Commit graph

2810 commits

Author SHA1 Message Date
David Mehren
7d2c433b1b
Bump version to 1.7.1
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 20:54:39 +01:00
David Mehren
591f0c10f0
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:54:06 +01:00
David Mehren
e9306991cd
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
2020-12-27 19:52:42 +01:00
David Mehren
6932cc4df7
Always save uploads to a tmpdir first and cleanup afterwards
This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers <git@innay.de>
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:14 +01:00
David Mehren
cf4344d9e0
Improve MIME-type checks of uploaded files
This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 19:51:12 +01:00
Sheogorath
f83e4d66ed
Rework error messages for image uploads
This patch reworks the error messages for image uploads to make more
sense.

Instead of using the current `formidable error` for everything, all
custom error detection now provide the (hopefully) more useful `Image
Upload error` prefix for error messages.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:02 +01:00
Sheogorath
d097211c54
Fix unauthenticated file uploads
This patch fixes the issue of unauthenticated users, being able to
upload files, even when anonymous edits are disabled.

It's implemented by blocking uploads when either `allowAnonymous` is set
to `false` for all unauthenticated users, unless `allowAnonymousEdits`
is set to true, to make sure anonymous editors still experience the full
feature set.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
Sheogorath
dc29a286e6
Fix arbitary file upload for uploadimage API endpoint
This patch fixes a security issue with all existing CodiMD and HedgeDoc
installation which allows arbitary file uploads to instances that expose
the `/uploadimage` API endpoint. With the patch it implies the same
restrictions on the MIME-types as the frontend does. Means only images
are allowed unless configured differently.

This issue was reported by Thomas Lambertz.

To verify if you are vulnerable or not, create two files `test.html` and
`test.png` and try to upload them to your hedgedoc installation.

```
curl -X POST -F "image=@$(pwd)/test.html" http://localhost:3000/uploadimage
curl -X POST -F "image=@$(pwd)/test.png" http://localhost:3000/uploadimage
```

Note: Not all backends are affected. Imgur and lutim should prevent this
by their own upload API. But S3, minio, filesystem and azure, will be at
risk.

Addition Note: When using filesystem instead of an external uploads
providers, there is a higher risk of code injections as the default CSP
do not block JS from the main domain.

References:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2020-12-27 19:51:01 +01:00
David Mehren
58276ebbf4
Merge pull request from GHSA-g6w6-7xf9-m95p
Don't store mermaid diagrams in innerHTML
2020-12-27 19:49:57 +01:00
David Mehren
c32b1cf42b
Don't store mermaid diagrams in innerHTML
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 10:14:27 +01:00
David Mehren
b23035c9a8
Merge pull request #640 from aptalca/patch-1
update linuxserver docker info
2020-12-27 10:12:11 +01:00
aptalca
b9c043bf6b update linuxserver docker info
Update badges and info to point to the newly published HedgeDoc image

Signed-off-by: aptalca <aptalca@linuxserver.io>
2020-12-24 17:00:31 -05:00
Yannick Bungers
89ecff4b1c
Merge pull request #637 from hedgedoc/improveConfigurationDocs
Update configuration.md
2020-12-22 20:57:48 +01:00
Philip Molares
a41d9e4c11 Update configuration.md
Added a more in depth example of how to set CMD_DB_URL or dbUrl

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2020-12-22 20:32:27 +01:00
David Mehren
23ade34cac
Merge pull request #636 from hedgedoc/Set-badge-to-SVG 2020-12-22 12:41:39 +01:00
ericgaspar
8dc215fd98
Set Install-with-yunohost bagde to SVG
Signed-off-by: ericgaspar <junk.eg@free.fr>
2020-12-21 23:28:56 +01:00
David Mehren
287e88bc74
Merge pull request #634 from hedgedoc/release/1.7.0 2020-12-21 22:53:48 +01:00
David Mehren
faf3010c39
Bump version to 1.7.0
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:36:40 +01:00
David Mehren
687fdf20cd
Add note about X-Forwarded-Proto to 1.7.0 release notes
This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:35:49 +01:00
David Mehren
e7409b265c
Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:28:53 +01:00
David Mehren
7273469022
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:20:00 +01:00
David Mehren
6dde20942a
Merge pull request #632 from hedgedoc/webpack-css-contenthash
Generate CSS filenames with contenthash
2020-12-21 21:16:48 +01:00
David Mehren
96142bb21d
Merge pull request #633 from hedgedoc/fix-features-pdf-embed
Fix broken PDF embed in features page & explain embedding problems
2020-12-21 20:34:36 +01:00
David Mehren
a11d45ce27
Fix broken PDF embed in features page & explain embedding problems
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 17:20:33 +01:00
David Mehren
9f624d150c
Generate CSS filenames with contenthash
Previously, .css files always had the same name, which can lead to caching problems.
In our case, the new CSS for the HedgeDoc logo was not loaded when Chrome had the 1.6.0 CSS in the cache, leading the HedgeDoc logo filling the whole screen.
This commit adds the contenthash to the .css files generated by webpack, which ensures that changed files are always loaded.

References:
https://github.com/webpack-contrib/mini-css-extract-plugin#filename
https://webpack.js.org/configuration/output/#outputfilename
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 12:31:34 +01:00
David Mehren
96fbee3f86
Merge pull request #629 from hedgedoc/renovate/less-3.x
Update dependency less to v3.13.1
2020-12-21 11:43:15 +01:00
David Mehren
37b0c4b901
Merge pull request #627 from hedgedoc/renovate/copy-webpack-plugin-6.x
Update dependency copy-webpack-plugin to v6.4.1
2020-12-21 11:38:07 +01:00
Renovate Bot
4c1419a54e
Update dependency less to v3.13.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2020-12-18 15:54:19 +00:00
Renovate Bot
344f65ed2c
Update dependency copy-webpack-plugin to v6.4.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2020-12-16 13:54:40 +00:00
Yannick Bungers
276ae10c7f
Merge pull request #625 from hedgedoc/apache-docs 2020-12-13 20:18:53 +01:00
David Mehren
22d2bf00fc
Fix typo in reverse proxy docs
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-13 19:09:41 +01:00
David Mehren
2f5ca84605
Document reverse proxy config for Apache
As we found out in #616, Apache does not set the `X-Forwarded-Proto` header, which is now required because we switched to secure cookies in 383d791a50.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-13 19:09:34 +01:00
David Mehren
70ff301e15
Merge pull request #622 from hedgedoc/renovate/less-3.x
Update dependency less to v3.13.0
2020-12-13 18:57:19 +01:00
Renovate Bot
b4c6f3b22f
Update dependency less to v3.13.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2020-12-12 02:11:41 +00:00
David Mehren
e9973a28d4
Merge pull request #619 from hedgedoc/renovate/copy-webpack-plugin-6.x
Update dependency copy-webpack-plugin to v6.4.0
2020-12-11 17:45:51 +01:00
Renovate Bot
e4ce3cfc19
Update dependency copy-webpack-plugin to v6.4.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2020-12-07 15:43:22 +00:00
David Mehren
2338a98731
Merge pull request #613 from nidico/patch-1
Fix some typos in history.md
2020-12-03 22:18:50 +01:00
David Mehren
81e463250d
Release 1.7.0-rc2
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-02 23:15:56 +01:00
David Mehren
35f5dfa866
Update yarn.lock
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-02 21:04:29 +01:00
David Mehren
0989ae426e
Merge pull request #609 from hedgedoc/fix/oauth2-auth
Fix crash when OAuth2 config parameters are missing
2020-12-02 20:48:12 +01:00
David Mehren
ee227d3c00
Merge pull request #610 from hedgedoc/fix/migration-error-message 2020-12-02 20:42:07 +01:00
Tilman Vatteroth
0318ce3e83
Add missing catch
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-12-02 19:39:06 +01:00
Tilman Vatteroth
120225947f
Catch more errors
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-12-02 17:22:27 +01:00
David Mehren
df0482ea68
Merge pull request #614 from hedgedoc/update-pr-template-labels
Update issue templates to use the new labels
2020-12-02 15:52:23 +01:00
David Mehren
eb727810b5
Update issue templates to use the new labels
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-01 21:14:11 +01:00
David Mehren
0e8e213256
Merge pull request #605 from hedgedoc/YunoHost-link-update
Update yunohost.md
2020-12-01 10:15:43 +01:00
Nicolas Dietrich
0195d074a8
Fix some typos in history.md 2020-12-01 00:32:48 +01:00
David Mehren
3f86ffb882
Merge pull request #611 from hedgedoc/fix/renovate-label
Change label used by renovate to "type: maintenance"
2020-11-30 18:37:35 +01:00
Tilman Vatteroth
8600c2dae6
Change label used by renovate to "type: maintenance"
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-30 18:24:43 +01:00
Tilman Vatteroth
4ae80a3ed0
[Migrations] Replace similar code
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2020-11-30 17:39:50 +01:00