1.8.17

Security fixes

• Fixed a vunlerability in the CHANGESET_REQ message handler that allowed a user with any access to read any pad if the pad ID is known.

Notable enhancements and fixes

• Fixed a bug that caused all pad edit messages received at the server to go through a single queue. Now there is a separate queue per pad as intended, which should reduce message processing latency when many pads are active at the same time.

1.8.16

Security fixes

This release includes fixes for GHSA-w3g3-qf3g-2mqc (CVE-2021-43802).

If you cannot upgrade to v1.8.16 for some reason, you are encouraged to try cherry-picking the fixes to the version you are running:

git cherry-pick b7065eb9a0ec..77bcb507b30e

• Maliciously crafted .etherpad files can no longer overwrite arbitrary non-pad database records when imported.
• Imported .etherpad files are now subject to numerous consistency checks before any records are written to the database. This should help avoid denial-of-service attacks via imports of malformed .etherpad files.

Notable enhancements and fixes

• Fixed several .etherpad import bugs.
• Improved support for large .etherpad imports.

1.8.15

Security fixes

• Fixed leak of the writable pad ID when exporting from the pad's read-only ID. This only matters if you treat the writeable pad IDs as secret (e.g., you are not using ep_padlist2) and you share the pad's read-only ID with untrusted users. Instead of treating writeable pad IDs as secret, you are encouraged to take advantage of Etherpad's authentication and authorization mechanisms (e.g., use ep_openid_connect with ep_readonly_guest, or write your own authentication and authorization plugins).
• Updated dependencies.

Compatibility changes

• The logconfig setting is deprecated.

For plugin authors

• Etherpad now uses jsdom instead of cheerio for processing HTML imports. There are two consequences of this change:
  • require('ep_etherpad-lite/node_modules/cheerio') no longer works. To fix, your plugin should directly depend on cheerio and do require('cheerio').
  • The collectContentImage hook's node context property is now an HTMLImageElement object rather than a Cheerio Node-like object, so the API is slightly different. See citizenos/ep_image_upload#49 for an example fix.
• The clientReady server-side hook is deprecated; use the new userJoin hook instead.
• The init_<pluginName> server-side hooks are now run every time Etherpad starts up, not just the first time after the named plugin is installed.
• The userLeave server-side hook's context properties have changed:
  • auth: Deprecated.
  • author: Deprecated; use the new authorId property instead.
  • readonly: Deprecated; use the new readOnly property instead.
  • rev: Deprecated.
• Changes to the src/static/js/Changeset.js library:
  • opIterator(): The unused start index parameter has been removed, as has the unused lastIndex() method on the returned object.
  • smartOpAssembler(): The returned object's appendOpWithText() method is deprecated without a replacement available to plugins (if you need one, let us know and we can make the private opsFromText() function public).
  • Several functions that should have never been public are no longer exported: applyZip(), assert(), clearOp(), cloneOp(), copyOp(), error(), followAttributes(), opString(), stringOp(), textLinesMutator(), toBaseTen(), toSplices().

Notable enhancements and fixes

• Accessibility fix for JAWS screen readers.
• Fixed "clear authorship" error (see issue #5128).
• Etherpad now considers square brackets to be valid URL characters.
• The server no longer crashes if an exception is thrown while processing a message from a client.
• The useMonospaceFontGlobal setting now works (thanks @Lastpixl!).
• Chat improvements:
  • The message input field is now a text area, allowing multi-line messages (use shift-enter to insert a newline).
  • Whitespace in chat messages is now preserved.
• Docker improvements:
  • New HEALTHCHECK instruction (thanks @Gared!).
  • New settings.json variables: DB_COLLECTION, DB_URL, SOCKETIO_MAX_HTTP_BUFFER_SIZE, DUMP_ON_UNCLEAN_EXIT (thanks @JustAnotherArchivist!).
  • .ep_initialized files are no longer created.
• Worked around a Firefox Content Security Policy bug that caused CSP failures when 'self' was in the CSP header. See issue #4975 for details.
• UeberDB upgraded from v1.4.10 to v1.4.18. For details, see the ueberDB changelog. Highlights:
  • The postgrespool driver was renamed to postgres, replacing the old driver of that name. If you used the old postgres driver, you may see an increase in the number of database connections.
  • For postgres, you can now set the dbSettings value in settings.json to a connection string (e.g., "postgres://user:password@host/dbname") instead of an object.
  • For mongodb, the dbName setting was renamed to database (but dbName still works for backwards compatibility) and is now optional (if unset, the database name in url is used).
• /admin/settings now honors the --settings command-line argument.
• Fixed "Author X tried to submit changes as author Y" detection.
• Error message display improvements.
• Simplified pad reload after importing an .etherpad file.

For plugin authors

• clientVars was added to the context for the postAceInit client-side hook. Plugins should use this instead of the clientVars global variable.
• New userJoin server-side hook.
• The userLeave server-side hook has a new socket context property.
• The helper.aNewPad() function (accessible to client-side tests) now accepts hook functions to inject when opening a pad. This can be used to test any new client-side hooks your plugin provides.
• Chat improvements:
  • The chatNewMessage client-side hook context has new properties:
    • message: Provides access to the raw message object so that plugins can see the original unprocessed message text and any added metadata.
    • rendered: Allows plugins to completely override how the message is rendered in the UI.
  • New chatSendMessage client-side hook that enables plugins to process the text before sending it to the server or augment the message object with custom metadata.
  • New chatNewMessage server-side hook to process new chat messages before they are saved to the database and relayed to users.
• Readability improvements to browser-side error stack traces.
• Added support for socket.io message acknowledgments.

1.8.14

1.8.14

Security fixes

• Fixed a persistent XSS vulnerability in the Chat component. In case you can't update to 1.8.14 directly, we strongly recommend to cherry-pick a796811. Thanks to sonarsource for the professional disclosure.

Compatibility changes

• Node.js v12.13.0 or later is now required.
• The favicon setting is now interpreted as a pathname to a favicon file, not a URL. Please see the documentation comment in settings.json.template.
• The undocumented faviconPad and faviconTimeslider settings have been removed.
• MySQL/MariaDB now uses connection pooling, which means you will see up to 10 connections to the MySQL/MariaDB server (by default) instead of 1. This might cause Etherpad to crash with a "ER_CON_COUNT_ERROR: Too many connections" error if your server is configured with a low connection limit.
• Changes to environment variable substitution in settings.json (see the documentation comments in settings.json.template for details):
• An environment variable set to the string "null" now becomes null instead of the string "null". Similarly, if the environment variable is unset and the default value is "null" (e.g., "${UNSET_VAR:null}"), the value now becomes null instead of the string "null". It is no longer possible to produce the string "null" via environment variable substitution.
• An environment variable set to the string "undefined" now causes the setting to be removed instead of set to the string "undefined". Similarly, if the environment variable is unset and the default value is "undefined" (e.g., "${UNSET_VAR:undefined}"), the setting is now removed instead of set to the string "undefined". It is no longer possible to produce the string "undefined" via environment variable substitution.
• Support for unset variables without a default value is now deprecated. Please change all instances of "${FOO}" in your settings.json to ${FOO:null} to keep the current behavior.
• The DB_* variable substitutions in settings.json.docker that previously defaulted to null now default to "undefined".
• Calling next without argument when using Changeset.opIterator does always return a new Op. See b9753dc for details.

Notable enhancements and fixes

• MySQL/MariaDB now uses connection pooling, which should improve stability and reduce latency.
• Bulk database writes are now retried individually on write failure.
• Minify: Avoid crash due to unhandled Promise rejection if stat fails.
• padIds are now included in /socket.io query string, e.g. https://video.etherpad.com/socket.io/?padId=AWESOME&EIO=3&transport=websocket&t=...&sid=.... This is useful for directing pads to separate socket.io nodes.
• <script> elements added via aceInitInnerdocbodyHead hook are now executed.
• Fix read only pad access with authentication.
• Await more db writes.
• Disabled wtfnode dump by default.
• Send USER_NEWINFO messages on reconnect.
• Fixed loading in a hidden iframe.
• Fixed a race condition with composition. (Thanks @ingoncalves for an exceptionally detailed analysis and @rhansen for the fix.)

1.8.13

1.8.13

Notable fixes

• Fixed a bug in the safeRun.sh script (#4935)
• Add more endpoints that do not need authentication/authorization (#4921)
• Fixed issue with non-opening device keyboard on smartphones (#4929)
• Add version string to iframe_editor.css to prevent stale cache entry (#4964)

Notable enhancements

• Refactor pad loading (no document.write anymore) (#4960)
• Improve import/export functionality, logging and tests (#4957)
• Refactor CSS manager creation (#4963)
• Better metrics
• Add test for client height (#4965)

Dependencies

• ueberDB2 1.3.2 -> 1.4.4
• express-rate-limit 5.2.5 -> 5.2.6
• etherpad-require-kernel 1.0.9 -> 1.0.11

1.8.12

Special mention: Thanks to Sauce Labs for additional testing tunnels to help us grow! :)

Security patches

• Fixed a regression in v1.8.11 which caused some pad names to cause Etherpad to restart.

Notable fixes

• Fixed a bug in the dirty database driver that sometimes caused Node.js to crash during shutdown and lose buffered database writes.
• Fixed a regression in v1.8.8 that caused "Uncaught TypeError: Cannot read property '0' of undefined" with some plugins (#4885)
• Less warnings in server console for supported element types on import.
• Support Azure and other network share installations by using a more truthful relative path.

Notable enhancements

• Dependency updates
• Various Docker deployment improvements
• Various new translations
• Improvement of rendering of plugin hook list and error message handling

1.8.11

Notable fixes

• Fix server crash issue within PadMessageHandler due to SocketIO handling
• Fix editor issue with drop downs not being visible
• Ensure correct version is passed when loading front end resources
• Ensure underscore and jquery are available in original location for plugin comptability

Notable enhancements

• Improved page load speeds

1.8.10

Security Patches

• Resolve potential ReDoS vulnerability in your project - GHSL-2020-359

Compatibility changes

• JSONP API has been removed in favor of using the mature OpenAPI implementation.
• Node 14 is now required for Docker Deployments

Notable fixes

• Various performance and stability fixes

Notable enhancements

• Improved line number alignment and user experience around line anchors
• Notification to admin console if a plugin is missing during user file import
• Beautiful loading and reconnecting animation
• Additional code quality improvements
• Dependency updates

1.8.9

Notable fixes

• Fixed HTTP 400 error when importing via the UI.
• Fixed "Error: spawn npm ENOENT" crash on startup in Windows.

Notable enhancements

• Removed some unnecessary arrow key handling logic.
• Dependency updates.

1.8.8

Security patches

• EJS has been updated to 3.1.6 to mitigate an Arbitrary Code Injection

Compatibility changes

• Node.js 10.17.0 or newer is now required.

• The bin/ and tests/ directories were moved under src/. Symlinks were
  added at the old locations to hopefully avoid breaking user scripts and other
  tools.

• Dependencies are now installed with the --no-optional flag to speed
  installation. Optional dependencies such as sqlite3 must now be manually
  installed (e.g., (cd src && npm i sqlite3)).

• Socket.IO messages are now limited to 10K bytes to make denial of service
  attacks more difficult. This may cause issues when pasting large amounts of
  text or with plugins that send large messages (e.g., ep_image_upload). You
  can change the limit via settings.json; see socketIo.maxHttpBufferSize.

• The top-level package.json file, added in v1.8.7, has been removed due to
  problematic npm behavior. Whenever you install a plugin you will see the
  following benign warnings that can be safely ignored:

  npm WARN saveError ENOENT: no such file or directory, open '.../package.json'
  npm WARN enoent ENOENT: no such file or directory, open '.../package.json'
  npm WARN develop No description
  npm WARN develop No repository field.
  npm WARN develop No README data
  npm WARN develop No license field.
  

Notable enhancements

• You can now generate a link to a specific line number in a pad. Appending
  #L10 to a pad URL will cause your browser to scroll down to line 10.
• Database performance is significantly improved.
• Admin UI now has test coverage in CI. (The tests are not enabled by default;
  see settings.json.)
• New stats/metrics: activePads, httpStartTime, lastDisconnected,
  memoryUsageHeap.
• Improved import UX.
• Browser caching improvements.
• Users can now pick absolute white (#fff) as their color.
• The settings.json template used for Docker images has new variables for
  controlling rate limiting.
• Admin UI now has test coverage in CI. (The tests are not enabled by default
  because the admin password is required; see settings.json.)
• For plugin authors:
  • New callAllSerial() function that invokes hook functions like callAll()
    except it supports asynchronous hook functions.
  • callFirst() and aCallFirst() now support the same wide range of hook
    function behaviors that callAll(), aCallAll(), and callAllSerial()
    support. Also, they now warn when a hook function misbehaves.
  • The following server-side hooks now support asynchronous hook functions:
    expressConfigure, expressCreateServer, padCopy, padRemove
  • Backend tests for plugins can now use the
    ep_etherpad-lite/tests/backend/common
    module to start the server and simplify API access.
  • The checkPlugins.js script now automatically adds GitHub CI test coverage
    badges for backend tests and npm publish.

Notable fixes

• Enter key now stays in focus when inserted at bottom of viewport.
• Numbering for ordered list items now properly increments when exported to
  text.
• Suppressed benign socket.io connection errors
• Interface no longer loses color variants on disconnect/reconnect event.
• General code quality is further significantly improved.
• Restarting Etherpad via /admin actions is more robust.
• Improved reliability of server shutdown and restart.
• No longer error if no buttons are visible.
• For plugin authors:
  • Fixed collectContentLineText return value handling.