Commit graph

2781 commits

Author SHA1 Message Date
Philip Molares
1546786c63 changed the SCRIPT_END_PLACEHOLDER regex to case insensitive
this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:35:17 +01:00
Philip Molares
35b0d39a12 added sanitization to the slideMode in frontmatter
This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648

Specifically left out are
- dependency (user can't really include anything anyway, because CSP forbids most domains)
- autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
- keyboard (this lets users write arbitrary code and therefore seems too problematic)

See:
https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:18:09 +01:00
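The two commits above (the frontmatter `slideOptions` allowlist and the case-insensitive `SCRIPT_END_PLACEHOLDER` regex) fit together as one pipeline: filter what a note author may set, then serialize it into the slide page's `<script>` block without letting a string value close that block early. The code below is an added example written for this page, not HedgeDoc/CodiMD code; the option allowlist, the identifier rule for string options and the placeholder name are assumptions modelled on the commit messages and the reveal.js 3.9 configuration table, and the `\u003c` encoding at the end goes beyond the commits as a variant that needs no client-side round trip.

```javascript
// Added example, not HedgeDoc/CodiMD code: sanitize reveal.js options read
// from a note's frontmatter and serialize them into the slide page's
// <script> block. Allowlist, identifier rule and placeholder name are
// assumptions modelled on the commits, not the project's actual code.

// reveal.js 3.9 options a note author may set, with the type each must have.
// Deliberately absent, as in the commit: dependencies, autoSlideMethod and
// keyboard (keyboard maps key codes to arbitrary JS functions).
const SLIDE_OPTION_TYPES = {
  controls: 'boolean', progress: 'boolean', slideNumber: 'boolean',
  history: 'boolean', center: 'boolean', loop: 'boolean', rtl: 'boolean',
  autoSlide: 'number', autoSlideStoppable: 'boolean',
  width: 'number', height: 'number', margin: 'number',
  transition: 'string', transitionSpeed: 'string', theme: 'string',
};
// String options end up in class names and stylesheet paths, so this example
// restricts them to a plain identifier (assumed policy).
const SAFE_IDENTIFIER = /^[a-z0-9_-]{1,32}$/i;

function sanitizeSlideOptions(raw) {
  const clean = {};
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) return clean;
  for (const [key, value] of Object.entries(raw)) {
    const expected = SLIDE_OPTION_TYPES[key];
    if (expected === undefined) continue;                       // unknown or forbidden key
    if (typeof value !== expected) continue;                    // wrong type, e.g. object for a boolean
    if (expected === 'number' && !Number.isFinite(value)) continue;
    if (expected === 'string' && !SAFE_IDENTIFIER.test(value)) continue;
    clean[key] = value;
  }
  return clean;
}

// Placeholder approach from the commits: swap the closing tag out before the
// JSON lands inside <script>...</script>, so the HTML parser cannot end the
// script early. The client-side reader is assumed to swap it back.
const SCRIPT_END_PLACEHOLDER = '__SCRIPT_END__'; // hypothetical name

// Before the fix: case-sensitive, so "</SCRIPT>" passes straight through.
function serializeCaseSensitive(options) {
  return JSON.stringify(options).replace(/<\/script>/g, SCRIPT_END_PLACEHOLDER);
}

// After the fix: the i flag covers every capitalization of the tag.
function serializeWithPlaceholder(options) {
  return JSON.stringify(options).replace(/<\/script>/gi, SCRIPT_END_PLACEHOLDER);
}

// Alternative with no round trip: JSON permits \u escapes, so encoding every
// "<" keeps the output valid JSON (JSON.parse restores it) and tag-free.
function serializeJsonForScript(options) {
  return JSON.stringify(options).replace(/</g, '\\u003c');
}

// True if the serialized string could terminate a <script> element.
function containsScriptEnd(serialized) {
  return /<\/script/i.test(serialized);
}

function assembleSlideScript(frontmatterSlideOptions) {
  const options = sanitizeSlideOptions(frontmatterSlideOptions);
  return `<script>window.slideOptions = ${serializeJsonForScript(options)};</script>`;
}
```

Run with a constructed frontmatter such as `{ controls: true, keyboard: { 13: 'alert(1)' }, theme: 'black', transition: '"></script>' }`: the allowlist drops `keyboard` and the malformed `transition`, and `serializeCaseSensitive` leaves an upper-case `</SCRIPT>` in place while the other two serializers do not.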
Tilman Vatteroth
5bdb392413
Several theme changes (#659)
* Several theme changes

- Add max width of 1440px
- Rename css file
- Fix edit button
- Add local Roboto font

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 22:55:00 +01:00
Yannick Bungers
73d237165e
Merge pull request #656 from hedgedoc/docs/move-content
Move docs into subdirectory to make structor work
2021-01-05 17:27:24 +01:00
Tilman Vatteroth
d39c7deb32
Change history link
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 17:18:45 +01:00
Tilman Vatteroth
929a27d393
Change links in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 17:13:44 +01:00
Tilman Vatteroth
bcc99f7979
Use svg in readme
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 17:04:41 +01:00
Tilman Vatteroth
eaeb88401d
Move docs into subdirectory to make mkdocs work in a subdirectory
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-05 13:15:32 +01:00
Yannick Bungers
d52d1d255a
Merge pull request #655 from hedgedoc/remove-ie11
Remove IE11 support from README
2021-01-04 22:29:57 +01:00
David Mehren
642316abb1
Remove IE11 support from README
Apparently we have stopped supporting IE11. It shows a syntax error for our JS. I have spent half an hour trying to add IE11 to our Babel config, but that did not resolve the issue. It seems bigger changes to our Webpack config might be necessary to support IE11 again, which I don't think is worthwhile. It's probably reasonable to just remove IE from the list of supported browsers.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-04 22:21:51 +01:00
David Mehren
fdc86538c6
Merge pull request #650 from hedgedoc/mkdocs
2021-01-04 18:35:08 +01:00
Philip Molares
90371c1c00 added documentation about how to write, build and deploy this documentation.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-04 14:26:39 +01:00
David Mehren
9f191bd58f
Merge pull request #646 from hedgedoc/kubernetes
2021-01-04 13:35:24 +01:00
Philip Molares
825d56f216 removed kubernetes from navigation
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-04 13:11:41 +01:00
Philip Molares
133416973d removed kubernetes from README
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-04 13:07:44 +01:00
Philip Molares
0911bf96e9 added all necessary configs to use structor
see https://github.com/traefik/structor

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-03 22:15:12 +01:00
Philip Molares
dfa12e52e6 remove old documentation
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-03 16:10:27 +01:00
Philip Molares
55d653a1a2 started work on a mkdocs documentation for readthedocs.org
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-03 16:00:25 +01:00
Philip Molares
d462675fc8 Update docs/setup/kubernetes.md
Co-authored-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-02 16:14:22 +01:00
Philip Molares
d7ef5e83c2 changed kubernetes setup doc
currently we don't provide our own, and still linking to hackmd/codimd is
not helpful

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-02 11:01:34 +01:00
David Mehren
5b3d62e494
Fix typo in release notes
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 21:21:12 +01:00
David Mehren
7d2c433b1b
Bump version to 1.7.1
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 20:54:39 +01:00
David Mehren
591f0c10f0
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:54:06 +01:00
David Mehren
e9306991cd
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
2020-12-27 19:52:42 +01:00
David Mehren
6932cc4df7
Always save uploads to a tmpdir first and cleanup afterwards
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:14 +01:00
David Mehren
cf4344d9e0
Improve MIME-type checks of uploaded files
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:12 +01:00
Sheogorath
f83e4d66ed
Rework error messages for image uploads
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provides the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:02 +01:00
Sheogorath
d097211c54
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users being able to
upload files even when anonymous edits are disabled.

It's implemented by blocking uploads for all unauthenticated users when
`allowAnonymous` is set to `false`, unless `allowAnonymousEdits` is set
to `true`, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
Sheogorath
dc29a286e6
Fix arbitrary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installations which allows arbitrary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch, it applies the same
restrictions on the MIME-types as the frontend does. This means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure will be at
risk.

Additional note: When using filesystem instead of an external upload
provider, there is a higher risk of code injection, as the default CSP
does not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
David Mehren
58276ebbf4
Merge pull request from GHSA-g6w6-7xf9-m95p
Don't store mermaid diagrams in innerHTML
2020-12-27 19:49:57 +01:00
David Mehren
c32b1cf42b
Don't store mermaid diagrams in innerHTML
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 10:14:27 +01:00
David Mehren
b23035c9a8
Merge pull request #640 from aptalca/patch-1
update linuxserver docker info
2020-12-27 10:12:11 +01:00
aptalca
b9c043bf6b update linuxserver docker info
Update badges and info to point to the newly published HedgeDoc image

Signed-off-by: aptalca <aptalca@linuxserver.io>
2020-12-24 17:00:31 -05:00
Yannick Bungers
89ecff4b1c
Merge pull request #637 from hedgedoc/improveConfigurationDocs
Update configuration.md
2020-12-22 20:57:48 +01:00
Philip Molares
a41d9e4c11 Update configuration.md
Added a more in depth example of how to set CMD_DB_URL or dbUrl

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2020-12-22 20:32:27 +01:00
David Mehren
23ade34cac
Merge pull request #636 from hedgedoc/Set-badge-to-SVG
2020-12-22 12:41:39 +01:00
ericgaspar
8dc215fd98
Set Install-with-yunohost badge to SVG
Signed-off-by: ericgaspar <junk.eg@free.fr>
2020-12-21 23:28:56 +01:00
David Mehren
287e88bc74
Merge pull request #634 from hedgedoc/release/1.7.0
2020-12-21 22:53:48 +01:00
David Mehren
faf3010c39
Bump version to 1.7.0
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:36:40 +01:00
David Mehren
687fdf20cd
Add note about X-Forwarded-Proto to 1.7.0 release notes
This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:35:49 +01:00
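The release note above describes a failure mode rather than a bug: with TLS terminated at a reverse proxy, the application only learns that the client used HTTPS from `X-Forwarded-Proto`, and a session layer configured for secure cookies (express-session's `cookie.secure` together with Express's `trust proxy`) withholds the cookie entirely when it cannot see HTTPS. The code below is an added example written for this page, not HedgeDoc code, showing that decision and the caveat the note does not spell out: the header must only be believed when a trusted proxy sets it, since a direct client can send it too. Function and option names are assumptions; the request objects at the bottom are constructed.

```javascript
// Added example, not HedgeDoc code: deciding whether a request behind a
// TLS-terminating proxy counts as HTTPS, and what that does to a Secure
// session cookie. Names are assumptions; request objects are constructed.

function requestIsSecure(req, { trustProxy }) {
  if (req.socket && req.socket.encrypted) return true; // TLS terminated in-process
  if (!trustProxy) return false;                        // any client can send the header, so ignore it
  // A proxy chain appends values; the first is the client-facing hop.
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// Returns the Set-Cookie value, or null when a Secure cookie would have to
// go out over what looks like plain HTTP (the "we don't send cookies" case).
function sessionSetCookie(req, options, sessionId) {
  const secure = requestIsSecure(req, options);
  if (options.secureCookies && !secure) return null;
  const attrs = [`connect.sid=${sessionId}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed requests as the app sees them behind a proxy: one where the
// proxy sets X-Forwarded-Proto, one where it was forgotten.
const proxiedWithHeader = { socket: { encrypted: false }, headers: { 'x-forwarded-proto': 'https' } };
const proxiedNoHeader = { socket: { encrypted: false }, headers: {} };

function demo() {
  const opts = { trustProxy: true, secureCookies: true };
  return {
    withHeader: sessionSetCookie(proxiedWithHeader, opts, 'abc'),   // cookie with Secure
    noHeader: sessionSetCookie(proxiedNoHeader, opts, 'abc'),       // null: cookie withheld
    untrusted: sessionSetCookie(proxiedWithHeader, { trustProxy: false, secureCookies: true }, 'abc'), // null
  };
}
```

The `untrusted` case is the one to keep in mind when enabling `trust proxy`: the same header that fixes the missing cookie is attacker-supplied unless a proxy you control overwrites it before the request reaches the application.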
David Mehren
e7409b265c
Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:28:53 +01:00
David Mehren
7273469022
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:20:00 +01:00
David Mehren
6dde20942a
Merge pull request #632 from hedgedoc/webpack-css-contenthash
Generate CSS filenames with contenthash
2020-12-21 21:16:48 +01:00
David Mehren
96142bb21d
Merge pull request #633 from hedgedoc/fix-features-pdf-embed
Fix broken PDF embed in features page & explain embedding problems
2020-12-21 20:34:36 +01:00
David Mehren
a11d45ce27
Fix broken PDF embed in features page & explain embedding problems
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 17:20:33 +01:00
David Mehren
9f624d150c
Generate CSS filenames with contenthash
Previously, .css files always had the same name, which can lead to caching problems.
In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading to the HedgeDoc logo filling the whole screen.
This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded.

References:
https://github.com/webpack-contrib/mini-css-extract-plugin#filename
https://webpack.js.org/configuration/output/#outputfilename
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 12:31:34 +01:00
David Mehren
96fbee3f86
Merge pull request #629 from hedgedoc/renovate/less-3.x
Update dependency less to v3.13.1
2020-12-21 11:43:15 +01:00
David Mehren
37b0c4b901
Merge pull request #627 from hedgedoc/renovate/copy-webpack-plugin-6.x
Update dependency copy-webpack-plugin to v6.4.1
2020-12-21 11:38:07 +01:00
Renovate Bot
4c1419a54e
Update dependency less to v3.13.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2020-12-18 15:54:19 +00:00
Renovate Bot
344f65ed2c
Update dependency copy-webpack-plugin to v6.4.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2020-12-16 13:54:40 +00:00