etherpad-lite

mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-26 02:16:16 -04:00

Author	SHA1	Message	Date
Ray Bellis	fc661ee13a	core: allow URL parameters and POST bodies to co-exist. Node 8.14.0 prohibits HTTP headers that exceed 8 KB (source: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121). This patch allows for the parameters within the body of an HTTP POST request to be used in addition to those within the URL (and will override them). Closes #3568. --- Muxator 2019-10-19: - this commit was cherry-picked from `882b93487f` - it was modified to include the necessary changes in the documentation	2019-06-27 00:52:53 +02:00
muxator	7c099fef5e	settings: do not create a user if he has no password field, or if his password is null. This will be used by the settings.json in the default Dockerfile to eschew creating an admin user when no password is set. Closes #3648.	2019-10-19 00:54:56 +02:00
aaron-costello	5879037ddc	security: support for clean & safe error handling on IE 11 Added pad_utils sanitization for clean and safe error handling on browsers that do not encode the path of the URL. Edited by muxator based on https://github.com/ether/etherpad-lite/pull/3647, to be able to apply the patch on develop (the PR was for master), and perform minor cleanups (mainly spurious statements). Closes #3647.	2019-10-18 21:00:11 +01:00
translatewiki.net	c65c5f17aa	Localisation updates from https://translatewiki.net .	2019-10-14 17:20:29 +02:00
muxator	5eb60cef01	jQuery: update vendored version (1.9.1 -> 1.12.4) The vendored jquery version was 1.9.1 from 2013-02-04. Let's replace it with the most recent one from the 1.x branch (1.12.4 from 2016-05-20). The modification in rjquery.js is needed because recent jQuery versions changed their behaviour, and do not set themselves on the global window object. See: https://github.com/parcel-bundler/parcel/issues/333#issuecomment-357882648 This will be the lastest jQuery 1.x version ever, because 1.x branch is definitively EOLed (see https://github.com/jquery/jquery.com/issues/162). This is a stopgap measure to get the latest security fixes. Going forward, another strategy will be needed. Closes #3640	2019-09-16 22:55:53 +02:00
translatewiki.net	b3d8f857b7	Localisation updates from https://translatewiki.net .	2019-09-16 18:48:33 +02:00
translatewiki.net	506f4775cc	Localisation updates from https://translatewiki.net .	2019-09-12 15:55:45 +02:00
translatewiki.net	a98cfe33de	Localisation updates from https://translatewiki.net .	2019-09-06 06:47:40 +02:00
Moritz Jordan	0a8e32563b	Fix Unicode bug in HTML export	2019-08-12 00:41:17 +02:00
muxator	161a38efd2	dependencies: update wd, 1.11.1 -> 1.11.3 This is a dev dependency, so no real risks, but it's better not to scare users. Previously reported vulnerabilities fixed by this change: $ npm audit === npm audit security report === # Run npm install --save-dev wd@1.11.3 to resolve 1 vulnerability ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ wd [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ wd > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/1065 │ └───────────────┴──────────────────────────────────────────────────────────────┘ # Run npm update lodash --depth 3 to resolve 1 vulnerability ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ wd [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ wd > async > lodash │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/1065 │ └───────────────┴──────────────────────────────────────────────────────────────┘	2019-08-08 22:29:58 +02:00
muxator	d555b052cb	dependencies: update npm, 6.4.1 -> 6.10.3 This was an arbitrary file overwrite vulnerability in tar. A fix in the library was available, but npm and npm-lifecycle took a while to issue updated versions. Resolves #3598. Previously reported vulnerabilities fixed by this change: $ npm audit === npm audit security report === # Run npm install npm@6.10.3 to resolve 9 vulnerabilities ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ tar │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/803 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ tar │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > npm-lifecycle > node-gyp > tar │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/803 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ tar │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > node-gyp > tar │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/803 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > libcipm > npm-lifecycle > node-gyp > fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/886 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > npm-lifecycle > node-gyp > fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/886 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > node-gyp > fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/886 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > libcipm > npm-lifecycle > node-gyp > tar > fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/886 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > npm-lifecycle > node-gyp > tar > fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/886 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Arbitrary File Overwrite │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ npm │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ npm > node-gyp > tar > fstream │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/886 │ └───────────────┴──────────────────────────────────────────────────────────────┘	2019-08-08 22:17:53 +02:00
Richlv	2c9383b69e	minor typo fix	2019-08-08 21:58:30 +02:00
translatewiki.net	df03257d9c	Localisation updates from https://translatewiki.net .	2019-08-08 20:05:35 +02:00
translatewiki.net	ea0554d70f	Localisation updates from https://translatewiki.net .	2019-08-05 12:02:28 +02:00
translatewiki.net	4e601dd03b	Localisation updates from https://translatewiki.net .	2019-08-01 18:19:57 +02:00
translatewiki.net	1845e91909	Localisation updates from https://translatewiki.net .	2019-07-29 14:23:20 +02:00
translatewiki.net	832e63c691	Localisation updates from https://translatewiki.net .	2019-07-15 20:01:25 +02:00
translatewiki.net	09d89cd74a	Localisation updates from https://translatewiki.net .	2019-07-11 17:21:48 +02:00
translatewiki.net	3d0778d9c9	Localisation updates from https://translatewiki.net .	2019-07-08 20:05:10 +02:00
translatewiki.net	9a5f42450c	Localisation updates from https://translatewiki.net .	2019-07-05 07:05:14 +02:00
translatewiki.net	04a45fbe46	Localisation updates from https://translatewiki.net .	2019-06-13 20:05:10 +02:00
translatewiki.net	2a78dcfc38	Localisation updates from https://translatewiki.net .	2019-05-27 16:37:10 +02:00
translatewiki.net	033c6a8b7a	Localisation updates from https://translatewiki.net .	2019-05-17 12:15:48 +02:00
cupcakearmy	d88726b58d	colibris: the "ok" button was misaligned in Chrome When visiting Etherpad's home page with Chrome the "ok" button was not on the same line as the pad name text box. On Firefox & Safari there was no problem. Tested on Chrome 74. Fixes #3604.	2019-05-10 09:50:25 +02:00
translatewiki.net	f2b888e3ff	Localisation updates from https://translatewiki.net .	2019-05-06 16:39:54 +02:00
muxator	fc7d639f84	dependencies: update express-session, 1.15.6 -> 1.16.1 This is a non breaking change. From the changelog (https://github.com/expressjs/session/blob/v1.16.1/HISTORY.md#1161--2019-04-11): # 1.16.1 / 2019-04-11 - Fix error passing data option to Cookie constructor - Fix uncaught error from bad session data # 1.16.0 / 2019-04-10 - Catch invalid cookie.maxAge value earlier - Deprecate setting cookie.maxAge to a Date object - Fix issue where resave: false may not save altered sessions - Remove utils-merge dependency - Use safe-buffer for improved Buffer API - Use Set-Cookie as cookie header name for compatibility - deps: depd@~2.0.0 - Replace internal eval usage with Function constructor - Use instance methods on process to check for listeners - perf: remove argument reassignment - deps: on-headers@~1.0.2 - Fix res.writeHead patch missing return value	2019-05-04 17:15:36 +02:00
muxator	1435e203a8	dependencies: update graceful-fs, 4.1.11 -> 4.11.15 Minor change, but could not easily find a changelog on https://github.com/isaacs/node-graceful-fs	2019-05-04 16:56:03 +02:00
muxator	47ad347fac	dependencies: update cookie-parser, 1.4.3 -> 1.4.4 This is a non breaking change. From the changelog (https://github.com/expressjs/cookie-parser/blob/1.4.4/HISTORY.md#144--2019-02-12): # 1.4.4 / 2019-02-12 - perf: normalize secret argument only once	2019-05-04 16:49:33 +02:00
muxator	90b288b576	dependencies: update nyc, 12.0.1 -> 14.1.0 This is just a dev dependency, so no real risks, but it's better not to scare users. Reported vulnerability before this change: $ npm audit === npm audit security report === # Run npm install --save-dev nyc@14.1.0 to resolve 1 vulnerability SEMVER WARNING: Recommended action is a potentially breaking change ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ handlebars │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ nyc [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ nyc > istanbul-reports > handlebars │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/755 │ └───────────────┴──────────────────────────────────────────────────────────────┘	2019-05-03 23:27:35 +02:00
translatewiki.net	a7220558d2	Localisation updates from https://translatewiki.net .	2019-05-02 18:00:18 +02:00
translatewiki.net	c9664804f1	Localisation updates from https://translatewiki.net .	2019-04-29 17:28:56 +02:00
translatewiki.net	ba9b9c9931	Localisation updates from https://translatewiki.net .	2019-04-18 16:59:41 +02:00
Tristram Gräbener	357780d573	Display the version in the web interface In the settings drop-down this adds an “About” section that also shows the commit if "exposeVersion" is set to true. Fixes #2968	2019-04-15 23:17:34 +00:00
Tristram Gräbener	28a6f505c5	Parameters: the version is exposed in http header only when configured Currently the version is exposed in a 'Server' http headers. This commit allows to parameterize it in the settings. By defaults it is not exposed. Fixes #3423	2019-04-15 23:17:34 +00:00
Tristram Gräbener	8453f07205	Chat bubble: by default hide in CSS The current behaviour is to show the chat bubble and hide if chat is disabled. Because of this, the bubble appears wrongfully for a short time. With this PR, by default it is hidden and displayed only if chat is enabled. Fixes: #3088	2019-04-15 23:14:47 +00:00
muxator	705cc6f5e4	Change everywhere the link to https://etherpad.org (it was plain http)	2019-04-16 00:54:54 +02:00
muxator	75a0f339e1	Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them.	2019-04-16 00:17:56 +02:00
muxator	dc7e49f89d	Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries.	2019-04-16 00:34:29 +02:00
translatewiki.net	1cb9c3e1ce	Localisation updates from https://translatewiki.net .	2019-04-15 17:36:10 +02:00
translatewiki.net	e3cc21e477	Localisation updates from https://translatewiki.net .	2019-04-08 16:43:29 +02:00
translatewiki.net	ae3ecf54d5	Localisation updates from https://translatewiki.net .	2019-04-04 19:59:52 +02:00
translatewiki.net	dc338c4e48	Localisation updates from https://translatewiki.net .	2019-04-01 20:26:39 +02:00
muxator	cbd393d56b	handler/PadMessageHandler.js: handleMessage() got the wrong padId for read only pads This was almost guaranteed to be broken. Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00
muxator	c2d8ca212b	utils/Minify.js: always call statFile() with an explicit value for "dirStatLimit" In this way the only external call to statFile() provides an explicit value for "dirStatLimit", and thus the initial check on "undefined" at the start of the function could be removed (just added a comment for now).	2019-03-27 18:29:12 +01:00
muxator	cdd4978973	utils/Minify.js: removed unused parameter "next" in minify() Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00
muxator	5d067406b1	utils/Minify.js: removed unused parameter "redirectCount" in requestURI() Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00
muxator	b2d00ae071	db/API.js: customeError -> customError Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00
muxator	aa5e302d99	db/API.js: missing "let" Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00
muxator	b9e537ca4f	db/Pad.js: removed unreachable return statement Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00
muxator	4040813447	db/Pad.js: prototype.copy(), removed redundant callback argument This would cause a crash when calling pad.remove(). Found by the Typescript compiler when doing an experimental conversion.	2019-03-27 18:29:12 +01:00

1 2 3 4 5 ...

3002 commits