| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.
This issue was reported by Thomas Lambertz.
To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.
```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```
Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.
Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.
References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
|
|\ \
| | |
| | | |
Don't store mermaid diagrams in innerHTML
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \
| |/ /
|/| | |
update linuxserver docker info
|
|/ /
| |
| |
| |
| |
| | |
Update badges and info to point to the newly published HedgeDoc image
Signed-off-by: aptalca <aptalca@linuxserver.io>
|
|\ \
| |/
|/| |
Update configuration.md
|
|/
|
|
|
|
| |
Added a more in depth example of how to set CMD_DB_URL or dbUrl
Signed-off-by: Philip Molares <philip.molares@udo.edu>
|
|\ |
|
|/
|
|
| |
Signed-off-by: ericgaspar <junk.eg@free.fr>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| |
| |
| | |
This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Generate CSS filenames with contenthash
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, .css files always had the same name, which can lead to caching problems.
In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading the HedgeDoc logo filling the whole screen.
This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded.
References:
https://github.com/webpack-contrib/mini-css-extract-plugin#filename
https://webpack.js.org/configuration/output/#outputfilename
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| | |
| | | |
Fix broken PDF embed in features page & explain embedding problems
|
|/ /
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\|
| |
| | |
Update dependency less to v3.13.1
|
| |
| |
| |
| | |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ \
| |/
|/| |
Update dependency copy-webpack-plugin to v6.4.1
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
|
|
| |
As we found out in #616, Apache does not set the `X-Forwarded-Proto` header, which is now required because we switched to secure cookies in 383d791a50919bb9890a3f3f797ecc95125ab8bf.
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\
| |
| | |
Update dependency less to v3.13.0
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| | |
Update dependency copy-webpack-plugin to v6.4.0
|
|/
|
|
| |
Signed-off-by: Renovate Bot <bot@renovateapp.com>
|
|\
| |
| | |
Fix some typos in history.md
|
| | |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \
| | |
| | | |
Fix crash when OAuth2 config parameters are missing
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If the optional config options `config.oauth2.userProfileIdAttr` or `config.oauth2.rolesClaim` were not set, `String.split` was called on `undefined`, triggering a crash.
This commit adds handling of these cases and improves error logging in `checkAuthorization`.
Fixes #608
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \ |
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
| |/ /
| | |
| | |
| | | |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
|\ \ \
| | | |
| | | | |
Update issue templates to use the new labels
|
|/ / /
| | |
| | |
| | | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|\ \ \
| |_|/
|/| | |
Update yunohost.md
|
| |/
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: ericgaspar <junk.eg@free.fr>
Upgrade YunoHost doc link
Signed-off-by: ericgaspar <junk.eg@free.fr>
|
|\ \
| |/
|/| |
Change label used by renovate to "type: maintenance"
|
|/
|
|
| |
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
| |
| |
| |
| | |
Signed-off-by: David Mehren <git@herrmehren.de>
|
|/
|
|
| |
Signed-off-by: David Mehren <git@herrmehren.de>
|