Commit Graph

2799 Commits

Author SHA1 Message Date
Asher
44c4722edf
Fix data directory path in Dockerfile 2019-12-10 12:06:52 -06:00
Asher
e5fc63f2c8
Fix accessing manifest behind basic auth
Apparently the manifest spec doesn't include sending credentials in an
attempt to be secure by default.

Fixes #1212.
2019-12-09 11:25:59 -06:00
Asher
015a99e87d
Always install VS Code dependencies
This fixes the case where the script is killed before all the
dependencies were fully installed.
2019-12-09 10:55:24 -06:00
Simen Eriksen
884491d72b Update Dockerfile to fix EACCES issue on mount (#1191)
https://github.com/cdr/code-server/issues/1188 
Fixes issue with permissions mounting in directories in the container. Folders are generated by root causing issues when the container user "coder" wants to create sub-folders. This fix solves it, at least on Crostini (ChromeOS)
2019-12-05 13:38:03 -06:00
Asher
e14362f322
Pass along Node options 2019-11-14 17:20:23 -06:00
Asher
917aa48072
Update enterprise link
Fixes #1172.
2019-11-14 11:16:08 -06:00
Asher
938c6ef829
Update fail2ban configuration
Fixes #1177.
2019-11-14 11:14:27 -06:00
Sandro
0add01d383 Delete apt lists from final image (#1174) 2019-11-14 11:12:21 -06:00
Asher
2018024810
Hash password
Fixes issues with unexpected characters breaking things when setting the
cookie (like semicolons).

This change as-is does not affect the security of code-server
itself (we've just replaced the static password with a static hash) but
if we were to add a salt in the future it would let us invalidate keys
by rehashing with a new salt which could be handy.
2019-11-07 15:57:57 -06:00
Asher
a1d6bcb8e5
Handle cookies more robustly
If you visit /login/ instead of /login the cookie will be set at /login
instead of / which means the cookie can't be read at the root. It will
redirect to the login page which *can* read the cookie at /login and
redirect back resulting in an infinite loop.

The previous solution relied on setting the cookie at / (any invalid
value works) which then overrode the login page cookie since
parseCookies only kept a single value. So the login page would see the
same cookie the root was seeing and not redirect back. However, that
behavior depends on the cookies being in the right order which I'm not
sure is guaranteed.

This new method tests all available cookies and always sets the cookie
so the root path will be able to read it in case the login page is
seeing a cookie the root can't.

It also goes a step further and explicitly sets the path on the cookie
which fixes the case where there is a permanent misconfiguration
redirecting /login to /login/. Otherwise the cookie would continually be
set on /login only and you'd have another loop. It also means you only
need to delete one cookie to log out.

Lastly add some properties to make the cookies a bit more secure.
2019-11-07 13:36:18 -06:00
ecrode
727ac6483b Clear password when redirecting to login
Should prevent endless redirects when the cookie is set on a different path or domain (like with a dot prefix).
2019-11-07 11:38:10 -06:00
Asher
2c15c09fc0
Add missing telemetry option 2019-11-06 15:47:34 -06:00
Asher
2ad2582cc0
Minor readme updates and fixes 2019-11-05 13:49:18 -06:00
Asher
cee0ac213c
Fix error activating extensions on insecure domains
Doesn't affect Firefox but it does affect other browsers.

Fixes #1136.
2019-11-04 17:10:00 -06:00
Asher
780a673017
Add meta tag to allow full screen app on iOS
Fixes #933.
2019-11-04 16:01:01 -06:00
Asher
af71203955
Fix relaunching during an update 2019-11-01 10:51:23 -05:00
Asher
fc3acfabb2
Fix update check 2019-10-30 17:35:50 -05:00
Asher
3d5db8313a
Add secure domain to requirements 2019-10-30 10:33:07 -05:00
Asher
73cf8f34e3
Fix outgoing scheme transformation
Accidentally used local instead of remote.

Fixes #1127.
2019-10-30 10:32:57 -05:00
dependabot[bot]
766efd6079 Bump mixin-deep from 1.3.1 to 1.3.2 (#1126)
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](https://github.com/jonschlinkert/mixin-deep/compare/1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2019-10-29 15:20:12 -05:00
Asher
87485948ad
Kill inner process if parent process dies
Fixes #1076.
2019-10-29 14:43:27 -05:00
Asher
7e4a73ce2d
Fix schema matching against vscode-remote
Fixes #1104.
2019-10-29 11:42:28 -05:00
Asher
2f0878d9b7
Revert remote scheme change
It doesn't show in the explorer anymore so there's no point. Also remove
the local scheme transform which is no longer required with the latest
client-side extension implementation.
2019-10-29 11:26:50 -05:00
Marc-André Daigneault
f65c9b23fc Add docker-compose file (#680) 2019-10-29 11:08:01 -05:00
Asher
cd859d117f
Start pushing to latest Docker tag 2019-10-29 11:04:38 -05:00
Asher
e22964915a
Support opening workspaces from command line
Partly addresses #1121.
2019-10-28 16:25:51 -05:00
Asher
197d0b6ca9
Strip internal env vars when spawning the shell
This should fix all those reports of code-server dropping straight to
Node and things like #1121.
2019-10-28 16:08:32 -05:00
Asher
422503ef98
Proxy child exit code when exiting parent process
This fixes code-server exiting with zero on errors.
2019-10-28 14:57:01 -05:00
Asher
ea36345d2c
Allow fetching any resource
Fixes #1118.
2019-10-28 14:29:51 -05:00
Asher
a89d83cbba
Fix other incorrect usages of split 2019-10-28 14:03:13 -05:00
Asher
83ff31b620
Fix passwords that contain =
Fixes #1119.

Apparently `split` does not work the way I'd expect.
2019-10-28 13:47:31 -05:00
Asher
3a9b032c72
Add heartbeat file (#1115)
Fixes #1050.
2019-10-28 09:59:34 -05:00
Asher
f73e9225b4
Remove directory restrictions for /webview/vscode-resource
This makes viewing images work. Fixes #1111.
2019-10-25 15:52:39 -05:00
Asher
168ccb0dfc
Prevent cache changes when patch updates 2019-10-25 13:12:04 -05:00
Asher
58f7f5b769
Properly fix blank --cert flag
See #1109.
2019-10-25 12:04:43 -05:00
Asher
b8e6369fbe
Fix empty --cert not generating self-signed certificate
Fixes #1101.
2019-10-25 11:01:42 -05:00
Asher
d81d5f499f
Remove Cloud Run button
Unfortunately it doesn't allow websockets so it's not working.
2019-10-24 16:45:22 -05:00
Asher
4be178d234
Move Google Cloud button to match Digital Ocean 2019-10-24 16:09:02 -05:00
Ayane Satomi
9c40466b4b Add Google Cloud quick-launch button (#1069) 2019-10-24 16:07:44 -05:00
Asher
95693fb58e
Handle /webview/vscode-resource/file urls
See #1103.
2019-10-24 14:35:25 -05:00
Asher
e7945bea94
Enable password authentication by default
Fixes #1062.
2019-10-24 12:35:26 -05:00
Asher
91f49e1efd
Set SHELL to /bin/bash in Docker
Fixes #1081, fixes #918.
2019-10-23 13:34:00 -05:00
Asher
eea9c1618c
Move client-side extension code out of patch 2019-10-23 13:12:11 -05:00
Asher
f1b38e4e48
Fix out-of-order readme section 2019-10-23 11:54:47 -05:00
Asher
ff99a1d768
Add security section to readme
See #1062.
2019-10-23 11:49:17 -05:00
Asher
7f07b8f66c
Push Docker using Linux build
Instead of doing a separate redundant build. The main problem was that
the files weren't being cached. There is probably a better way of
solving this but this seems to be the simplest for now.
2019-10-22 18:43:21 -05:00
Asher
faae03da6b
Add prerequisites for building 2019-10-22 17:49:43 -05:00
Asher
a6e4f96737
Fix webview html being excluded
Also skip the workbench html since we have our own.
2019-10-22 16:09:27 -05:00
Asher
cc7585bbc2
Port onigasm fix for PHP 2019-10-22 11:39:00 -05:00
Asher
14a0cd3ffd
Remove build files in source
They aren't used in subsequent files and just slow down CI since it has
to extract from the cache and then package the changes.
2019-10-22 11:26:46 -05:00