but Node doesn't have a global
// window object.
if (typeof window !== 'undefined') {
exports.Cookies = require('js-cookie/src/js.cookie');
exports.Cookies.defaults.sameSite = window.location.protocol === 'https:' ? 'Strict' : 'Lax';
exports.Cookies.defaults.secure = window.location.protocol === 'https:';
}
exports.randomString = randomString; exports.randomString = randomString;
exports.createCookie = createCookie;
exports.readCookie = readCookie;
exports.padutils = padutils; exports.padutils = padutils;

30
src/static/js/timeslider.js
View file

@ -24,8 +24,7 @@
// assigns to the global `$` and augments it with plugins. // assigns to the global `$` and augments it with plugins.
require('./jquery'); require('./jquery');
var createCookie = require('./pad_utils').createCookie; const Cookies = require('./pad_utils').Cookies;
var readCookie = require('./pad_utils').readCookie;
var randomString = require('./pad_utils').randomString; var randomString = require('./pad_utils').randomString;
var hooks = require('./pluginfw/hooks'); var hooks = require('./pluginfw/hooks');
@ -45,11 +44,11 @@ function init() {
document.title = padId.replace(/_+/g, ' ') + " | " + document.title; document.title = padId.replace(/_+/g, ' ') + " | " + document.title;
//ensure we have a token //ensure we have a token
token = readCookie("token"); token = Cookies.get('token');
if(token == null) if(token == null)
{ {
token = "t." + randomString(); token = "t." + randomString();
createCookie("token", token, 60); Cookies.set('token', token, {expires: 60});
} }
var loc = document.location; var loc = document.location;
@ -107,19 +106,16 @@ function init() {
//sends a message over the socket //sends a message over the socket
function sendSocketMsg(type, data) function sendSocketMsg(type, data)
{ {
var sessionID = decodeURIComponent(readCookie("sessionID")); socket.json.send({
var password = readCookie("password"); component: 'pad', // FIXME: Remove this stupidity!
type,
var msg = { "component" : "pad", // FIXME: Remove this stupidity! data,
"type": type, padId,
"data": data, token,
"padId": padId, sessionID: Cookies.get('sessionID'),
"token": token, password: Cookies.get('password'),
"sessionID": sessionID, protocolVersion: 2,
"password": password, });
"protocolVersion": 2};
socket.json.send(msg);
} }
var fireWhenAllScriptsAreLoaded = []; var fireWhenAllScriptsAreLoaded = [];