Release version 1.8.0

.dockerignore

@@ -0,0 +1,3 @@
+.hg
+settings.json
+src/node_modules

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 1.8
+* SECURITY: change referrer policy so that Etherpad addresses aren't leaked when links are clicked (discussion: https://github.com/ether/etherpad-lite/pull/3636)
+* SECURITY: set the "secure" flag for the session cookies when served over SSL. From now on it will not be possible to serve the same instance both in cleartext and over SSL
+
 # 1.8-beta.1
 * FEATURE: code was migrated to `async`/`await`, getting rid of a lot of callbacks (see https://github.com/ether/etherpad-lite/issues/3540)
 * FEATURE: support configuration via environment variables

docker/Dockerfile → Dockerfile

@@ -1,18 +1,12 @@
 # Etherpad Lite Dockerfile
 #
-# https://github.com/ether/etherpad-docker
+# https://github.com/ether/etherpad-lite
 #
 # Author: muxator
-#
-# Version 0.1
 
 FROM node:10-buster-slim
 LABEL maintainer="Etherpad team, https://github.com/ether/etherpad-lite"
 
-# git hash of the version to be built.
-# If not given, build the latest development version.
-ARG ETHERPAD_VERSION=develop
-
 # plugins to install while building the container. By default no plugins are
 # installed.
 # If given a value, it has to be a space-separated, quoted list of plugin names.
@@ -25,24 +19,20 @@ ARG ETHERPAD_PLUGINS=
 # this can be done with build args (and is mandatory to build ARM version)
 ENV NODE_ENV=development
 
-# grab the ETHERPAD_VERSION tarball from github (no need to clone the whole
-# repository)
-RUN echo "Getting version: ${ETHERPAD_VERSION}" && \
-	curl \
-		--location \
-		--fail \
-		--silent \
-		--show-error \
-		--output /opt/etherpad-lite.tar.gz \
-		https://github.com/ether/etherpad-lite/archive/"${ETHERPAD_VERSION}".tar.gz && \
-	mkdir /opt/etherpad-lite && \
-	tar xf /opt/etherpad-lite.tar.gz \
-		--directory /opt/etherpad-lite \
-		--strip-components=1 && \
-	rm /opt/etherpad-lite.tar.gz
+# Follow the principle of least privilege: run as unprivileged user.
+#
+# Running as non-root enables running this image in platforms like OpenShift
+# that do not allow images running as root.
+RUN useradd --uid 5001 --create-home etherpad
+
+RUN mkdir /opt/etherpad-lite && chown etherpad:etherpad /opt/etherpad-lite
+
+USER etherpad:etherpad
 
 WORKDIR /opt/etherpad-lite
 
+COPY --chown=etherpad:etherpad ./ ./
+
 # install node dependencies for Etherpad
 RUN bin/installDeps.sh && \
 	rm -rf ~/.npm/_cacache
@@ -54,18 +44,7 @@ RUN bin/installDeps.sh && \
 RUN for PLUGIN_NAME in ${ETHERPAD_PLUGINS}; do npm install "${PLUGIN_NAME}"; done
 
 # Copy the configuration file.
-COPY ./settings.json /opt/etherpad-lite/
-
-# Follow the principle of least privilege: run as unprivileged user.
-#
-# Running as non-root enables running this image in platforms like OpenShift
-# that do not allow images running as root.
-RUN \
-    echo 'etherpad:x:65534:65534:etherpad:/:' > /etc/passwd && \
-    echo 'etherpad:x:65534:' > /etc/group && \
-    chown -R etherpad:etherpad ./
-
-USER etherpad
+COPY --chown=etherpad:etherpad ./settings.json.docker /opt/etherpad-lite/settings.json
 
 EXPOSE 9001
 CMD ["node", "node_modules/ep_etherpad-lite/node/server.js"]

README.md

@@ -1,4 +1,5 @@
 # A real-time collaborative editor for the web
+<a href="https://hub.docker.com/r/etherpad/etherpad"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/etherpad/etherpad"></a>
 ![Demo Etherpad Animated Jif](https://i.imgur.com/zYrGkg3.gif "Etherpad in action")
 
 # About
@@ -61,6 +62,10 @@ If cloning to a subdirectory within another project, you may need to do the foll
 2. Edit the db `filename` in `settings.json` to the relative directory with the file (e.g. `application/lib/etherpad-lite/var/dirty.db`)
 3. Add auto-generated files to the main project `.gitignore`
 
+## Docker container
+
+Find [here](doc/docker.md) information on running Etherpad in a container.
+
 # Next Steps
 
 ## Tweak the settings

bin/cleanRun.sh

@@ -9,7 +9,7 @@ if [ -d "../bin" ]; then
 fi
 
 ignoreRoot=0
-for ARG in $*
+for ARG in "$@"
 do
   if [ "$ARG" = "--root" ]; then
     ignoreRoot=1
@@ -32,10 +32,10 @@ fi
 rm -rf src/node_modules
 
 #Prepare the environment
-bin/installDeps.sh $* || exit 1
+bin/installDeps.sh "$@" || exit 1
 
 #Move to the node folder and start
 echo "Started Etherpad..."
 
 SCRIPTPATH=`pwd -P`
-node "${SCRIPTPATH}/node_modules/ep_etherpad-lite/node/server.js" $*
+node "${SCRIPTPATH}/node_modules/ep_etherpad-lite/node/server.js" "$@"

bin/debugRun.sh

@@ -17,4 +17,4 @@ echo "Open 'chrome://inspect' on Chrome to start debugging."
 
 #Use 0.0.0.0 to allow external connections to the debugger
 #(ex: running Etherpad on a docker container). Use default port # (9229)
-node --inspect=0.0.0.0:9229 node_modules/ep_etherpad-lite/node/server.js $*
+node --inspect=0.0.0.0:9229 node_modules/ep_etherpad-lite/node/server.js "$@"

bin/installDeps.sh

@@ -83,7 +83,7 @@ require_minimal_version "nodejs" "$NODE_VERSION_STRING" "$REQUIRED_NODE_MAJOR" "
 #Get the name of the settings file
 settings="settings.json"
 a='';
-for arg in $*; do
+for arg in "$@"; do
   if [ "$a" = "--settings" ] || [ "$a" = "-s" ]; then settings=$arg; fi
   a=$arg
 done

bin/run.sh

@@ -9,7 +9,7 @@ if [ -d "../bin" ]; then
 fi
 
 ignoreRoot=0
-for ARG in $*
+for ARG in "$@"
 do
   if [ "$ARG" = "--root" ]; then
     ignoreRoot=1
@@ -29,11 +29,11 @@ if [ "$(id -u)" -eq 0 ] && [ $ignoreRoot -eq 0 ]; then
 fi
 
 #Prepare the environment
-bin/installDeps.sh $* || exit 1
+bin/installDeps.sh "$@" || exit 1
 
 #Move to the node folder and start
 echo "Started Etherpad..."
 
 SCRIPTPATH=`pwd -P`
-exec node "$SCRIPTPATH/node_modules/ep_etherpad-lite/node/server.js" $*
+exec node "$SCRIPTPATH/node_modules/ep_etherpad-lite/node/server.js" "$@"
 

docker/README.md → doc/docker.md

@@ -1,79 +1,60 @@
-# Docker image
+# Docker
 
-This directory contains the files that are used to build the official Docker image on https://hub.docker.com/r/etherpad/etherpad.
+The official Docker image is available on https://hub.docker.com/r/etherpad/etherpad.
 
-# Downloading from Docker Hub
+## Downloading from Docker Hub
 If you are ok downloading a [prebuilt image from Docker Hub](https://hub.docker.com/r/etherpad/etherpad), these are the commands:
 ```bash
 # gets the latest published version
 docker pull etherpad/etherpad
 
 # gets a specific version
-docker pull etherpad/etherpad:1.7.5
+docker pull etherpad/etherpad:1.8.0
 ```
 
-# Build a personalized container
+## Build a personalized container
 
 If you want to use a personalized settings file, **you will have to rebuild your image**.
 All of the following instructions are as a member of the `docker` group.
 
-## Rebuilding with custom settings
-Prepare your custom `settings.json` file:
-```bash
-cd <BASEDIR>/docker
-cp ../settings.json.template settings.json
-[ further edit your settings.json as needed]
-```
+### Rebuilding with custom settings
+Edit `<BASEDIR>/settings.json.docker` at your will. When rebuilding the image, this file will be copied inside your image and renamed to `setting.json`.
 
 **Each configuration parameter can also be set via an environment variable**, using the syntax `"${ENV_VAR}"` or `"${ENV_VAR:default_value}"`. For details, refer to `settings.json.template`.
 
-## Rebuilding including some plugins
+### Rebuilding including some plugins
 If you want to install some plugins in your container, it is sufficient to list them in the ETHERPAD_PLUGINS build variable.
 The variable value has to be a space separated, double quoted list of plugin names (see examples).
 
-Some plugins will need personalized settings in the `settings.json` file. Just refer to the previous section, and include them in your custom `settings.json`.
+Some plugins will need personalized settings. Just refer to the previous section, and include them in your custom `settings.json.docker`.
 
-## Examples
+### Examples
 
-Build the latest development version:
+Build a Docker image from the currently checked-out code:
 ```bash
 docker build --tag <YOUR_USERNAME>/etherpad .
 ```
 
-Build the latest stable version:
-```bash
-docker build --build-arg ETHERPAD_VERSION=master --build-arg NODE_ENV=production --tag <YOUR_USERNAME>/etherpad .
-```
-
-Build a specific tagged version:
-```bash
-docker build --build-arg ETHERPAD_VERSION=1.7.5 --build-arg NODE_ENV=production --tag <YOUR_USERNAME>/etherpad .
-```
-
-Build a specific git hash:
-```bash
-docker build --build-arg ETHERPAD_VERSION=4c45ac3cb1ae --tag <YOUR_USERNAME>/etherpad .
-```
-
 Include two plugins in the container:
 ```bash
 docker build --build-arg ETHERPAD_PLUGINS="ep_codepad ep_author_neat" --tag <YOUR_USERNAME>/etherpad .
 ```
 
-# Running your instance:
+## Running your instance:
 
 To run your instance:
 ```bash
-docker run --detach --publish <DESIDERED_PORT>:9001 <YOUR_USERNAME>/etherpad
+docker run --detach --publish <DESIRED_PORT>:9001 <YOUR_USERNAME>/etherpad
 ```
 
-And point your browser to `http://<YOUR_IP>:<DESIDERED_PORT>`
+And point your browser to `http://<YOUR_IP>:<DESIRED_PORT>`
 
-# Options available by default
+## Options available by default
 
-The `settings.json` available by default enables some configuration to be set from the environment.
+The `settings.json.docker` available by default enables some configuration to be set from the environment.
 
 Available options:
+
 * `TITLE`: The name of the instance
 * `FAVICON`: favicon default name, or a fully specified URL to your own favicon
 * `SKIN_NAME`: either `no-skin`, `colibris` or an existing directory under `src/static/skins`.
@@ -90,9 +71,10 @@ Available options:
 * `DB_FILENAME`: in case `DB_TYPE` is `DirtyDB`, the database filename. Default: `var/dirty.db`
 * `ADMIN_PASSWORD`: the password for the `admin` user (leave unspecified if you do not want to create it)
 * `USER_PASSWORD`: the password for the first user `user` (leave unspecified if you do not want to create it)
+* `TRUST_PROXY`: set to `true` if you are using a reverse proxy in front of Etherpad (for example: Traefik for SSL termination via Let's Encrypt). This will affect security and correctness of the logs if not done
 * `LOGLEVEL`: valid values are `DEBUG`, `INFO`, `WARN` and `ERROR`
 
-## Examples
+### Examples
 
 Use a Postgres database, no admin user enabled:
 

doc/index.md

@@ -1,6 +1,7 @@
 @include documentation
 @include stats
 @include localization
+@include docker
 @include skins
 @include api/api
 @include plugins

docker/settings.json → settings.json.docker

@@ -1,3 +1,12 @@
+/**
+ * THIS IS THE SETTINGS FILE THAT IS COPIED INSIDE THE DOCKER CONTAINER.
+ *
+ * By default, some runtime customizations are supported (see the
+ * documentation).
+ *
+ * If you need more control, edit this file and rebuild the container.
+ */
+
 /*
  * This file must be valid JSON. But comments are allowed
  *
@@ -278,8 +287,14 @@
 
   /*
    * When you use NGINX or another proxy/load-balancer set this to true.
+   *
+   * This is especially necessary when the reverse proxy performs SSL
+   * termination, otherwise the cookies will not have the "secure" flag.
+   *
+   * The other effect will be that the logs will contain the real client's IP,
+   * instead of the reverse proxy's IP.
    */
-  "trustProxy": false,
+  "trustProxy": "${TRUST_PROXY:false}",
 
   /*
    * Privacy: disable IP logging

settings.json.template

@@ -290,6 +290,12 @@
 
   /*
    * When you use NGINX or another proxy/load-balancer set this to true.
+   *
+   * This is especially necessary when the reverse proxy performs SSL
+   * termination, otherwise the cookies will not have the "secure" flag.
+   *
+   * The other effect will be that the logs will contain the real client's IP,
+   * instead of the reverse proxy's IP.
    */
   "trustProxy": false,
 

src/locales/ml.json

@@ -8,7 +8,8 @@
 			"Santhosh.thottingal",
 			"Nesi",
 			"Jinoytommanjaly",
-			"Ambadyanands"
+			"Ambadyanands",
+			"Adithyak1997"
 		]
 	},
 	"index.newPad": "പുതിയ പാഡ്",
@@ -93,6 +94,7 @@
 	"pad.chat": "തത്സമയസംവാദം",
 	"pad.chat.title": "ഈ പാഡിന്റെ തത്സമയസംവാദം തുറക്കുക.",
 	"pad.chat.loadmessages": "കൂടുതൽ സന്ദേശങ്ങൾ എടുക്കുക",
+	"pad.chat.writeMessage.placeholder": "താങ്കളുടെ സന്ദേശങ്ങൾ ഇവിടെ കുറിക്കുക",
 	"timeslider.pageTitle": "{{appTitle}} സമയരേഖ",
 	"timeslider.toolbar.returnbutton": "പാഡിലേക്ക് മടങ്ങുക",
 	"timeslider.toolbar.authors": "രചയിതാക്കൾ:",

src/node/hooks/express.js

@@ -76,6 +76,15 @@ exports.restartServer = function () {
     // https://github.com/ether/etherpad-lite/issues/2547
     res.header("X-UA-Compatible", "IE=Edge,chrome=1");
 
+    // Enable a strong referrer policy. Same-origin won't drop Referers when
+    // loading local resources, but it will drop them when loading foreign resources.
+    // It's still a last bastion of referrer security. External URLs should be
+    // already marked with rel="noreferer" and user-generated content pages are already
+    // marked with <meta name="referrer" content="no-referrer">
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+    // https://github.com/ether/etherpad-lite/pull/3636
+    res.header("Referrer-Policy", "same-origin");
+
     // send git version in the Server response header if exposeVersion is true.
     if (settings.exposeVersion) {
       res.header("Server", serverName);

src/node/hooks/express/socketio.js

@@ -16,7 +16,28 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   // e.g. XHR is disabled in IE by default, so in IE it should use jsonp-polling
   var io = socketio({
     transports: settings.socketTransportProtocols
-  }).listen(args.server);
+  }).listen(args.server, {
+    /*
+     * Do not set the "io" cookie.
+     *
+     * The "io" cookie is created by socket.io, and its purpose is to offer an
+     * handle to perform load balancing with session stickiness when the library
+     * falls back to long polling or below.
+     *
+     * In Etherpad's case, if an operator needs to load balance, he can use the
+     * "express_sid" cookie, and thus "io" is of no use.
+     *
+     * Moreover, socket.io API does not offer a way of setting the "secure" flag
+     * on it, and thus is a liability.
+     *
+     * Let's simply nuke "io".
+     *
+     * references:
+     *   https://socket.io/docs/using-multiple-nodes/#Sticky-load-balancing
+     *   https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
+     */
+    cookie: false,
+  });
 
   /* Require an express session cookie to be present, and load the
    * session. See http://www.danielbaulig.de/socket-ioexpress for more