Commit Graph

1543 Commits

Author SHA1 Message Date
Asher 938c6ef829
Update fail2ban configuration
Fixes #1177.
2019-11-14 11:14:27 -06:00
Sandro 0add01d383 Delete apt lists from final image (#1174) 2019-11-14 11:12:21 -06:00
Asher 2018024810
Hash password
Fixes issues with unexpected characters breaking things when setting the
cookie (like semicolons).

This change as-is does not affect the security of code-server
itself (we've just replaced the static password with a static hash) but
if we were to add a salt in the future it would let us invalidate keys
by rehashing with a new salt which could be handy.
2019-11-07 15:57:57 -06:00
Asher a1d6bcb8e5
Handle cookies more robustly
If you visit /login/ instead of /login the cookie will be set at /login
instead of / which means the cookie can't be read at the root. It will
redirect to the login page which *can* read the cookie at /login and
redirect back resulting in an infinite loop.

The previous solution relied on setting the cookie at / (any invalid
value works) which then overrode the login page cookie since
parseCookies only kept a single value. So the login page would see the
same cookie the root was seeing and not redirect back. However, that
behavior depends on the cookies being in the right order which I'm not
sure is guaranteed.

This new method tests all available cookies and always sets the cookie
so the root path will be able to read it in case the login page is
seeing a cookie the root can't.

It also goes a step further and explicitly sets the path on the cookie
which fixes the case where there is a permanent misconfiguration
redirecting /login to /login/. Otherwise the cookie would continually be
set on /login only and you'd have another loop. It also means you only
need to delete one cookie to log out.

Lastly add some properties to make the cookies a bit more secure.
2019-11-07 13:36:18 -06:00
ecrode 727ac6483b Clear password when redirecting to login
Should prevent endless redirects when the cookie is set on a different path or domain (like with a dot prefix).
2019-11-07 11:38:10 -06:00
Asher 2c15c09fc0
Add missing telemetry option 2019-11-06 15:47:34 -06:00
Asher 2ad2582cc0
Minor readme updates and fixes 2019-11-05 13:49:18 -06:00
Asher cee0ac213c
Fix error activating extensions on insecure domains
Doesn't affect Firefox but it does affect other browsers.

Fixes #1136.
2019-11-04 17:10:00 -06:00
Asher 780a673017
Add meta tag to allow full screen app on iOS
Fixes #933.
2019-11-04 16:01:01 -06:00
Asher af71203955
Fix relaunching during an update 2019-11-01 10:51:23 -05:00
Asher fc3acfabb2
Fix update check 2019-10-30 17:35:50 -05:00
Asher 3d5db8313a
Add secure domain to requirements 2019-10-30 10:33:07 -05:00
Asher 73cf8f34e3
Fix outgoing scheme transformation
Accidentally used local instead of remote.

Fixes #1127.
2019-10-30 10:32:57 -05:00
dependabot[bot] 766efd6079 Bump mixin-deep from 1.3.1 to 1.3.2 (#1126)
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](https://github.com/jonschlinkert/mixin-deep/compare/1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2019-10-29 15:20:12 -05:00
Asher 87485948ad
Kill inner process if parent process dies
Fixes #1076.
2019-10-29 14:43:27 -05:00
Asher 7e4a73ce2d
Fix schema matching against vscode-remote
Fixes #1104.
2019-10-29 11:42:28 -05:00
Asher 2f0878d9b7
Revert remote scheme change
It doesn't show in the explorer anymore so there's no point. Also remove
the local scheme transform which is no longer required with the latest
client-side extension implementation.
2019-10-29 11:26:50 -05:00
Marc-André Daigneault f65c9b23fc Add docker-compose file (#680) 2019-10-29 11:08:01 -05:00
Asher cd859d117f
Start pushing to latest Docker tag 2019-10-29 11:04:38 -05:00
Asher e22964915a
Support opening workspaces from command line
Partly addresses #1121.
2019-10-28 16:25:51 -05:00
Asher 197d0b6ca9
Strip internal env vars when spawning the shell
This should fix all those reports of code-server dropping straight to
Node and things like #1121.
2019-10-28 16:08:32 -05:00
Asher 422503ef98
Proxy child exit code when exiting parent process
This fixes code-server exiting with zero on errors.
2019-10-28 14:57:01 -05:00
Asher ea36345d2c
Allow fetching any resource
Fixes #1118.
2019-10-28 14:29:51 -05:00
Asher a89d83cbba
Fix other incorrect usages of `split` 2019-10-28 14:03:13 -05:00
Asher 83ff31b620
Fix passwords that contain `=`
Fixes #1119.

Apparently `split` does not work the way I'd expect.
2019-10-28 13:47:31 -05:00
Asher 3a9b032c72
Add heartbeat file (#1115)
Fixes #1050.
2019-10-28 09:59:34 -05:00
Asher f73e9225b4
Remove directory restrictions for /webview/vscode-resource
This makes viewing images work. Fixes #1111.
2019-10-25 15:52:39 -05:00
Asher 168ccb0dfc
Prevent cache changes when patch updates 2019-10-25 13:12:04 -05:00
Asher 58f7f5b769
Properly fix blank --cert flag
See #1109.
2019-10-25 12:04:43 -05:00
Asher b8e6369fbe
Fix empty --cert not generating self-signed certificate
Fixes #1101.
2019-10-25 11:01:42 -05:00
Asher d81d5f499f
Remove Cloud Run button
Unfortunately it doesn't allow websockets so it's not working.
2019-10-24 16:45:22 -05:00
Asher 4be178d234
Move Google Cloud button to match Digital Ocean 2019-10-24 16:09:02 -05:00
Ayane Satomi 9c40466b4b Add Google Cloud quick-launch button (#1069) 2019-10-24 16:07:44 -05:00
Asher 95693fb58e
Handle /webview/vscode-resource/file urls
See #1103.
2019-10-24 14:35:25 -05:00
Asher e7945bea94
Enable password authentication by default
Fixes #1062.
2019-10-24 12:35:26 -05:00
Asher 91f49e1efd
Set SHELL to /bin/bash in Docker
Fixes #1081, fixes #918.
2019-10-23 13:34:00 -05:00
Asher eea9c1618c
Move client-side extension code out of patch 2019-10-23 13:12:11 -05:00
Asher f1b38e4e48
Fix out-of-order readme section 2019-10-23 11:54:47 -05:00
Asher ff99a1d768
Add security section to readme
See #1062.
2019-10-23 11:49:17 -05:00
Asher 7f07b8f66c
Push Docker using Linux build
Instead of doing a separate redundant build. The main problem was that
the files weren't being cached. There is probably a better way of
solving this but this seems to be the simplest for now.
2019-10-22 18:43:21 -05:00
Asher faae03da6b
Add prerequisites for building 2019-10-22 17:49:43 -05:00
Asher a6e4f96737
Fix webview html being excluded
Also skip the workbench html since we have our own.
2019-10-22 16:09:27 -05:00
Asher cc7585bbc2
Port onigasm fix for PHP 2019-10-22 11:39:00 -05:00
Asher 14a0cd3ffd
Remove build files in source
They aren't used in subsequent files and just slow down CI since it has
to extract from the cache and then package the changes.
2019-10-22 11:26:46 -05:00
Asher 3ff83eda45
Ensure VS Code dependencies and built-in extensions exist
Fixes #1087.
2019-10-22 10:49:00 -05:00
Asher f133b00851
Fix darwin detection 2019-10-21 16:51:01 -05:00
Asher ece840834d
Move login page to browser directory
Fixes it not being included in the optimized build as well as making it
more consistent.
2019-10-21 15:02:41 -05:00
Asher 76f6ff4145
Fix alpine check 2019-10-21 14:09:04 -05:00
Asher 2458cde498
Update source & build paths in Dockerfile 2019-10-21 12:25:18 -05:00
Asher 82e2b8a169
Move source to its own directory
This matches how the rest of the build is organized but also hopefully
solves an issue where the VS Code directory is empty because we try to
cache it directly and Travis might be creating it.
2019-10-21 11:16:47 -05:00