| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As a temporary fix, to keep you and your users save, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in future.
I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
| |
It seems like since we switched to camelcase we missed to update some
variable names in the config section. This patch fixes those.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: chandi <git@chandi.it>
|
| |\
| |
| | |
Respect DNT header
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Do Not Track (DNT) is an old web standard in order to notify pages that
the user doesn't want to be tracked. Even while a lot of pages either
ignore this header or even worse, use it for tracking purposes, the
orignal intention of this header is good and should be adopted.
This patch implements a respect of the DNT header by no longer including
the optional Google Analytics and disqus integrations when sending a DNT
header. This should reduce outside resource usage and help to stay more
private.
This should later-on extended towards other document content (i.e.
iframe based content).
The reason to not change the CDN handling is that CDNs will be
deprecated with next release and removed in long term.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\ \
| | |
| | | |
DB URL: Secret File Support
|
| | | |
| | |
| | |
| | |
| | |
| | | |
As the connection string may include a password it should be supported by Docker Secrets.
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
|
| |\ \ \
| |/ /
|/| | |
Add SVG image detection based on file extension
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add simple SVG image detecetion base on the file extension .svg.
This fixes the SVG being delivered as binary/octet-stream and makes it possible to embedd the SVG.
Signed-off-by: Lennart Weller <lennart.weller@hansemerkur.de>
|
| |/ /
| |
| |
| | |
Signed-off-by: BoHong Li <a60814billy@gmail.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have various places with overly simple if statements that could be
handled by our logging library. Also a lot of those logs are not marked
as debug logs but as info logs, which can cause confusion during
debugging.
This patch removed unneeded if clauses around debug logging statements,
reworks debug log messages towards ECMA templates and add some new
logging statements which might be helpful in order to debug things like
image uploads.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Fix missing pictures for OpenID
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently a problem appears when using OpenID for authentication as
there is no method to add a profile picture right now.
This patch makes sure that all undefined login methods get a profile
picture.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
|
|
| |
With very low CPU frequency or bad IO situation, as well as not-loaded
JS CodiMD happens to present unneeded "I'm busy"-messages to users.
This patch allows to configure the lag. The default is taken from the
libray but set in our own default configs.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: Claudius <opensource@amenthes.de>
|
| |
|
|
| |
Signed-off-by: Claudius <opensource@amenthes.de>
|
| |
|
|
| |
Signed-off-by: Claudius <opensource@amenthes.de>
|
| |
|
|
| |
Signed-off-by: Dylan Dervaux <dylanderv05@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
disableRequestedAuthnContext: true|false
By default only Password authmethod is accepted, this option allows any other method.
Issue and option described here:
https://github.com/bergie/passport-saml/issues/226
Signed-off-by: Emmanuel Ormancey <emmanuel.ormancey@cern.ch>
|
| |
|
|
| |
Signed-off-by: Thor77 <thor77@thor77.org>
|
| |
|
|
|
|
|
|
|
|
| |
Add "both" mode to URLs because I assume most people want to straight away see the code when they click the "edit" button in a published note.
Fixes https://github.com/codimd/server/issues/27
Not tested, followed instructions from @ccoenen , please do review! :)
Signed-off-by: Stéphane Guillou <stephane.guillou@member.fsf.org>
|
| |\
| |
| | |
Use libravatar as drop-in replacement for gravatar
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since libravatar got a default fallback to Gravatar and in generell
allows federated image hosting for avatars this shouldn't break any
existing implementations.
The federation functionality is not added yet. This would require to use
the libravatar library.
Details:
https://wiki.libravatar.org/api/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
After a long discussion, it turned out that CodiMD as community project
and HackMD as a company, have fundamental different views on the project
governance.
Due to this, it came to point where the decision for a fork was made.
After the fork and move towards an own organisation, this patch updates
all links inside the project to the new repositories.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Fix shown but broken GitLab snippets
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To provide a GitLab integration we need the GitLab integration to be
configured. Otherwise we shouldn't show the Snippet button.
This patch adds the requirement to the variable that decides if the
import from snippets button shows up or not.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
|
|
|
| |
Since Google+ is shutting down soon, we need to get the profile data
from another URL. Since the library already supports it, all we need to
do is adding a single line of code.
Details:
https://github.com/hackmdio/codimd/issues/1160
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Fix empty serverURL did not redirect properly
|
| | |
| |
| |
| | |
Signed-off-by: toshi0123 <7948737+toshi0123@users.noreply.github.com>
|
| | |
| |
| |
| |
| |
| |
| | |
Seem like also environment variables are affected. This patch fixes that
as well.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
| |
Seems like there is a possible problem when a name containing a space is
passed to this function. using urlencode on the name should fix possible
problems here.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
| |
We talked about that during a community call. It turned out that not
everyone likes to have OpenID on their instance.
This patch disables OpenID by default.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We used `fs.unlink()` to remove the pdf file after we send it out to the
client. This breaks in Node 10, when no function as second parameter is
supplied.
This patches changes it to the `fs.unlinkSync` function that doesn't
have this requirement and this way doesn't crash.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
| |\
| |
| | |
Fix broken Gist embedding
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Looks like GitHub changed their asset system and our CSP prevented them
from getting loaded.
This patch should fix the Gist embedding with enabled CSP by replacing
the old URL `https://assets-cdn.github.com` with the new
`https://github.githubassets.com`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
| |
| |
| |
| |
| | |
Fixes #1107.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
| |\ \
| | |
| | | |
Fix usage of new URL API
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to the deprecation of the old `url`-API provided by NodeJS we
replaced `url.resolve` with `url.URL.resolve`, which doesn't exist.
This patch fixes the local filesystem upload of CodiMD by using the new
API correctly. Creating an URL object and using its href.
Some more background:
https://nodejs.org/api/url.html#url_url_href
https://nodejs.org/api/url.html#url_url_resolve_from_to
Fixes https://github.com/hackmdio/codimd/issues/1102
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\ \
| | |
| | | |
Fix CSP for speaker notes
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Looks like I was wrong in my previous commit to update revealjs.[1]
The speaker notes broke again with the CSPs. So this patch updates the
hash and this way the speaker notes.
[1]: bcebf1e8d285184f8c905f00e0270621790e7b80
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.
This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Warn on missing serverURL
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We see some issues that are based on not properly configured
`config.serverURL`.
This patch adds a warning when `config.serverURL` is an empty value.
This should provide users direct feedback about how to improve their
configs.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\ \
| |/
|/|
| |
| |
| |
| | |
Fix wrong config options
In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.
This patch should fix those problems and migrate the wrong statements to camelcase.
|
| | |
| |
| |
| | |
Signed-off-by: CloudYu <cloudyu322@gmail.com>
|
| |/
|
|
|
|
|
|
|
| |
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.
This commit fixes #1079.
Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.
A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.
https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
