mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-17 16:47:05 +00:00
* security: allow integrator sessionID cookie to be HttpOnly (#7045) The integrator-set sessionID cookie was forced to be non-HttpOnly because Etherpad's own client JS read it via document.cookie and forwarded it in the socket.io CLIENT_READY payload, exposing it to XSS. Mirror the GDPR PR3 author-token migration: read sessionID from the socket.io handshake's Cookie header in PadMessageHandler.handleClientReady, falling back to the legacy message-level field with a one-time deprecation warning per socket. Drop the client-side Cookies.get('sessionID') reads in pad.ts and timeslider.ts so the field is no longer sent by current clients. Existing integrators that set sessionID without HttpOnly keep working unchanged; the field on the message becomes optional and integrators should now mark the cookie HttpOnly; Secure; SameSite=Lax. Closes #7045 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(security): treat undecodable handshake cookies as absent (Qodo #7755) decodeURIComponent() throws URIError on malformed values like `%ZZ`. The unguarded call in PadMessageHandler.handleClientReady's readCookie() let a single bad cookie abort CLIENT_READY for that socket, allowing unauthenticated peers to spam server error logs and lock themselves out of pads. Catch URIError and treat the value as absent so the legacy message-level field still serves as a fallback. Other error classes still propagate. Add a backend test that asserts a `sessionID=%ZZ` cookie no longer aborts the handshake. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| .vitepress | ||
| admin | ||
| api | ||
| assets | ||
| public | ||
| .gitignore | ||
| cli.md | ||
| cookies.adoc | ||
| cookies.md | ||
| database.adoc | ||
| demo.md | ||
| docker.adoc | ||
| docker.md | ||
| documentation.adoc | ||
| documentation.md | ||
| index.adoc | ||
| index.md | ||
| localization.adoc | ||
| localization.md | ||
| npm-trusted-publishing.md | ||
| package.json | ||
| PLUGIN_FEATURE_DISABLES.md | ||
| PLUGIN_FRONTEND_TESTS.md | ||
| plugins.adoc | ||
| plugins.md | ||
| privacy.md | ||
| skins.adoc | ||
| skins.md | ||
| stats.adoc | ||
| stats.md | ||