| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
There was recently a possible security problem with base64url. Shouldn't
really hit us but it doesn't hurt.
Details: https://snyk.io/vuln/npm:base64url:20180511
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Revert "Workaround Google API problems"
|
|/ |
|
|\
| |
| | |
Workaround Google API problems
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This temporarily removes the Upload from the UI as it's broken right
now.
Needs a refactoring and can be added in again later on by undoing this
commit.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Fix typo of "grouptAttribute" in saml auth module
|
|/ /
| |
| | |
Signed-off-by: Max Wu <jackymaxj@gmail.com>
|
|\ \
| | |
| | | |
Move letter-avatars into own request
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.
This implementation probably needs some beautification. But already fixes
the bug.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| | |
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Fix possible file limit errors
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As we currently may need higher nofile limits than usual/default on
various systems this commit should probide a fix for that an allow to
build HackMD without highering these limits and increase security.
Inspiration was found in a copy-webpack-plugin-issue[1] and found by
@thegcat[2]. Thanks for that!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
[1]:
https://github.com/webpack-contrib/copy-webpack-plugin/issues/59#issuecomment-228563990
[2]: https://github.com/thegcat
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit extends the find command to also match the example config
file.
This should validate the syntax or this file to prevent syntax errors
for future pull request.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit fixes some json fromat issues in our config example that
causes errors on setup.
This change should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Add check for noteId length
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.
This should make the ugly warning way less common.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \ \
| |_|/
|/| | |
Fix typos for `allowAnonymousEdits`
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
Looks like we lost some variables during the refactoring of the configs
to camel case.
This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|/
|
|
|
|
|
| |
Add hint about file descriptor limits and add the new translation
platform.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|
|
|
| |
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
Fix some spelling and style issues as well as adding the
latest changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| |
| |
| |
| | |
As it was requested to be more visable, this commit adds a migration
section about the introduced config style changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
| |
| |
| |
| |
| | |
Providing release notes for version 1.1.0-ce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| | |
Adding some documentation for night mode and upload times. Extend the
contact section for community support.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Add matrix.org / Riot link
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As an active part of the community prefers Matrix.org over Gitter, we
should link Matrix.org as a place to meet us.
As the matrix and gitter channels are interconnected. We don't loose any
message if a person decides to go for one or another.
We use an more universal way of translation to make it easier to provide
a link to various platforms.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Fix modal and panel colors in night mode
|
| | |
| | |
| | |
| | |
| | |
| | | |
This provides more eye-friendly code boxes when night mode is active.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
| |
| |
| |
| |
| |
| |
| | |
Night mode provides a generally, dark interface. This fix provides the
needed CSS to also turn modal and panels into night mode design as well.
This mainly effects the help modal.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Fix CSP for disqus and Google Analytics
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.
Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.
They are enabled by default to prevent breaking changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| |/
|/| |
Add session data to env vars
|
|/
|
|
|
|
|
|
|
|
|
| |
Currently the session secret can only be set by config.json or docker
secrets. This creates a problem on Heroku hosted instances that can not
set a session secret.
Since we automatically generate them on startup this results in an
logout of all users on every config change in Heroku.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Automatically generate a session secret if default is used
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.
By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.
It prevents session hijacking this way and will warn the user about
the missing secret.
This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Fix some issues with legacy config compatiblity
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
We should check for an undefined and not just for a logical true or
false.
Example: When `usecdn` was set to false it was impossible to overwrite
the new config value because the if statement becomes false.
Thanks @davidmehren for pointing me to this issue.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Looks like we forgot something during the migration. This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \ \
| | | |
| | | | |
Add documentation for setting up authentication with a self-hosted GitLab
|
|/ / /
| | |
| | |
| | | |
Signed-off-by: mcnesium <git@mcnesium.com>
|
|\ \ \
| |/ /
|/| | |
Allow embedding of video and audio tags
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Adding mediaSrc to CSP so video and audio files can be embedded without
problems.
From a security perspective it should be fine to load audio and video
data without introducing a high security issue. Only from a privacy
perspective it allows another way to track users if there are data
embedded. But it doesn't introduce any new attack vector as pictures are
also allowed from everywhere.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| |/
|/| |
Fix night mode button after restore
|
|/
|
|
|
|
|
|
|
|
|
| |
The night mode toggle doesn't get the right state after restore from
local storage. This results in the need to toggle twice to disable night
mode.
This patch adds the needed class so the toggleNightMode function gets
the right state on execution.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\
| |
| | |
Change config to camel case with backwards compatibility
|
| |
| |
| |
| |
| |
| |
| |
| | |
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
|\ \
| |/
|/| |
Persist nightmode so we can re-enable it on reload
|