From 51c675c6fe6195890d86cfdae339d8f0597346e4 Mon Sep 17 00:00:00 2001 From: David Baker Date: Wed, 1 Apr 2020 10:38:49 +0100 Subject: [PATCH 1/6] Give the jitsi wrapper its own external api script --- config.sample.json | 3 +-- docs/config.md | 3 --- package.json | 5 +++-- src/vector/jitsi/index.html | 2 ++ src/vector/jitsi/index.ts | 9 --------- 5 files changed, 6 insertions(+), 16 deletions(-) diff --git a/config.sample.json b/config.sample.json index b8dc2fbb4c..87fc63de03 100644 --- a/config.sample.json +++ b/config.sample.json @@ -53,7 +53,6 @@ "breadcrumbs": true }, "jitsi": { - "preferredDomain": "jitsi.riot.im", - "externalApiUrl": "https://jitsi.riot.im/libs/external_api.min.js" + "preferredDomain": "jitsi.riot.im" } } diff --git a/docs/config.md b/docs/config.md index 40e71361bb..1471faf9a4 100644 --- a/docs/config.md +++ b/docs/config.md @@ -88,9 +88,6 @@ For a good example, see https://riot.im/develop/config.json. 1. `preferredDomain`: The domain name of the preferred Jitsi instance. Defaults to `jitsi.riot.im`. This is used whenever a user clicks on the voice/video call buttons - integration managers may use a different domain. - 1. `externalApiUrl`: The URL to the Jitsi Meet API script. This is required - for showing any Jitsi widgets, no matter the source. Defaults to - `https://jitsi.riot.im/libs/external_api.min.js`. Note that `index.html` also has an og:image meta tag that is set to an image hosted on riot.im. This is the image used if links to your copy of Riot diff --git a/package.json b/package.json index 496c2a31f2..1de6446ef1 100644 --- a/package.json +++ b/package.json 
@@ -38,8 +38,9 @@ "clean": "rimraf lib webapp electron_app/dist", "build": "yarn clean && yarn build:genfiles && yarn build:compile && yarn build:types && yarn build:bundle", "build-stats": "yarn clean && yarn build:genfiles && yarn build:compile && yarn build:types && yarn build:bundle-stats", + "build:jitsi": "curl -s https://jitsi.riot.im/libs/external_api.min.js > ./webapp/jitsi_external_api.min.js", "build:res": "node scripts/copy-res.js", - "build:genfiles": "yarn reskindex && yarn build:res", + "build:genfiles": "yarn reskindex && yarn build:res && yarn build:jitsi", "build:modernizr": "modernizr -c .modernizr.json -d src/vector/modernizr.js", "build:compile": "babel -d lib --verbose --extensions \".ts,.js,.tsx\" src", "build:bundle": "cross-env NODE_ENV=production webpack -p --progress --bail --mode production", @@ -52,7 +53,7 @@ "install:electron": "electron-builder install-app-deps", "dist": "scripts/package.sh", "start": "concurrently --kill-others-on-fail --prefix \"{time} [{name}]\" -n reskindex,reskindex-react,res,riot-js \"yarn reskindex:watch\" \"yarn reskindex:watch-react\" \"yarn start:res\" \"yarn start:js\"", - "start:res": "node scripts/copy-res.js -w", + "start:res": "yarn build:jitsi && node scripts/copy-res.js -w", "start:js": "webpack-dev-server --host=0.0.0.0 --output-filename=bundles/_dev_/[name].js --output-chunk-filename=bundles/_dev_/[name].js -w --progress --mode development", "electron": "yarn build && yarn install:electron && electron .", "lint": "yarn lint:types && yarn lint:ts && yarn lint:js && yarn lint:style", diff --git a/src/vector/jitsi/index.html b/src/vector/jitsi/index.html index 58184e0a5d..b9fc950e15 100644 --- a/src/vector/jitsi/index.html +++ b/src/vector/jitsi/index.html @@ -15,5 +15,7 @@ + + diff --git a/src/vector/jitsi/index.ts b/src/vector/jitsi/index.ts index 75b017a269..1108e70c18 100644 --- a/src/vector/jitsi/index.ts +++ b/src/vector/jitsi/index.ts 
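Review bot: `build:jitsi` fetches `external_api.min.js` from jitsi.riot.im at build time with no integrity check, so whatever that host (or anything in the path to it) serves is shipped as first-party code in every build; pin a known version and verify the download against a checksum recorded in the repository (e.g. `sha256sum -c`) before it lands in `webapp/`, or vendor the file. Separately, `curl -s` without `-f` writes the HTTP error body into the target file on a 4xx/5xx response and still exits 0, so the build succeeds with a broken script; at minimum `"build:jitsi": "curl -sSf https://jitsi.riot.im/libs/external_api.min.js -o ./webapp/jitsi_external_api.min.js"`. The same script is also wired into `start:res` in the next hunk, which makes every dev start depend on that download succeeding.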
@@ -52,7 +52,6 @@ let widgetApi: WidgetApi; // Set this up as early as possible because Riot will be hitting it almost immediately. widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [ Capability.AlwaysOnScreen, - Capability.GetRiotWebConfig, ]); widgetApi.expectingExplicitReady = true; @@ -66,14 +65,6 @@ let widgetApi: WidgetApi; await widgetApi.waitReady(); await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen - const riotConfig = await widgetApi.getRiotConfig(); - - // Get the Jitsi Meet API loaded up as fast as possible, but ensure that the widget's postMessage - // receiver (WidgetApi) is up and running first. - const scriptTag = document.createElement("script"); - scriptTag.src = riotConfig['jitsi']['externalApiUrl']; - document.body.appendChild(scriptTag); - // TODO: register widgetApi listeners for PTT controls (https://github.com/vector-im/riot-web/issues/12795) document.getElementById("joinButton").onclick = () => joinConference(); From 24fe98a78cb9bf58d151673fc62422b11c042a30 Mon Sep 17 00:00:00 2001 From: David Baker Date: Wed, 1 Apr 2020 11:08:53 +0100 Subject: [PATCH 2/6] Make widget API use optional So we can work when popped out into a browser --- src/vector/jitsi/index.ts | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/src/vector/jitsi/index.ts b/src/vector/jitsi/index.ts index 1108e70c18..8150a39994 100644 --- a/src/vector/jitsi/index.ts +++ b/src/vector/jitsi/index.ts 
@@ -49,11 +49,19 @@ let widgetApi: WidgetApi; return query[name]; }; + // If we have these params, expect a widget API to be available (ie. to be in an iframe + // inside a matrix client). Otherwise, assume we're on our own, eg. have been popped + // out into a browser. + const parentUrl = qsParam('parentUrl', true); + const widgetId = qsParam('widgetId', true); + // Set this up as early as possible because Riot will be hitting it almost immediately. - widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [ - Capability.AlwaysOnScreen, - ]); - widgetApi.expectingExplicitReady = true; + if (parentUrl && widgetId) { + widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [ + Capability.AlwaysOnScreen, + ]); + widgetApi.expectingExplicitReady = true; + } // Populate the Jitsi params now jitsiDomain = qsParam('conferenceDomain'); @@ -62,8 +70,10 @@ let widgetApi: WidgetApi; avatarUrl = qsParam('avatarUrl', true); // http not mxc userId = qsParam('userId'); - await widgetApi.waitReady(); - await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen + if (widgetApi) { + await widgetApi.waitReady(); + await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen + } // TODO: register widgetApi listeners for PTT controls (https://github.com/vector-im/riot-web/issues/12795) @@ -85,7 +95,7 @@ function joinConference() { // event handler bound in HTML switchVisibleContainers(); // noinspection JSIgnoredPromiseFromCall - widgetApi.setAlwaysOnScreen(true); // ignored promise because we don't care if it works + if (widgetApi) widgetApi.setAlwaysOnScreen(true); // ignored promise because we don't care if it works const meetApi = new JitsiMeetExternalAPI(jitsiDomain, { width: "100%", 
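Review bot: The guarded `new WidgetApi(...)` call re-reads the query string with `qsParam('parentUrl')` and `qsParam('widgetId')` even though the hunk has just stored those values in `parentUrl` and `widgetId`; it should pass the locals, `widgetApi = new WidgetApi(parentUrl, widgetId, [`, so the optional and non-optional reads of the same parameter cannot diverge. More importantly, in the new no-widget-API mode the page still takes `jitsiDomain = qsParam('conferenceDomain')` (context line below) and the other conference parameters straight from the URL, so the URL alone now decides which Jitsi server the external API is pointed at; with the config lookup removed in PATCH 1 the wrapper has no trusted source to compare against, so an allowed domain list (at least the default domain) should be provisioned at build time and `conferenceDomain` rejected when it does not match. The enclosing async function starts before this hunk and continues past it.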
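Review bot: `widgetApi` is still declared as `let widgetApi: WidgetApi;` (per the hunk context header) although it is now deliberately left unset when the page is popped out, so the new `if (widgetApi)` guards here, in the `joinConference` hunk below and in the following hunk at line 117 express a nullability the type does not; widen the declaration to `let widgetApi: WidgetApi | undefined;` so a future call site that forgets the guard is rejected by the compiler instead of failing at runtime. The guards also repeat the same `if (widgetApi) widgetApi.setAlwaysOnScreen(...)` shape three times; a small helper such as `const setAlwaysOnScreen = (on: boolean) => widgetApi?.setAlwaysOnScreen(on);` would keep the optional-API handling in one place.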
@@ -107,7 +117,7 @@ function joinConference() { // event handler bound in HTML switchVisibleContainers(); // noinspection JSIgnoredPromiseFromCall - widgetApi.setAlwaysOnScreen(false); // ignored promise because we don't care if it works + if (widgetApi) widgetApi.setAlwaysOnScreen(false); // ignored promise because we don't care if it works document.getElementById("jitsiContainer").innerHTML = ""; }); From 5f5d46eb117cbad6df3faedb49ac8d32e77762ce Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 1 Apr 2020 15:08:57 +0100 Subject: [PATCH 3/6] Upgrade matrix-react-sdk to 2.3.1 --- package.json | 2 +- yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 1de6446ef1..fd48c590df 100644 --- a/package.json +++ b/package.json @@ -69,7 +69,7 @@ "gfm.css": "^1.1.2", "highlight.js": "^9.13.1", "matrix-js-sdk": "5.2.0", - "matrix-react-sdk": "2.3.0", + "matrix-react-sdk": "2.3.1", "olm": "https://packages.matrix.org/npm/olm/olm-3.1.4.tgz", "postcss-easings": "^2.0.0", "prop-types": "^15.7.2", diff --git a/yarn.lock b/yarn.lock index d7f16e50bb..58a465ca9f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -7473,10 +7473,10 @@ matrix-mock-request@^1.2.3: bluebird "^3.5.0" expect "^1.20.2" -matrix-react-sdk@2.3.0: - version "2.3.0" - resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-2.3.0.tgz#67c50130e2c62dcd48bae684b1d68eae4ff229f4" - integrity sha512-K1+y2Q3XcjRu7jN72JKO2bG8yD0MK8i1tYI8/oafvFJP1HlpphUzF58tQ/EAiXs1a4UnsxBV27xvrHOxqzflLQ== +matrix-react-sdk@2.3.1: + version "2.3.1" + resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-2.3.1.tgz#76ac6f98dfa89d4ceb7c63b31e10b9779bca12fe" + integrity sha512-TIiiEIUa891eTdRFCaj18sAFJULBDgbFOvV4upaED/aNXxnHOLV5JjNuYzsmQMEJ6Fmrz5iM0DbWXaADnuZwpQ== dependencies: "@babel/runtime" "^7.8.3" blueimp-canvas-to-blob "^3.5.0" From 97586aa5c363bc3dedce37378d9dfc03f3cf9174 Mon Sep 17 00:00:00 2001 
From: RiotRobot Date: Wed, 1 Apr 2020 15:10:52 +0100 Subject: [PATCH 4/6] v1.5.15 --- electron_app/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/electron_app/package.json b/electron_app/package.json index 4e014c9633..390b61d8d3 100644 --- a/electron_app/package.json +++ b/electron_app/package.json @@ -2,7 +2,7 @@ "name": "riot-web", "productName": "Riot", "main": "src/electron-main.js", - "version": "1.5.14", + "version": "1.5.15", "description": "A feature-rich client for Matrix.org", "author": "New Vector Ltd.", "dependencies": { From 7fb6c1e1179d138a3af70361ffc28bf9a49c12cb Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 1 Apr 2020 15:28:24 +0100 Subject: [PATCH 5/6] Prepare changelog for v1.5.15 --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02d5492afb..a5bc6cda88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,19 @@ +Changes in [1.5.15](https://github.com/vector-im/riot-web/releases/tag/v1.5.15) (2020-04-01) +============================================================================================ +[Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14...v1.5.15) + +## Security notice + +The `jitsi.html` widget wrapper introduced in Riot 1.5.14 could be used to extract user data by tricking the user into adding a custom widget or opening a link in the browser used to run Riot. Jitsi widgets created through Riot UI do not pose a risk and do not need to be recreated. + +It is important to purge any copies of Riot 1.5.14 so that the vulnerable `jitsi.html` wrapper from that version is no longer accessible. + +## All changes + + * Upgrade React SDK to 2.3.1 for Jitsi fixes + * Fix popout support for jitsi widgets + [\#12980](https://github.com/vector-im/riot-web/pull/12980) + Changes in [1.5.14](https://github.com/vector-im/riot-web/releases/tag/v1.5.14) (2020-03-30) ============================================================================================ [Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14-rc.1...v1.5.14) From 0cfdc7b66ae1c289465e9095f595e3106fa18b10 Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 1 Apr 2020 15:28:24 +0100 Subject: [PATCH 6/6] v1.5.15 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index fd48c590df..c323431f3b 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "riot-web", "productName": "Riot", "main": "electron_app/src/electron-main.js", - "version": "1.5.14", + "version": "1.5.15", "description": "A feature-rich client for Matrix.org", "author": "New Vector Ltd.", "repository": {