mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-05-24 20:14:35 -04:00
Remove PDF export
As we already declared in earlier versions, this patch removes PDF export entirely. It's not an acceptable security risk for every CodiMD instance.

The current implementation allowed to extract arbitrary files from the CodiMD host and therefore leaking secrets from a `/etc/passwd` to CodiMD's own config files and all secrets contained in it.

Thanks to Joona for finding this vulnerability in August last year, which led to an emergency disabling of PDF exports in 1.5.0.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
parent
37923d11f8
commit
a2522888b2
18 changed files with 5 additions and 99 deletions
|
@ -5,7 +5,7 @@ For code-autogeneration there is an OpenAPIv3-compatible description available [
|
|||
|
||||
## Notes
|
||||
These endpoints create notes, return information about them or export them.
|
||||
You have to replace _\<NOTE\>_ with either the alias or id of a note you want to work on.
|
||||
You have to replace _\<NOTE\>_ with either the alias or id of a note you want to work on.
|
||||
|
||||
| Endpoint | HTTP-Method | Description |
|
||||
|---|---|---|
|
||||
|
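Review bot: The one changed line in this hunk, "You have to replace _\<NOTE\>_ with either the alias or id of a note you want to work on.", reads the same before and after, so this looks like a whitespace-only edit riding along with a security removal. Consider moving it to a separate cleanup commit, or mentioning it in the commit message, so that anyone auditing or backporting the PDF export removal sees only the lines that belong to it.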
@ -13,7 +13,6 @@ You have to replace _\<NOTE\>_ with either the alias or id of a note you want to
|
|||
| `/new` | `POST` | **Imports some markdown data into a new note.**<br>A random id will be assigned and the content will equal to the body of the received HTTP-request. The `Content-Type: text/markdown` header should be set on this request. |
|
||||
| `/new/<ALIAS>` | `POST` | **Imports some markdown data into a new note with a given alias.**<br>This endpoint equals to the above one except that the alias from the url will be assigned to the note if [FreeURL-mode](../configuration-env-vars.md#users-and-privileges) is enabled. |
|
||||
| `/<NOTE>/download` or `/s/<SHORT-ID>/download` | `GET` | **Returns the raw markdown content of a note.** |
|
||||
| `/<NOTE>/pdf` | `GET` | **Returns a generated pdf version of the note.**<br>If pdf-support is disabled, a HTTP 403 will be returned.<br>_Please note: Currently pdf export is disabled generally because of a security problem with it._ |
|
||||
| `/<NOTE>/publish` | `GET` | **Redirects to the published version of the note.** |
|
||||
| `/<NOTE>/slide` | `GET` | **Redirects to the slide-presentation of the note.**<br>This is only useful on notes which are designed to be slides. |
|
||||
| `/<NOTE>/info` | `GET` | **Returns metadata about the note.**<br>This includes the title and description of the note as well as the creation date and viewcount. The data is returned as a JSON object. |
|
||||
|
|
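Review bot: Dropping the `/<NOTE>/pdf` row leaves the API documentation silent on what a client that still calls this endpoint will receive. The removed row promised "a HTTP 403 will be returned" when pdf-support is disabled, and existing integrations may rely on that. Suggest either keeping a one-line entry that marks the endpoint as removed and states the response callers now get, or adding a short removal note under this table, so operators can recognise leftover callers in their access logs and API consumers know the export will not return.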