summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* started work on a mkdocs documentation for readthedocs.orgPhilip Molares2021-01-033-0/+48
| | | | Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Fix typo in release notesDavid Mehren2020-12-271-1/+1
| | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Bump version to 1.7.1David Mehren2020-12-273-2/+10
| | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Update yarn.lockDavid Mehren2020-12-271-217/+40
| | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request from GHSA-wcr3-xhv7-8gxcDavid Mehren2020-12-274-55/+333
|\ | | | | Fix arbitrary file upload
| * Always save uploads to a tmpdir first and cleanup afterwardsDavid Mehren2020-12-273-9/+25
| | | | | | | | | | | | | | This makes sure no unintended files are permanently saved. Co-authored-by: Yannick Bungers <git@innay.de> Signed-off-by: David Mehren <git@herrmehren.de>
| * Improve MIME-type checks of uploaded filesDavid Mehren2020-12-273-49/+302
| | | | | | | | | | | | This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension. Signed-off-by: David Mehren <git@herrmehren.de>
| * Rework error messages for image uploadsSheogorath2020-12-271-4/+4
| | | | | | | | | | | | | | | | | | | | | | This patch reworks the error messages for image uploads to make more sense. Instead of using the current `formidable error` for everything, all custom error detection now provide the (hopefully) more useful `Image Upload error` prefix for error messages. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
| * Fix unauthenticated file uploadsSheogorath2020-12-271-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
| * Fix arbitary file upload for uploadimage API endpointSheogorath2020-12-271-2/+8
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
* Merge pull request from GHSA-g6w6-7xf9-m95pDavid Mehren2020-12-271-1/+1
|\ | | | | Don't store mermaid diagrams in innerHTML
| * Don't store mermaid diagrams in innerHTMLDavid Mehren2020-12-271-1/+1
| | | | | | | | | | | | | | Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue. Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #640 from aptalca/patch-1David Mehren2020-12-271-4/+12
|\ \ | |/ |/| update linuxserver docker info
| * update linuxserver docker infoaptalca2020-12-241-4/+12
|/ | | | | | Update badges and info to point to the newly published HedgeDoc image Signed-off-by: aptalca <aptalca@linuxserver.io>
* Merge pull request #637 from hedgedoc/improveConfigurationDocsYannick Bungers2020-12-221-1/+1
|\ | | | | Update configuration.md
| * Update configuration.mdPhilip Molares2020-12-221-1/+1
|/ | | | | | Added a more in depth example of how to set CMD_DB_URL or dbUrl Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #636 from hedgedoc/Set-badge-to-SVGDavid Mehren2020-12-221-1/+1
|\
| * Set Install-with-yunohost bagde to SVGericgaspar2020-12-211-1/+1
|/ | | | Signed-off-by: ericgaspar <junk.eg@free.fr>
* Merge pull request #634 from hedgedoc/release/1.7.0David Mehren2020-12-213-11/+9
|\
| * Bump version to 1.7.0David Mehren2020-12-212-2/+2
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Add note about `X-Forwarded-Proto` to 1.7.0 release notesDavid Mehren2020-12-211-0/+4
| | | | | | | | | | | | This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies. Signed-off-by: David Mehren <git@herrmehren.de>
| * Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0David Mehren2020-12-211-9/+3
|/ | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Update yarn.lockDavid Mehren2020-12-211-125/+57
| | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #632 from hedgedoc/webpack-css-contenthashDavid Mehren2020-12-211-1/+4
|\ | | | | Generate CSS filenames with contenthash
| * Generate CSS filenames with contenthashDavid Mehren2020-12-211-1/+4
| | | | | | | | | | | | | | | | | | | | | | Previously, .css files always had the same name, which can lead to caching problems. In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading the HedgeDoc logo filling the whole screen. This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded. References: https://github.com/webpack-contrib/mini-css-extract-plugin#filename https://webpack.js.org/configuration/output/#outputfilename Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #633 from hedgedoc/fix-features-pdf-embedDavid Mehren2020-12-211-1/+2
|\ \ | | | | | | Fix broken PDF embed in features page & explain embedding problems
| * | Fix broken PDF embed in features page & explain embedding problemsDavid Mehren2020-12-211-1/+2
|/ / | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #629 from hedgedoc/renovate/less-3.xDavid Mehren2020-12-212-5/+18
|\| | | | | Update dependency less to v3.13.1
| * Update dependency less to v3.13.1Renovate Bot2020-12-182-5/+18
| | | | | | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #627 from hedgedoc/renovate/copy-webpack-plugin-6.xDavid Mehren2020-12-212-5/+5
|\ \ | |/ |/| Update dependency copy-webpack-plugin to v6.4.1
| * Update dependency copy-webpack-plugin to v6.4.1Renovate Bot2020-12-162-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #625 from hedgedoc/apache-docsYannick Bungers2020-12-131-1/+27
|\
| * Fix typo in reverse proxy docsDavid Mehren2020-12-131-1/+1
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Document reverse proxy config for ApacheDavid Mehren2020-12-131-0/+26
|/ | | | | | As we found out in #616, Apache does not set the `X-Forwarded-Proto` header, which is now required because we switched to secure cookies in 383d791a50919bb9890a3f3f797ecc95125ab8bf. Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #622 from hedgedoc/renovate/less-3.xDavid Mehren2020-12-132-5/+5
|\ | | | | Update dependency less to v3.13.0
| * Update dependency less to v3.13.0Renovate Bot2020-12-122-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #619 from hedgedoc/renovate/copy-webpack-plugin-6.xDavid Mehren2020-12-112-5/+5
|\ | | | | Update dependency copy-webpack-plugin to v6.4.0
| * Update dependency copy-webpack-plugin to v6.4.0Renovate Bot2020-12-072-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #613 from nidico/patch-1David Mehren2020-12-031-3/+3
|\ | | | | Fix some typos in history.md
| * Fix some typos in history.mdNicolas Dietrich2020-12-011-3/+3
| |
* | Release 1.7.0-rc2David Mehren2020-12-023-2/+10
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Update yarn.lockDavid Mehren2020-12-021-3/+3
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #609 from hedgedoc/fix/oauth2-authDavid Mehren2020-12-021-12/+19
|\ \ | | | | | | Fix crash when OAuth2 config parameters are missing
| * | Fix crash when OAuth2 config parameters are missingDavid Mehren2020-11-301-12/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash. This commit adds handling of these cases and improves error logging in `checkAuthorization`. Fixes #608 Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #610 from hedgedoc/fix/migration-error-messageDavid Mehren2020-12-0210-9/+33
|\ \ \
| * | | Add missing catchTilman Vatteroth2020-12-021-1/+2
| | | | | | | | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * | | Catch more errorsTilman Vatteroth2020-12-029-10/+31
| | | | | | | | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * | | [Migrations] Replace similar codeTilman Vatteroth2020-11-301-2/+1
| | | | | | | | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * | | [Migrations] Add variant of error message to catch blockTilman Vatteroth2020-11-301-1/+4
| |/ / | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* | | Merge pull request #614 from hedgedoc/update-pr-template-labelsDavid Mehren2020-12-024-4/+4
|\ \ \ | | | | | | | | Update issue templates to use the new labels