Commit graph

5714 commits

Author SHA1 Message Date
Andras Timar
976ce69183 loleaflet: ' Save ' -> 'Save'
Change-Id: I23b24aeda989652b04c1759810b1801b041e0a6b
2017-04-13 12:16:03 +02:00
Miklos Vajna
4269fbbaa4 wsd: remove unused using declarations in LOOLWSD
Change-Id: Id8a7f94cef0ab34fb7d789adff92b9c822af62c2
2017-04-13 10:31:24 +02:00
Ashod Nakashian
ed51fafece wsd: DocBroker is Alive if not flagged to stop
There is a race between creating and adding
a DocBroker into the DocBrokers container
and cleanupDocBrokers is invoked (on timer)
before it had a chance to start its poll
thread. This is exceedingly rare, but it
has happened.

We check that _stop==false flag when deciding
isAlive such that cleanDocBrokers will
not remove it before its thread had
a chance to run (which would happen
after adding it and creating the
ClientSession).

Also, no point in checking isAlive from
the polling thread itself (of course it is
alive).

Change-Id: If54fe2b5fce0697ee0e2f38f1662c71105e29347
Reviewed-on: https://gerrit.libreoffice.org/36500
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-13 05:54:16 +02:00
Henry Castro
1a580cc993 wsd: add mime type image/png
IE11 requires explicit content-type image/png

Change-Id: Ie0a886bc9b6af50be788456a93583176788c5315
2017-04-12 22:11:23 -04:00
Henry Castro
b0c889f2d2 loleaflet: animate the new position of selected annotation
Change-Id: I47af4ac3ec01b03797a03dfcc91ec84f0fd39bb5
2017-04-12 17:24:48 -04:00
Henry Castro
44482615ca loleaflet: update PosAnimation.js file
Change-Id: I38a2643e67d1d341b486c987eb73dc5e5608a7cb
2017-04-12 17:24:48 -04:00
Andras Timar
1aeaf41999 loleaflet: updated pot files
Change-Id: I0a589a07bb5658c7b9b749c7184fa09c2e1a49de
2017-04-12 22:35:09 +02:00
Andras Timar
baa07c0997 loleaflet: src/control/Control.ContextMenu.js contains translatable strings
Change-Id: I4010eb296a1771f0e8fbfa5078b4847193cfc188
Reviewed-on: https://gerrit.libreoffice.org/36491
Reviewed-by: Andras Timar <andras.timar@collabora.com>
Tested-by: Andras Timar <andras.timar@collabora.com>
2017-04-12 22:26:43 +02:00
Jan Holesovsky
ba3b32aad1 Clean the cache even when the document was not modified.
And rename the option, to match better the existing tile cache setting.

Change-Id: Iea5c2c5628a403dd2dc3e2943cd858f40e2a2ebc
2017-04-12 20:04:30 +02:00
Marco Cecchetti
c651a69485 wsd - implemented an option to clean cache on doc close
Change-Id: I0bdb373efb93546527a168df2ed1c75539e95fe4
2017-04-12 19:00:25 +02:00
Jan Holesovsky
7b7c73f8be Align the Accept / Reject buttons with the kebab menu.
And few other improvements including:

* use svg instead of png for the menu
* add title (caption) for the Accept / Reject change.

Change-Id: Ic7e781d7e93d319f766b387a8eddfa70c1920760
2017-04-12 17:43:49 +02:00
Pranav Kant
699e8df9a7 Use CSP without WOPI host too
Fallback from b7eafb1e4a

Change-Id: I741a3f2320cfeec2250c10913871cf350861a39d
2017-04-12 19:58:19 +05:30
Pranav Kant
b7eafb1e4a Move CSP to response headers from meta tag in html
Some older browsers don't have meta tag support for CSP. Let's put all of
the CSP in response headers to be compatible with oldies.

Change-Id: I7f0d7c294e492b3c69ebea6fbd820d6558b9c3b3
2017-04-12 19:24:51 +05:30
Jan Holesovsky
f5a69785de _initialCenter is now unused.
Change-Id: Ie9442168bc6075574b6d83bf0558b0c4983b2361
2017-04-12 14:39:15 +02:00
Pranav Kant
336ac4d6d1 loleaflet: Grid/selection/caret is sometimes displaced
This is actually not a displaced cursor, but displaced tiles map pane.
It happens when the user refreshes the document page and
before the document finishes loading, switches to some other tab and
then gets back to the document when the document load finishes. In such
circumstances, due to browsers not emitting the 'resize' event (probably
because it didn't have the focus when the map loaded) we return
incorrect/unexpected map center. Because 'resize' event sets this._initialCenter to
null, so map.getCenter() never returns this._initialCenter and instead
returns this.layerPointToLatLng(this._getCenterLayerPoint()) which seems
to be the correct thing to return here.

The reason that the displaced cursor is not
observed when user doesn't switch to other tabs is because of the
browsers emitting the 'resize' event before we set the map transforms.
Nevertheless, in some circumstances it is quite possible that this
event, 'resize', is processed after we set the transforms even though
user hasn't switched the tabs but probability of this is very low which
justifies this bug's hard-to-reproduce nature when user doesn't change
the tabs.

Instead of making sure that 'resize' event is triggered before we set
the transforms, removing this block of code that returns unexpected
return value (which we never seem to use anywhere anyhow) seems more
sensible thing to do.

Change-Id: Iff532a902e6100be7f39c204cbf2f28f1a7f6a49
Reviewed-on: https://gerrit.libreoffice.org/36458
Reviewed-by: pranavk <pranavk@collabora.co.uk>
Tested-by: pranavk <pranavk@collabora.co.uk>
2017-04-12 13:53:58 +02:00
Miklos Vajna
4dbdd72bc2 wsd: avoid std::string::compare() in FileServer
When we are just interested in equality. compare() is more meant for
sorting functions where negative/zero/positive return value is useful.

Change-Id: I11138a14dc08e23d33f3848aeb734d9f56f3e9f7
2017-04-12 13:46:09 +02:00
Ashod Nakashian
1752dd74d6 wsd: avoid miscounting outstanding child forks
The number of outstanding child forks can
become negative if more children are
spawned than requested.

This prevents such a scenario from
permanently preventing WSD from spawning
new children, which happens when
OutstandingForks is negative.

Change-Id: Ief1e56d7b4a079e097ca2d18bd90a01d935f6b30
Reviewed-on: https://gerrit.libreoffice.org/36437
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-12 06:11:05 +02:00
Henry Castro
75e06f7687 loleaflet: fix position when adding new annotation
Change-Id: I267df778715cb9f60c1b62c52ed405fd78ade8f9
2017-04-11 20:39:40 -04:00
Miklos Vajna
08989a12ac wsd: avoid use-after-free in ClientSession
Commit 1e1f23716c fixed this already by
introducing by-value parameters, but
8a1f321c84 broke it. Fix this again, this
time more explicitly.

Change-Id: If29250ac2e99855796935b5cc05ccb222f8a4ad5
Reviewed-on: https://gerrit.libreoffice.org/36436
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Michael Meeks <michael.meeks@collabora.com>
2017-04-11 23:20:08 +02:00
Miklos Vajna
8a1f321c84 DocumentBroker: avoid unnecessary copying
Change-Id: Iaa555ed8e347d0e1712c617839f007d0b4f3204b
2017-04-11 08:54:28 +02:00
Henry Castro
7521e9bb91 loleaflet: add line between the currently selected comment ...
and the associated selection

Change-Id: I58d548f78e9d6594336abed8e77993d2fafe867e
2017-04-10 21:43:42 -04:00
Henry Castro
4db4ecd680 loleaflet: save comment if exists changes
Change-Id: Ided5cc2f60ae14863e6462e400735e291f1b54a5
2017-04-10 20:52:41 -04:00
Pranav Kant
4d6b338bf0 security: Stricter Referrer-Policy: no-referrer
I don't think we should leak our address
(which mostly is behind a WOPI host and end-user
has no idea of what host LibreOffice Online is running at) in the
Referer header. Let's be more strict here and don't leak our address
at all.

Change-Id: Ibc30e9b64e2e06e2e8d541c5f089320ecb11412b
2017-04-11 00:02:00 +05:30
Jan Holesovsky
e0f7c3fc67 Set the _owner even in the release builds.
We are warning about thread affinity even in the non-debug builds.

Change-Id: Ia91170765e9f4a29939dee847899345e9396d2c3
2017-04-10 14:55:04 +02:00
Pranav Kant
1437a060ec security: Implement HTTP Public key pinning
Though this guards the user against MITM attacks, but enabling this also
has the potential to brick your websites. So, do not use it/enable it
without understanding what it actually is.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

Though this should work, but I have not been able to test it because of
Firefox and Chrome's limitation/feature that key validation is not done
when certificate chain terminates at a user-defined trust anchor and I
couldn't find any way to temporarily enable the HPKP key validation for
such CA chains.

Change-Id: I64d4ff82b04c59642fa7b8bac2f8788a03950b28
Reviewed-on: https://gerrit.libreoffice.org/36357
Reviewed-by: pranavk <pranavk@collabora.co.uk>
Tested-by: pranavk <pranavk@collabora.co.uk>
2017-04-10 14:46:24 +02:00
Pranav Kant
74020e0f1f Revert "wsd: Fileserver cleanup"
This reverts commit de2bc17c04af088d9c7e18a97216b174494e1a9c.

Let's not introduce any cleanup commits while we are near a release, will
apply it again after the release. The cleanup is supposed to not handle
the custom file server root correctly, so don't forget to test it with
a custom file server root before re-reverting.

It changes the path where loleaflet.html is searched for from
/usr/share/loolwsd/loleaflet/... to /usr/share/loleaflet/...
and doesn't find it there.

Change-Id: I23940e9a3e06721f0a8b7493a526f42d2072cfa4
2017-04-10 15:26:05 +05:30
Pranav Kant
a0d7c33877 security: X-Frame-Options: Deny framing if no wopi host
Change-Id: I6936f8a11e3e076e111e0883305f47064e032983
2017-04-10 15:26:00 +05:30
Miklos Vajna
8958e1c767 wsd: make requestURI a const reference
It's copy-constructed from a const reference but is only used as const
reference.

Change-Id: I9a58561616bcfeff0c45803f3244f8e78d54731a
2017-04-10 10:44:14 +02:00
Ashod Nakashian
55180606f8 loleaflet: reconnect transparently the first time
Don't show the "This is embarrassing" popup before
first trying to reconnect at least once.

In most cases reconnection is successful transparently.

However, if necessary, we could add some delay to
reconnecting to give the server time to recover,
but without good reason for this complication it's
unwarranted. Server-recycling reconnections have
such a delay.

Change-Id: Ic8e32c451429a24f8362431672057145a492a23f
Reviewed-on: https://gerrit.libreoffice.org/36328
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:12:22 +02:00
Ashod Nakashian
fa2e2869cf wsd: logging cleanups
Change-Id: Ia06bc5b1e0090c8198ac4ba2b88d5e57f8e2b168
Reviewed-on: https://gerrit.libreoffice.org/36327
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:11:58 +02:00
Ashod Nakashian
9a761ffe68 wsd: clear the incoming buffer before upgrading to WS
There was an interesting race when we cleared the
inBuffer after the WS upgrade. Since during the
upgrade we also transfer the socket to the DocBroker,
which has its own poll thread, the DocBroker poll
could trigger a POLLIN event if data comes
while the handler (that is handling the WS upgrade
and transfer to DocBroker) hasn't got to the point
where it clears the inBuffer of the data we just
read (i.e. the HTTP GET request). Even if not
the case, after transferring a socket to another
poll thread the socket buffers should not be
touched.

Here we move the inBuffer clearing to be as soon
as we have successfully parsed the request and
are ready to process it.

Also, we don't clear the full buffer, in case
we had read into the buffer both the request
and the first message, if the thread was switched
out right after getting the POLLIN but before
reading from the socket, giving enough time to
receive more data and reading it together with
first read (which is the request).

Change-Id: I9888d4c2b70d2e433824818bbe7f69f13742486c
Reviewed-on: https://gerrit.libreoffice.org/36326
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:11:06 +02:00
Ashod Nakashian
bc41ad9bf9 wsd: remove outdated comment and simplify
Change-Id: I47e8b22708ab64ad95aa681407344686e6d4eb9d
Reviewed-on: https://gerrit.libreoffice.org/36325
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:10:30 +02:00
Ashod Nakashian
1312cdc918 wsd: fix testSlideShow to accept larger SVG exports
Change-Id: I29f0fb5b4573a7338e7244f8a1d2f9043223bc57
Reviewed-on: https://gerrit.libreoffice.org/36331
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:09:48 +02:00
Ashod Nakashian
cdb80e5632 wsd: assert valid socket where it counts
Change-Id: I19faa175066cab4e0435f6a8bf29e6b051c86420
Reviewed-on: https://gerrit.libreoffice.org/36330
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:09:21 +02:00
Ashod Nakashian
679a39eb0b wsd: send recycling message to clients before going down
Change-Id: I388ca55524983d554fabf247bb3baee23010657d
Reviewed-on: https://gerrit.libreoffice.org/36329
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:08:59 +02:00
Ashod Nakashian
51aa4a3344 wsd: reset the test start timer before the first assertions
So failing that first assert doesn't give bogus
test duration.

Change-Id: Iaad2e5654e1264bd126193205b5218fd0f6637ef
Reviewed-on: https://gerrit.libreoffice.org/36324
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:08:22 +02:00
Ashod Nakashian
0dab4b597d wsd: return the actual number of bytes written to WS
Change-Id: Ib28c432927733ffd437d27dec749d402d25b9024
Reviewed-on: https://gerrit.libreoffice.org/36323
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:07:59 +02:00
Ashod Nakashian
e00817acf6 wsd: fix pinging and add logs
Apparently pinging was enabled only when
_not_ WebSocket upgraded, which is wrong.

Removed sending ping immediately after
upgrading to WS as it's superfluous.

Change-Id: Ic8103bab063d87f58d371f0eab49f7b7530e2374
Reviewed-on: https://gerrit.libreoffice.org/36322
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:07:25 +02:00
Ashod Nakashian
2ad3cd4de1 wsd: don't call virtuals in dtors
Change-Id: I2490e2f63dc20cf6b3fa0be45341b041e3ccb1bf
Reviewed-on: https://gerrit.libreoffice.org/36321
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-04-10 06:06:27 +02:00
Pranav Kant
1ca873d57e security: X-XSS-Protection header
Change-Id: I050cba3ad8aeedaefa773d78254a3a37a7ddef30
2017-04-09 23:32:06 +05:30
Pranav Kant
61b7112aa7 security: X-Content-Type-Options: nosniff
Don't think it is necessary/useful to have this header at other places.
This is the most important and perhaps the only where presence of this
header is required and seems sensible to prevent potential attacks.

Change-Id: Iad318e4b83264ac83620b86a40a49e7384e4015e
2017-04-09 23:32:06 +05:30
Pranav Kant
49bd32c630 security: CORS: No need for this header
No idea why it was here in the first place, but download requests are
only made from frames with same origin, so there should be no need to
specify such headers which allow anyone (with other origins) to make
download requests to us.

Change-Id: I314a7ad4c6df8664b1d191cb88ae42c4248ff517
2017-04-09 23:32:06 +05:30
Pranav Kant
63631dff24 security: CSP: add frame-src 'self'
We need to be able to create iframes sometimes with same origin as ours,
eg: when loading the 'loading' page during slideshow or downloading the
file (in different formats). The 'blob:' is only used for printing
purposes.

Change-Id: I93666ee45e707997969e151af5142efeeca0d177
2017-04-09 23:32:06 +05:30
Pranav Kant
32dde923f7 security: CORS: No need to allow requests from anywhere
insertfile post requests should be made only from our origin.
Mentioning a '*' against allow-access-allow-origin allows other origins
to be able to make requests to insertfile too provided the attacker
knows the doc key which is not very hard to guess/get.

Change-Id: If98351df48935cfcdc18d6879167c0ac6089796c
2017-04-09 23:32:06 +05:30
Pranav Kant
df8ac5f33e wsd: Only set these headers if it's WOPI
Change-Id: I1ccedc9828a724b55f8642aaa2b934c37f49a4dd
2017-04-09 23:32:06 +05:30
Michael Meeks
36900f7d78 Clear display to avoid potential problems.
Running --nocaps under massif; it is unexpected to see
fire_glxtest_process doing heavy lifting glx work.
2017-04-08 13:32:00 +01:00
Michael Meeks
9ea75f974c Re-allocate vector storage to compressed size.
2017-04-07 22:33:01 +01:00
Michael Meeks
254de88a58 Clear ownership of socket while it is being transferred.
This addresses a gap between ServerSocket accepting new sockets,
and their being added to their new polls.
2017-04-07 20:59:34 +01:00
Andras Timar
04c9ea3176 Missing loolwsd.service.
Change-Id: I0fe48717dea734482d3d06ea91f7c5e594081851
2017-04-07 16:43:32 +02:00
Andras Timar
d0e6c1115b missing loolwsd.service from deb package
(cherry picked from commit fe62f43eb6622118c4f507b72234757b25d466f4)
2017-04-07 16:39:32 +02:00