Commit a3160521 authored by Marcel Klehr's avatar Marcel Klehr
Browse files

Merge branch 'release/1.2.9'

parents 84401286 54433db4
# 1.2.9
* Fix: MAJOR Security issue, where a hacker could submit content as another user
* Fix: security issue due to unescaped user input
* Fix: Admin page at /admin redirects to /admin/ now to prevent breaking relative links
* Fix: indentation in chrome on linux
* Fix: PadUsers API endpoint
* NEW: A script to import data to all dbms
* NEW: Add authorId to chat and userlist as a data attribute
* NEW Refactor and fix our frontend tests
* NEW: Localisation updates
# 1.2.81
* Fix: CtrlZ-Y for Undo Redo
* Fix: RTL functionality on contents & fix RTL/LTR tests and RTL in Safari
......
var startTime = new Date().getTime();
require("ep_etherpad-lite/node_modules/npm").load({}, function(er,npm) {
var fs = require("fs");
var ueberDB = require("ep_etherpad-lite/node_modules/ueberDB");
var settings = require("ep_etherpad-lite/node/utils/Settings");
var log4js = require('ep_etherpad-lite/node_modules/log4js');
var dbWrapperSettings = {
cache: 0,
writeInterval: 100,
json: false // data is already json encoded
};
var db = new ueberDB.database(settings.dbType, settings.dbSettings, dbWrapperSettings, log4js.getLogger("ueberDB"));
var sqlFile = process.argv[2];
//stop if the settings file is not set
if(!sqlFile)
{
console.error("Use: node importSqlFile.js $SQLFILE");
process.exit(1);
}
log("initializing db");
db.init(function(err)
{
//there was an error while initializing the database, output it and stop
if(err)
{
console.error("ERROR: Problem while initalizing the database");
console.error(err.stack ? err.stack : err);
process.exit(1);
}
else
{
log("done");
log("open output file...");
var lines = fs.readFileSync(sqlFile, 'utf8').split("\n");
var count = lines.length;
var keyNo = 0;
process.stdout.write("Start importing " + count + " keys...\n");
lines.forEach(function(l) {
if (l.substr(0, 27) == "REPLACE INTO store VALUES (") {
var pos = l.indexOf("', '");
var key = l.substr(28, pos - 28);
var value = l.substr(pos + 3);
value = value.substr(0, value.length - 2);
console.log("key: " + key + " val: " + value);
console.log("unval: " + unescape(value));
db.set(key, unescape(value), null);
keyNo++;
if (keyNo % 1000 == 0) {
process.stdout.write(" " + keyNo + "/" + count + "\n");
}
}
});
process.stdout.write("\n");
process.stdout.write("done. waiting for db to finish transaction. depended on dbms this may take some time...\n");
db.doShutdown(function() {
log("finished, imported " + keyNo + " keys.");
process.exit(0);
});
}
});
});
function log(str)
{
console.log((new Date().getTime() - startTime)/1000 + "\t" + str);
}
unescape = function(val) {
// value is a string
if (val.substr(0, 1) == "'") {
val = val.substr(0, val.length - 1).substr(1);
return val.replace(/\\[0nrbtZ\\'"]/g, function(s) {
switch(s) {
case "\\0": return "\0";
case "\\n": return "\n";
case "\\r": return "\r";
case "\\b": return "\b";
case "\\t": return "\t";
case "\\Z": return "\x1a";
default: return s.substr(1);
}
});
}
// value is a boolean or NULL
if (val == 'NULL') {
return null;
}
if (val == 'true') {
return true;
}
if (val == 'false') {
return false;
}
// value is a number
return val;
};
......@@ -23,6 +23,7 @@
{ "name": "adminsettings", "hooks": {
"expressCreateServer": "ep_etherpad-lite/node/hooks/express/adminsettings:expressCreateServer",
"socketio": "ep_etherpad-lite/node/hooks/express/adminsettings:socketio" }
}
},
{ "name": "swagger", "hooks": { "expressCreateServer": "ep_etherpad-lite/node/hooks/express/swagger:expressCreateServer" } }
]
}
......@@ -2,7 +2,8 @@
"@metadata": {
"authors": {
"0": "BMRG14",
"2": "ZxxZxxZ"
"1": "Dalba",
"3": "ZxxZxxZ"
}
},
"index.newPad": "\u062f\u0641\u062a\u0631\u0686\u0647 \u06cc\u0627\u062f\u062f\u0627\u0634\u062a \u062a\u0627\u0632\u0647",
......@@ -20,7 +21,7 @@
"pad.toolbar.clearAuthorship.title": "\u067e\u0627\u06a9 \u06a9\u0631\u062f\u0646 \u0631\u0646\u06af\u200c\u0647\u0627\u06cc \u0646\u0648\u06cc\u0633\u0646\u062f\u06af\u06cc",
"pad.toolbar.import_export.title": "\u062f\u0631\u0648\u0646\u200c\u0631\u06cc\u0632\u06cc\/\u0628\u0631\u0648\u0646\u200c\u0631\u06cc\u0632\u06cc \u0627\u0632\/\u0628\u0647 \u0642\u0627\u0644\u0628\u200c\u0647\u0627\u06cc \u0645\u062e\u062a\u0644\u0641",
"pad.toolbar.timeslider.title": "\u0627\u0633\u0644\u0627\u06cc\u062f\u0631 \u0632\u0645\u0627\u0646",
"pad.toolbar.savedRevision.title": "\u0628\u0627\u0632\u0646\u0648\u06cc\u0633\u06cc\u200c\u0647\u0627\u06cc \u0630\u062e\u06cc\u0631\u0647 \u0634\u062f\u0647",
"pad.toolbar.savedRevision.title": "\u0630\u062e\u06cc\u0631\u0647\u200c\u0633\u0627\u0632\u06cc \u0646\u0633\u062e\u0647",
"pad.toolbar.settings.title": "\u062a\u0646\u0638\u06cc\u0645\u0627\u062a",
"pad.toolbar.embed.title": "\u062c\u0627\u0633\u0627\u0632\u06cc \u0627\u06cc\u0646 \u062f\u0641\u062a\u0631\u0686\u0647 \u06cc\u0627\u062f\u062f\u0627\u0634\u062a",
"pad.toolbar.showusers.title": "\u0646\u0645\u0627\u06cc\u0634 \u06a9\u0627\u0631\u0628\u0631\u0627\u0646 \u062f\u0631 \u0627\u06cc\u0646 \u062f\u0641\u062a\u0631\u0686\u0647 \u06cc\u0627\u062f\u062f\u0627\u0634\u062a",
......@@ -79,6 +80,7 @@
"pad.share.emebdcode": "\u062c\u0627\u0633\u0627\u0632\u06cc \u0646\u0634\u0627\u0646\u06cc",
"pad.chat": "\u06af\u0641\u062a\u06af\u0648",
"pad.chat.title": "\u0628\u0627\u0632\u06a9\u0631\u062f\u0646 \u06af\u0641\u062a\u06af\u0648 \u0628\u0631\u0627\u06cc \u0627\u06cc\u0646 \u062f\u0641\u062a\u0631\u0686\u0647 \u06cc\u0627\u062f\u062f\u0627\u0634\u062a",
"pad.chat.loadmessages": "\u0628\u0627\u0631\u06af\u06cc\u0631\u06cc \u067e\u06cc\u0627\u0645\u200c\u0647\u0627\u06cc \u0628\u06cc\u0634\u062a\u0631",
"timeslider.pageTitle": "\u0627\u0633\u0644\u0627\u06cc\u062f\u0631 \u0632\u0645\u0627\u0646 {{appTitle}}",
"timeslider.toolbar.returnbutton": "\u0628\u0627\u0632\u06af\u0634\u062a \u0628\u0647 \u062f\u0641\u062a\u0631\u0686\u0647 \u06cc\u0627\u062f\u062f\u0627\u0634\u062a",
"timeslider.toolbar.authors": "\u0646\u0648\u06cc\u0633\u0646\u062f\u06af\u0627\u0646:",
......@@ -100,6 +102,8 @@
"timeslider.month.october": "\u0627\u06a9\u062a\u0628\u0631",
"timeslider.month.november": "\u0646\u0648\u0627\u0645\u0628\u0631",
"timeslider.month.december": "\u062f\u0633\u0627\u0645\u0628\u0631",
"timeslider.unnamedauthor": "{{num}} \u0646\u0648\u06cc\u0633\u0646\u062f\u0647\u0654 \u0628\u06cc\u200c\u0646\u0627\u0645",
"timeslider.unnamedauthors": "{{num}} \u0646\u0648\u06cc\u0633\u0646\u062f\u0647\u0654 \u0628\u06cc\u200c\u0646\u0627\u0645",
"pad.savedrevs.marked": "\u0627\u06cc\u0646 \u0628\u0627\u0632\u0646\u0648\u06cc\u0633\u06cc \u0647\u0645 \u0627\u06a9\u0646\u0648\u0646 \u0628\u0647 \u0639\u0646\u0648\u0627\u0646 \u0630\u062e\u06cc\u0631\u0647 \u0634\u062f\u0647 \u0639\u0644\u0627\u0645\u062a\u200c\u06af\u0630\u0627\u0631\u06cc \u0634\u062f",
"pad.userlist.entername": "\u0646\u0627\u0645 \u062e\u0648\u062f \u0631\u0627 \u0628\u0646\u0648\u06cc\u0633\u06cc\u062f",
"pad.userlist.unnamed": "\u0628\u062f\u0648\u0646 \u0646\u0627\u0645",
......
......@@ -19,13 +19,16 @@
"pad.toolbar.clearAuthorship.title": "Rader colores de autor",
"pad.toolbar.import_export.title": "Importar\/exportar in differente formatos de file",
"pad.toolbar.timeslider.title": "Glissa-tempore",
"pad.toolbar.savedRevision.title": "Versiones salveguardate",
"pad.toolbar.savedRevision.title": "Version salveguardate",
"pad.toolbar.settings.title": "Configuration",
"pad.toolbar.embed.title": "Incorporar iste pad",
"pad.toolbar.showusers.title": "Monstrar le usatores de iste pad",
"pad.colorpicker.save": "Salveguardar",
"pad.colorpicker.cancel": "Cancellar",
"pad.loading": "Cargamento\u2026",
"pad.passwordRequired": "Un contrasigno es necessari pro acceder a iste pad",
"pad.permissionDenied": "Tu non ha le permission de acceder a iste pad",
"pad.wrongPassword": "Le contrasigno es incorrecte",
"pad.settings.padSettings": "Configuration del pad",
"pad.settings.myView": "Mi vista",
"pad.settings.stickychat": "Chat sempre visibile",
......@@ -38,6 +41,7 @@
"pad.settings.language": "Lingua:",
"pad.importExport.import_export": "Importar\/Exportar",
"pad.importExport.import": "Incargar qualcunque file de texto o documento",
"pad.importExport.importSuccessful": "Succedite!",
"pad.importExport.export": "Exportar le pad actual como:",
"pad.importExport.exporthtml": "HTML",
"pad.importExport.exportplain": "Texto simple",
......@@ -45,9 +49,11 @@
"pad.importExport.exportpdf": "PDF",
"pad.importExport.exportopen": "ODF (Open Document Format)",
"pad.importExport.exportdokuwiki": "DokuWiki",
"pad.importExport.abiword.innerHTML": "Tu pote solmente importar files in formato de texto simple o HTML. Pro functionalitate de importation plus extense, <a href=\"https:\/\/github.com\/ether\/etherpad-lite\/wiki\/How-to-enable-importing-and-exporting-different-file-formats-in-Ubuntu-or-OpenSuse-or-SLES-with-AbiWord\">installa AbiWord<\/a>.",
"pad.modals.connected": "Connectite.",
"pad.modals.reconnecting": "Reconnecte a tu pad\u2026",
"pad.modals.forcereconnect": "Fortiar reconnexion",
"pad.modals.userdup": "Aperte in un altere fenestra",
"pad.modals.userdup.explanation": "Iste pad pare esser aperte in plus de un fenestra de navigator in iste computator.",
"pad.modals.userdup.advice": "Reconnecte pro usar iste fenestra.",
"pad.modals.unauth": "Non autorisate",
......@@ -72,11 +78,16 @@
"pad.share.emebdcode": "Codice de incorporation",
"pad.chat": "Chat",
"pad.chat.title": "Aperir le chat pro iste pad.",
"pad.chat.loadmessages": "Cargar plus messages",
"timeslider.pageTitle": "Glissa-tempore pro {{appTitle}}",
"timeslider.toolbar.returnbutton": "Retornar al pad",
"timeslider.toolbar.authors": "Autores:",
"timeslider.toolbar.authorsList": "Nulle autor",
"timeslider.toolbar.exportlink.title": "Exportar",
"timeslider.exportCurrent": "Exportar le version actual como:",
"timeslider.version": "Version {{version}}",
"timeslider.saved": "Salveguardate le {{day}} de {{month}} {{year}}",
"timeslider.dateformat": "{{year}}-{{month}}-{{day}} {{hours}}:{{minutes}}:{{seconds}}",
"timeslider.month.january": "januario",
"timeslider.month.february": "februario",
"timeslider.month.march": "martio",
......@@ -88,5 +99,22 @@
"timeslider.month.september": "septembre",
"timeslider.month.october": "octobre",
"timeslider.month.november": "novembre",
"timeslider.month.december": "decembre"
"timeslider.month.december": "decembre",
"timeslider.unnamedauthor": "{{num}} autor sin nomine",
"timeslider.unnamedauthors": "{{num}} autores sin nomine",
"pad.savedrevs.marked": "Iste version es ora marcate como version salveguardate",
"pad.userlist.entername": "Entra tu nomine",
"pad.userlist.unnamed": "sin nomine",
"pad.userlist.guest": "Invitato",
"pad.userlist.deny": "Refusar",
"pad.userlist.approve": "Approbar",
"pad.editbar.clearcolors": "Rader le colores de autor in tote le documento?",
"pad.impexp.importbutton": "Importar ora",
"pad.impexp.importing": "Importation in curso\u2026",
"pad.impexp.confirmimport": "Le importation de un file superscribera le texto actual del pad. Es tu secur de voler continuar?",
"pad.impexp.convertFailed": "Nos non ha potite importar iste file. Per favor usa un altere formato de documento o copia e colla le texto manualmente.",
"pad.impexp.uploadFailed": "Le incargamento ha fallite. Per favor reproba.",
"pad.impexp.importfailed": "Importation fallite",
"pad.impexp.copypaste": "Per favor copia e colla",
"pad.impexp.exportdisabled": "Le exportation in formato {{type}} es disactivate. Per favor contacta le administrator del systema pro detalios."
}
\ No newline at end of file
......@@ -26,6 +26,7 @@
"pad.colorpicker.save": "\u0c2d\u0c26\u0c4d\u0c30\u0c2a\u0c30\u0c1a\u0c41",
"pad.colorpicker.cancel": "\u0c30\u0c26\u0c4d\u0c26\u0c41\u0c1a\u0c47\u0c2f\u0c3f",
"pad.loading": "\u0c32\u0c4b\u0c21\u0c35\u0c41\u0c24\u0c4b\u0c02\u0c26\u0c3f...",
"pad.wrongPassword": "\u0c2e\u0c40 \u0c30\u0c39\u0c38\u0c4d\u0c2f\u0c2a\u0c26\u0c02 \u0c24\u0c2a\u0c41",
"pad.settings.padSettings": "\u0c2a\u0c32\u0c15 \u0c05\u0c2e\u0c30\u0c3f\u0c15\u0c32\u0c41",
"pad.settings.myView": "\u0c28\u0c3e \u0c09\u0c26\u0c4d\u0c26\u0c47\u0c36\u0c4d\u0c2f\u0c2e\u0c41",
"pad.settings.stickychat": "\u0c24\u0c46\u0c30\u0c2a\u0c48\u0c28\u0c47 \u0c2e\u0c3e\u0c1f\u0c3e\u0c2e\u0c02\u0c24\u0c3f\u0c28\u0c3f \u0c0e\u0c32\u0c4d\u0c32\u0c2a\u0c41\u0c21\u0c41 \u0c1a\u0c47\u0c2f\u0c41\u0c2e\u0c41",
......
......@@ -219,6 +219,9 @@ var version =
// set the latest available API version here
exports.latestApiVersion = '1.2.7';
// exports the versions so it can be used by the new Swagger endpoint
exports.version = version;
/**
* Handles a HTTP API call
* @param functionName the name of the called function
......@@ -266,6 +269,8 @@ exports.handle = function(apiVersion, functionName, fields, req, res)
}
//check the api key!
fields["apikey"] = fields["apikey"] || fields["api_key"];
if(fields["apikey"] != apikey.trim())
{
res.send({code: 4, message: "no or wrong API Key", data: null});
......
......@@ -550,11 +550,25 @@ function handleUserChanges(client, message)
throw "Attribute pool is missing attribute "+n+" for changeset "+changeset;
}
});
// Validate all added 'author' attribs to be the same value as the current user
var iterator = Changeset.opIterator(Changeset.unpack(changeset).ops)
, op
while(iterator.hasNext()) {
op = iterator.next()
if(op.opcode != '+') continue;
op.attribs.split('*').forEach(function(attr) {
if(!attr) return
attr = wireApool.getAttrib(attr)
if(!attr) return
if('author' == attr[0] && attr[1] != thisSession.author) throw "Trying to submit changes as another author"
})
}
}
catch(e)
{
// There is an error in this changeset, so just refuse it
console.warn("Can't apply USER_CHANGES "+changeset+", because it failed checkRep");
console.warn("Can't apply USER_CHANGES "+changeset+", because: "+e);
client.json.send({disconnect:"badChangeset"});
return;
}
......@@ -1448,7 +1462,7 @@ exports.padUsersCount = function (padID, callback) {
exports.padUsers = function (padID, callback) {
var result = [];
async.forEach(socketio.sockets.clients(padId), function(roomClient, callback) {
async.forEach(socketio.sockets.clients(padID), function(roomClient, callback) {
var s = sessioninfos[roomClient.id];
if(s) {
authorManager.getAuthor(s.author, function(err, author) {
......
......@@ -2,6 +2,7 @@ var eejs = require('ep_etherpad-lite/node/eejs');
exports.expressCreateServer = function (hook_name, args, cb) {
args.app.get('/admin', function(req, res) {
if('/' != req.path[req.path.length-1]) return res.redirect('/admin/');
res.send( eejs.require("ep_etherpad-lite/templates/admin/index.html", {}) );
});
}
......
var log4js = require('log4js');
var express = require('express');
var apiHandler = require('../../handler/APIHandler');
var apiCaller = require('./apicalls').apiCaller;
var settings = require("../../utils/Settings");
var swaggerModels = {
'models': {
'SessionInfo' : {
"id": 'SessionInfo',
"properties": {
"id": {
"type": "string"
},
"authorID": {
"type": "string"
},
"groupID":{
"type":"string"
},
"validUntil":{
"type":"long"
}
}
},
'UserInfo' : {
"id": 'UserInfo',
"properties": {
"id": {
"type": "string"
},
"colorId": {
"type": "string"
},
"name":{
"type":"string"
},
"timestamp":{
"type":"long"
}
}
},
'Message' : {
"id": 'Message',
"properties": {
"text": {
"type": "string"
},
"userId": {
"type": "string"
},
"userName":{
"type":"string"
},
"time":{
"type":"long"
}
}
}
}
};
function sessionListResponseProcessor(res) {
if (res.data) {
var sessions = [];
for (var sessionId in res.data) {
var sessionInfo = res.data[sessionId];
sessionId["id"] = sessionId;
sessions.push(sessionInfo);
}
res.data = sessions;
}
return res;
}
// We'll add some more info to the API methods
var API = {
// Group
"group": {
"create" : {
"func" : "createGroup",
"description": "creates a new group",
"response": {"groupID":{"type":"string"}}
},
"createIfNotExistsFor" : {
"func": "createGroupIfNotExistsFor",
"description": "this functions helps you to map your application group ids to etherpad lite group ids",
"response": {"groupID":{"type":"string"}}
},
"delete" : {
"func": "deleteGroup",
"description": "deletes a group"
},
"listPads" : {
"func": "listPads",
"description": "returns all pads of this group",
"response": {"padIDs":{"type":"List", "items":{"type":"string"}}}
},
"createPad" : {
"func": "createGroupPad",
"description": "creates a new pad in this group"
},
"listSessions": {
"func": "listSessionsOfGroup",
"responseProcessor": sessionListResponseProcessor,
"description": "",
"response": {"sessions":{"type":"List", "items":{"type":"SessionInfo"}}}
},
"list": {
"func": "listAllGroups",
"description": "",
"response": {"groupIDs":{"type":"List", "items":{"type":"string"}}}
},
},
// Author
"author": {
"create" : {
"func" : "createAuthor",
"description": "creates a new author",
"response": {"authorID":{"type":"string"}}
},
"createIfNotExistsFor": {
"func": "createAuthorIfNotExistsFor",
"description": "this functions helps you to map your application author ids to etherpad lite author ids",
"response": {"authorID":{"type":"string"}}
},
"listPads": {
"func": "listPadsOfAuthor",
"description": "returns an array of all pads this author contributed to",
"response": {"padIDs":{"type":"List", "items":{"type":"string"}}}
},
"listSessions": {
"func": "listSessionsOfAuthor",
"responseProcessor": sessionListResponseProcessor,
"description": "returns all sessions of an author",
"response": {"sessions":{"type":"List", "items":{"type":"SessionInfo"}}}
},
// We need an operation that return a UserInfo so it can be picked up by the codegen :(
"getName" : {
"func": "getAuthorName",
"description": "Returns the Author Name of the author",
"responseProcessor": function(response) {
if (response.data) {
response["info"] = {"name": response.data.authorName};
delete response["data"];
}
},
"response": {"info":{"type":"UserInfo"}}
}
},
"session": {
"create" : {
"func": "createSession",
"description": "creates a new session. validUntil is an unix timestamp in seconds",
"response": {"sessionID":{"type":"string"}}
},
"delete" : {
"func": "deleteSession",
"description": "deletes a session"
},
// We need an operation that returns a SessionInfo so it can be picked up by the codegen :(
"info": {
"func": "getSessionInfo",
"description": "returns informations about a session",
"responseProcessor": function(response) {
// move this to info
if (response.data) {
response["info"] = response.data;
delete response["data"];
}
},
"response": {"info":{"type":"SessionInfo"}}
}
},
"pad": {
"listAll" : {
"func": "listAllPads",
"description": "list all the pads",
"response": {"padIDs":{"type":"List", "items": {"type" : "string"}}}
},
"createDiffHTML" : {
"func" : "createDiffHTML",
"description": "",
"response": {}
},
"create" : {
"func" : "createPad",
"description": "creates a new (non-group) pad. Note that if you need to create a group Pad, you should call createGroupPad"
},
"getText" : {
"func" : "getText",
"description": "returns the text of a pad",
"response": {"text":{"type":"string"}}
},
"setText" : {
"func" : "setText",
"description": "sets the text of a pad"
},
"getHTML": {
"func" : "getHTML",
"description": "returns the text of a pad formatted as HTML",
"response": {"html":{"type":"string"}}
},
"setHTML": {
"func" : "setHTML",
"description": "sets the text of a pad with HTML"
},
"getRevisionsCount": {
"func" : "getRevisionsCount",
"description": "returns the number of revisions of this pad",
"response": {"revisions":{"type":"long"}}
},
"getLastEdited": {
"func" : "getLastEdited",
"description": "returns the timestamp of the last revision of the pad",
"response": {"lastEdited":{"type":"long"}}
},
"delete": {
"func" : "deletePad",
"description": "deletes a pad"
},
"getReadOnlyID": {
"func" : "getReadOnlyID",
"description": "returns the read only link of a pad",
"response": {"readOnlyID":{"type":"string"}}
},
"setPublicStatus": {
"func": "setPublicStatus",
"description": "sets a boolean for the public status of a pad"
},
"getPublicStatus": {
"func": "getPublicStatus",
"description": "return true of false",
"response": {"publicStatus":{"type":"boolean"}}
},
"setPassword": {
"func": "setPassword",
"description": "returns ok or a error message"
},
"isPasswordProtected": {
"func": "isPasswordProtected",
"description": "returns true or false",
"response": {"passwordProtection":{"type":"boolean"}}
},
"authors": {
"func": "listAuthorsOfPad",
"description": "returns an array of authors who contributed to this pad",
"response": {"authorIDs":{"type":"List", "items":{"type" : "string"}}}
},