| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
archiver@5.2.0, aws-sdk@2.828.0, file-type@16.2.0, prismjs@1.23.0, socket.io-client@2.4.0, bufferutil@4.0.3, utf-8-validate@5.0.4
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |\ |
|
| | |
| |
| |
| | |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| |
| |
| | |
this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648
Specifically left out are
- dependency (user can't really include anything anyway, because CSP forbids most domains)
- autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
- keyboard (this let's users write arbitrary code and seems therefore to problematic)
See:
https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| |\ \ |
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Use `yaml` for Dockerfiles, `shell` for environment variables and `json` for our config file.
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
This allows indented code blocks in lists
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | |/
| |
| |
| |
| | |
(cherry picked from commit 4559d52d521939739b0d3aad0c84e39d2aa5c960)
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |\ \
| |/
|/| |
fixed last line statusbar cover problem
|
| |/
|
|
|
|
|
|
|
|
| |
can't be moved without changing the note.
Thanks to @mhdrone for reporting this and suggesting the fix
fixes #724
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| |
|
|
|
|
|
|
|
|
| |
* Several theme changes
- Add max width of 1440px
- Rename css file
- Fix edit button
- Add local Roboto font
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| |\
| |
| | |
Move docs into subdirectory to make structor work
|
| | |
| |
| |
| | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| | |
| |
| |
| | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| | |
| |
| |
| | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| |/
|
|
| |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| |\
| |
| | |
Remove IE11 support from README
|
| |/
|
|
|
|
| |
Apparently we have stopped supporting IE11. It shows a syntax error for our JS. I have spent half an hour trying to add IE11 to our Babel config, but that did not resolve the issue. It seems bigger changes to our Webpack config might be necessary to support IE11 again, which I don't think is worthwhile. It's probably reasonable to just remove IE from the list of supported browsers.
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |\ |
|
| | |
| |
| |
| |
| |
| | |
documentation.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| | |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| |
| |
| | |
see https://github.com/traefik/structor
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| | |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| |\ \
| |/
|/| |
|
| | |
| |
| |
| | |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| | |
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| |
| | |
Co-authored-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| |
| |
| |
| | |
currently we don't provide our own and still linking to hackmd/codimd is
not helpful
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |\ \
| | |
| | | |
Fix arbitrary file upload
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This makes sure no unintended files are permanently saved.
Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.
Signed-off-by: David Mehren <git@herrmehren.de>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch reworks the error messages for image uploads to make more
sense.
Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.
It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.
This issue was reported by Thomas Lambertz.
To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.
```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```
Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.
Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.
References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
| |\ \
| | |
| | | |
Don't store mermaid diagrams in innerHTML
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |\ \ \
| |/ /
|/| | |
update linuxserver docker info
|
| |/ /
| |
| |
| |
| |
| | |
Update badges and info to point to the newly published HedgeDoc image
Signed-off-by: aptalca <aptalca@linuxserver.io>
|
| |\ \
| |/
|/| |
Update configuration.md
|
