| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
|
|
|
|
|
| |
see https://github.com/traefik/structor
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
|
|
|
| |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
|
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Fix arbitrary file upload
|
| |
| |
| |
| |
| |
| |
| | |
This makes sure no unintended files are permanently saved.
Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| |
| |
| | |
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch reworks the error messages for image uploads to make more
sense.
Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.
It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.
This issue was reported by Thomas Lambertz.
To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.
```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```
Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.
Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.
References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Don't store mermaid diagrams in innerHTML
|
| |
| |
| |
| |
| |
| |
| | |
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| |/
|/| |
update linuxserver docker info
|
|/
|
|
|
|
| |
Update badges and info to point to the newly published HedgeDoc image
Signed-off-by: aptalca <aptalca@linuxserver.io>
|
|\
| |
| | |
Update configuration.md
|
|/
|
|
|
|
| |
Added a more in depth example of how to set CMD_DB_URL or dbUrl
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
|\ |
|
|/
|
|
| |
Signed-off-by: ericgaspar <junk.eg@free.fr>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| |
| |
| | |
This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Generate CSS filenames with contenthash
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, .css files always had the same name, which can lead to caching problems.
In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading the HedgeDoc logo filling the whole screen.
This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded.
References:
https://github.com/webpack-contrib/mini-css-extract-plugin#filename
https://webpack.js.org/configuration/output/#outputfilename
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| | |
| | | |
Fix broken PDF embed in features page & explain embedding problems
|
|/ /
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\|
| |
| | |
Update dependency less to v3.13.1
|
| |
| |
| |
| | |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ \
| |/
|/| |
Update dependency copy-webpack-plugin to v6.4.1
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
|
|
| |
As we found out in #616, Apache does not set the `X-Forwarded-Proto` header, which is now required because we switched to secure cookies in 383d791a50919bb9890a3f3f797ecc95125ab8bf.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Update dependency less to v3.13.0
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| | |
Update dependency copy-webpack-plugin to v6.4.0
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| | |
Fix some typos in history.md
|
| | |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| | |
| | | |
Fix crash when OAuth2 config parameters are missing
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.
This commit adds handling of these cases and improves error logging in `checkAuthorization`.
Fixes #608
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|