summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #656 from hedgedoc/docs/move-contentYannick Bungers2021-01-0594-56/+83
|\ | | | | Move docs into subdirectory to make structor work
| * Change history linkTilman Vatteroth2021-01-051-1/+1
| | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * Change links in READMETilman Vatteroth2021-01-051-10/+20
| | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * Use svg in readmeTilman Vatteroth2021-01-051-1/+1
| | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * Move docs into subdirectory to make mkdocs work in a subdirectoryTilman Vatteroth2021-01-0594-45/+62
|/ | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Merge pull request #655 from hedgedoc/remove-ie11Yannick Bungers2021-01-041-2/+4
|\ | | | | Remove IE11 support from README
| * Remove IE11 support from READMEDavid Mehren2021-01-041-2/+4
|/ | | | | | Apparently we have stopped supporting IE11. It shows a syntax error for our JS. I have spent half an hour trying to add IE11 to our Babel config, but that did not resolve the issue. It seems bigger changes to our Webpack config might be necessary to support IE11 again, which I don't think is worthwhile. It's probably reasonable to just remove IE from the list of supported browsers. Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #650 from hedgedoc/mkdocsDavid Mehren2021-01-048-1/+111
|\
| * added documentation about how the write, build and deploy thisPhilip Molares2021-01-044-2/+32
| | | | | | | | | | | | documentation. Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * removed kubernetes from navigationPhilip Molares2021-01-041-1/+0
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * added all necessary configs to use structorPhilip Molares2021-01-036-9/+42
| | | | | | | | | | | | see https://github.com/traefik/structor Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * started work on a mkdocs documentation for readthedocs.orgPhilip Molares2021-01-033-0/+48
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
* | Merge pull request #646 from hedgedoc/kubernetesDavid Mehren2021-01-042-3/+2
|\ \ | |/ |/|
| * removed kubernetes from READMEPhilip Molares2021-01-041-1/+0
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * remove old documentationPhilip Molares2021-01-031-4/+0
| | | | | | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * Update docs/setup/kubernetes.mdPhilip Molares2021-01-021-1/+1
| | | | | | | | | | Co-authored-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> Signed-off-by: Philip Molares <philip.molares@udo.edu>
| * changed kubernetes setup docPhilip Molares2021-01-021-2/+6
| | | | | | | | | | | | | | currently we don't provide our own and still linking to hackmd/codimd is not helpful Signed-off-by: Philip Molares <philip.molares@udo.edu>
* | Fix typo in release notesDavid Mehren2020-12-271-1/+1
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Bump version to 1.7.1David Mehren2020-12-273-2/+10
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Update yarn.lockDavid Mehren2020-12-271-217/+40
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request from GHSA-wcr3-xhv7-8gxcDavid Mehren2020-12-274-55/+333
|\ \ | | | | | | Fix arbitrary file upload
| * | Always save uploads to a tmpdir first and cleanup afterwardsDavid Mehren2020-12-273-9/+25
| | | | | | | | | | | | | | | | | | | | | This makes sure no unintended files are permanently saved. Co-authored-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <git@herrmehren.de>
| * | Improve MIME-type checks of uploaded filesDavid Mehren2020-12-273-49/+302
| | | | | | | | | | | | | | | | | | This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension. Signed-off-by: David Mehren <git@herrmehren.de>
| * | Rework error messages for image uploadsSheogorath2020-12-271-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provide the (hopefully) more useful `Image Upload error` prefix for error messages. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
| * | Fix unauthenticated file uploadsSheogorath2020-12-271-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
| * | Fix arbitary file upload for uploadimage API endpointSheogorath2020-12-271-2/+8
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
* | Merge pull request from GHSA-g6w6-7xf9-m95pDavid Mehren2020-12-271-1/+1
|\ \ | | | | | | Don't store mermaid diagrams in innerHTML
| * | Don't store mermaid diagrams in innerHTMLDavid Mehren2020-12-271-1/+1
| | | | | | | | | | | | | | | | | | | | | Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue. Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #640 from aptalca/patch-1David Mehren2020-12-271-4/+12
|\ \ \ | |/ / |/| | update linuxserver docker info
| * | update linuxserver docker infoaptalca2020-12-241-4/+12
|/ / | | | | | | | | | | Update badges and info to point to the newly published HedgeDoc image Signed-off-by: aptalca <aptalca@linuxserver.io>
* | Merge pull request #637 from hedgedoc/improveConfigurationDocsYannick Bungers2020-12-221-1/+1
|\ \ | |/ |/| Update configuration.md
| * Update configuration.mdPhilip Molares2020-12-221-1/+1
|/ | | | | | Added a more in depth example of how to set CMD_DB_URL or dbUrl Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #636 from hedgedoc/Set-badge-to-SVGDavid Mehren2020-12-221-1/+1
|\
| * Set Install-with-yunohost bagde to SVGericgaspar2020-12-211-1/+1
|/ | | | Signed-off-by: ericgaspar <junk.eg@free.fr>
* Merge pull request #634 from hedgedoc/release/1.7.0David Mehren2020-12-213-11/+9
|\
| * Bump version to 1.7.0David Mehren2020-12-212-2/+2
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Add note about `X-Forwarded-Proto` to 1.7.0 release notesDavid Mehren2020-12-211-0/+4
| | | | | | | | | | | | This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies. Signed-off-by: David Mehren <git@herrmehren.de>
| * Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0David Mehren2020-12-211-9/+3
|/ | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Update yarn.lockDavid Mehren2020-12-211-125/+57
| | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #632 from hedgedoc/webpack-css-contenthashDavid Mehren2020-12-211-1/+4
|\ | | | | Generate CSS filenames with contenthash
| * Generate CSS filenames with contenthashDavid Mehren2020-12-211-1/+4
| | | | | | | | | | | | | | | | | | | | | | Previously, .css files always had the same name, which can lead to caching problems. In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading the HedgeDoc logo filling the whole screen. This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded. References: https://github.com/webpack-contrib/mini-css-extract-plugin#filename https://webpack.js.org/configuration/output/#outputfilename Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #633 from hedgedoc/fix-features-pdf-embedDavid Mehren2020-12-211-1/+2
|\ \ | | | | | | Fix broken PDF embed in features page & explain embedding problems
| * | Fix broken PDF embed in features page & explain embedding problemsDavid Mehren2020-12-211-1/+2
|/ / | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #629 from hedgedoc/renovate/less-3.xDavid Mehren2020-12-212-5/+18
|\| | | | | Update dependency less to v3.13.1
| * Update dependency less to v3.13.1Renovate Bot2020-12-182-5/+18
| | | | | | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #627 from hedgedoc/renovate/copy-webpack-plugin-6.xDavid Mehren2020-12-212-5/+5
|\ \ | |/ |/| Update dependency copy-webpack-plugin to v6.4.1
| * Update dependency copy-webpack-plugin to v6.4.1Renovate Bot2020-12-162-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #625 from hedgedoc/apache-docsYannick Bungers2020-12-131-1/+27
|\
| * Fix typo in reverse proxy docsDavid Mehren2020-12-131-1/+1
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Document reverse proxy config for ApacheDavid Mehren2020-12-131-0/+26
|/ | | | | | As we found out in #616, Apache does not set the `X-Forwarded-Proto` header, which is now required because we switched to secure cookies in 383d791a50919bb9890a3f3f797ecc95125ab8bf. Signed-off-by: David Mehren <git@herrmehren.de>