summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
| * | Fix arbitary file upload for uploadimage API endpointSheogorath2020-12-271-2/+8
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a security issue with all existing CodiMD and HedgeDoc installation which allows arbitary file uploads to instances that expose the `/uploadimage` API endpoint. With the patch it implies the same restrictions on the MIME-types as the frontend does. Means only images are allowed unless configured differently. This issue was reported by Thomas Lambertz. To verify if you are vulnerable or not, create two files `test.html` and `test.png` and try to upload them to your hedgedoc installation. ``` curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage ``` Note: Not all backends are affected. Imgur and lutim should prevent this by their own upload API. But S3, minio, filesystem and azure, will be at risk. Addition Note: When using filesystem instead of an external uploads providers, there is a higher risk of code injections as the default CSP do not block JS from the main domain. References: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
* | Merge pull request from GHSA-g6w6-7xf9-m95pDavid Mehren2020-12-271-1/+1
|\ \ | | | | | | Don't store mermaid diagrams in innerHTML
| * | Don't store mermaid diagrams in innerHTMLDavid Mehren2020-12-271-1/+1
| | | | | | | | | | | | | | | | | | | | | Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue. Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #640 from aptalca/patch-1David Mehren2020-12-271-4/+12
|\ \ \ | |/ / |/| | update linuxserver docker info
| * | update linuxserver docker infoaptalca2020-12-241-4/+12
|/ / | | | | | | | | | | Update badges and info to point to the newly published HedgeDoc image Signed-off-by: aptalca <aptalca@linuxserver.io>
* | Merge pull request #637 from hedgedoc/improveConfigurationDocsYannick Bungers2020-12-221-1/+1
|\ \ | |/ |/| Update configuration.md
| * Update configuration.mdPhilip Molares2020-12-221-1/+1
|/ | | | | | Added a more in depth example of how to set CMD_DB_URL or dbUrl Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #636 from hedgedoc/Set-badge-to-SVGDavid Mehren2020-12-221-1/+1
|\
| * Set Install-with-yunohost bagde to SVGericgaspar2020-12-211-1/+1
|/ | | | Signed-off-by: ericgaspar <junk.eg@free.fr>
* Merge pull request #634 from hedgedoc/release/1.7.0David Mehren2020-12-213-11/+9
|\
| * Bump version to 1.7.0David Mehren2020-12-212-2/+2
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Add note about `X-Forwarded-Proto` to 1.7.0 release notesDavid Mehren2020-12-211-0/+4
| | | | | | | | | | | | This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies. Signed-off-by: David Mehren <git@herrmehren.de>
| * Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0David Mehren2020-12-211-9/+3
|/ | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Update yarn.lockDavid Mehren2020-12-211-125/+57
| | | | Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #632 from hedgedoc/webpack-css-contenthashDavid Mehren2020-12-211-1/+4
|\ | | | | Generate CSS filenames with contenthash
| * Generate CSS filenames with contenthashDavid Mehren2020-12-211-1/+4
| | | | | | | | | | | | | | | | | | | | | | Previously, .css files always had the same name, which can lead to caching problems. In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading the HedgeDoc logo filling the whole screen. This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded. References: https://github.com/webpack-contrib/mini-css-extract-plugin#filename https://webpack.js.org/configuration/output/#outputfilename Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #633 from hedgedoc/fix-features-pdf-embedDavid Mehren2020-12-211-1/+2
|\ \ | | | | | | Fix broken PDF embed in features page & explain embedding problems
| * | Fix broken PDF embed in features page & explain embedding problemsDavid Mehren2020-12-211-1/+2
|/ / | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #629 from hedgedoc/renovate/less-3.xDavid Mehren2020-12-212-5/+18
|\| | | | | Update dependency less to v3.13.1
| * Update dependency less to v3.13.1Renovate Bot2020-12-182-5/+18
| | | | | | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #627 from hedgedoc/renovate/copy-webpack-plugin-6.xDavid Mehren2020-12-212-5/+5
|\ \ | |/ |/| Update dependency copy-webpack-plugin to v6.4.1
| * Update dependency copy-webpack-plugin to v6.4.1Renovate Bot2020-12-162-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #625 from hedgedoc/apache-docsYannick Bungers2020-12-131-1/+27
|\
| * Fix typo in reverse proxy docsDavid Mehren2020-12-131-1/+1
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Document reverse proxy config for ApacheDavid Mehren2020-12-131-0/+26
|/ | | | | | As we found out in #616, Apache does not set the `X-Forwarded-Proto` header, which is now required because we switched to secure cookies in 383d791a50919bb9890a3f3f797ecc95125ab8bf. Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #622 from hedgedoc/renovate/less-3.xDavid Mehren2020-12-132-5/+5
|\ | | | | Update dependency less to v3.13.0
| * Update dependency less to v3.13.0Renovate Bot2020-12-122-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #619 from hedgedoc/renovate/copy-webpack-plugin-6.xDavid Mehren2020-12-112-5/+5
|\ | | | | Update dependency copy-webpack-plugin to v6.4.0
| * Update dependency copy-webpack-plugin to v6.4.0Renovate Bot2020-12-072-5/+5
|/ | | | Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #613 from nidico/patch-1David Mehren2020-12-031-3/+3
|\ | | | | Fix some typos in history.md
| * Fix some typos in history.mdNicolas Dietrich2020-12-011-3/+3
| |
* | Release 1.7.0-rc2David Mehren2020-12-023-2/+10
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Update yarn.lockDavid Mehren2020-12-021-3/+3
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #609 from hedgedoc/fix/oauth2-authDavid Mehren2020-12-021-12/+19
|\ \ | | | | | | Fix crash when OAuth2 config parameters are missing
| * | Fix crash when OAuth2 config parameters are missingDavid Mehren2020-11-301-12/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash. This commit adds handling of these cases and improves error logging in `checkAuthorization`. Fixes #608 Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #610 from hedgedoc/fix/migration-error-messageDavid Mehren2020-12-0210-9/+33
|\ \ \
| * | | Add missing catchTilman Vatteroth2020-12-021-1/+2
| | | | | | | | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * | | Catch more errorsTilman Vatteroth2020-12-029-10/+31
| | | | | | | | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * | | [Migrations] Replace similar codeTilman Vatteroth2020-11-301-2/+1
| | | | | | | | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
| * | | [Migrations] Add variant of error message to catch blockTilman Vatteroth2020-11-301-1/+4
| |/ / | | | | | | | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* | | Merge pull request #614 from hedgedoc/update-pr-template-labelsDavid Mehren2020-12-024-4/+4
|\ \ \ | | | | | | | | Update issue templates to use the new labels
| * | | Update issue templates to use the new labelsDavid Mehren2020-12-014-4/+4
|/ / / | | | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #605 from hedgedoc/YunoHost-link-updateDavid Mehren2020-12-011-2/+2
|\ \ \ | |_|/ |/| | Update yunohost.md
| * | Update yunohost.mdericgaspar2020-11-301-2/+2
| |/ | | | | | | | | | | | | | | Signed-off-by: ericgaspar <junk.eg@free.fr> Upgrade YunoHost doc link Signed-off-by: ericgaspar <junk.eg@free.fr>
* | Merge pull request #611 from hedgedoc/fix/renovate-labelDavid Mehren2020-11-301-1/+1
|\ \ | |/ |/| Change label used by renovate to "type: maintenance"
| * Change label used by renovate to "type: maintenance"Tilman Vatteroth2020-11-301-1/+1
|/ | | | Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Merge pull request #401 from hedgedoc/wip_release/1.6.1David Mehren2020-11-294-242/+149
|\
| * Changelog for 1.7.0-rc1David Mehren2020-11-291-0/+86
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Bump Version to 1.7.0-rc1David Mehren2020-11-292-2/+2
| | | | | | | | Signed-off-by: David Mehren <git@herrmehren.de>
| * Update yarn.lockDavid Mehren2020-11-291-240/+61
|/ | | | Signed-off-by: David Mehren <git@herrmehren.de>