From f1151f58924885abe44d4e70d5c61dc231eb1260 Mon Sep 17 00:00:00 2001 From: John McLear Date: Thu, 7 May 2026 09:15:10 +0100 Subject: [PATCH 1/2] fix(7686): legacy padOptions.userName/userColor=false breaks pad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Settings.json files generated before December 2021 used `false` as the default for these two string options (commit 8c857a85a switched the template default to `null` and noted "this change has no effect due to a bug in how pad options are processed; that bug will be fixed in a future commit" — the follow-up never landed). pad.ts:getParams() then runs `false.toString()`, the resulting string "false" passes the `!== false` sentinel check at _afterHandshake, and notifyChangeName ships USERINFO_UPDATE with name="false" and colorId="false" (clobbered via clientVars.userColor). The server's hex regex rejects the colour and throws `malformed color: false`; the user sees their name as "false" and a white swatch. Defense in depth: - Server: Settings.ts::reloadSettings() coerces legacy boolean false to null for padOptions.userName / padOptions.userColor and warns the operator, matching the existing disableIPlogging shim pattern. - Client: the pad.ts userName / userColor callbacks reject the literal "false" string so URL params (?userName=false) and any other path that surfaces the sentinel as a string are also no-ops. - Backend regression test mirrors the shim and asserts it normalizes legacy false, leaves explicit values intact, leaves null untouched, does not coerce other padOptions keys, and does not coerce the string "false" (that path is the client guard's responsibility). Closes #7686 Co-Authored-By: Claude Opus 4.7 (1M context) --- src/node/utils/Settings.ts | 18 +++++ src/static/js/pad.ts | 9 +++ .../backend/specs/padOptionsLegacyDefaults.ts | 76 +++++++++++++++++++ 3 files changed, 103 insertions(+) create mode 100644 src/tests/backend/specs/padOptionsLegacyDefaults.ts diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts index 71bb4dd1e7d..1baedda4081 100644 --- a/src/node/utils/Settings.ts +++ b/src/node/utils/Settings.ts @@ -1087,6 +1087,24 @@ export const reloadSettings = () => { settings.privacyBanner.dismissal = 'dismissible'; } + // Settings.json files generated before December 2021 used `false` as the + // default for these string options. The client treats the boolean `false` + // as a sentinel meaning "no enforced value", but the dispatch in + // pad.ts:getParams() coerces the boolean to the string "false" before + // applying it, which then propagates as the user's name and color and + // triggers `malformed color: false` on the server (#7686). Normalize + // legacy booleans to null at the boundary so downstream code sees the + // expected sentinel. + for (const key of ['userName', 'userColor'] as const) { + if ((settings.padOptions as any)[key] === false) { + logger.warn( + `padOptions.${key}=false is a legacy default (pre-2021) and is ` + + `now treated as null. Update settings.json to use null instead ` + + `to silence this warning.`); + (settings.padOptions as any)[key] = null; + } + } + // Init logging config settings.logconfig = defaultLogConfig( settings.loglevel ? settings.loglevel : defaultLogLevel, diff --git a/src/static/js/pad.ts b/src/static/js/pad.ts index 72364c26149..12406197ecf 100644 --- a/src/static/js/pad.ts +++ b/src/static/js/pad.ts @@ -136,6 +136,14 @@ const getParameters = [ name: 'userName', checkVal: null, callback: (val) => { + // The default for globalUserName/globalUserColor is the boolean `false` + // (sentinel meaning "no enforced value"). Older settings.json files used + // boolean `false` for these options too, which getParams() coerces to + // the string "false" — that fooled the !== false sentinel checks at + // _afterHandshake and shipped the literal string "false" as the user's + // name and color (#7686). Reject the sentinel string here so URL + // parameters like ?userName=false also no-op. + if (!val || val === 'false') return; settings.globalUserName = val; clientVars.userName = val; }, @@ -144,6 +152,7 @@ const getParameters = [ name: 'userColor', checkVal: null, callback: (val) => { + if (!val || val === 'false') return; settings.globalUserColor = val; clientVars.userColor = val; }, diff --git a/src/tests/backend/specs/padOptionsLegacyDefaults.ts b/src/tests/backend/specs/padOptionsLegacyDefaults.ts new file mode 100644 index 00000000000..caba9528514 --- /dev/null +++ b/src/tests/backend/specs/padOptionsLegacyDefaults.ts @@ -0,0 +1,76 @@ +'use strict'; + +import {strict as assert} from 'assert'; + +describe(__filename, function () { + // Replicates the shim block from Settings.ts::reloadSettings so we can + // assert the mapping without rebooting the whole server in this spec. + // Keep this in lockstep with the production block — if you change the + // shim there, change it here too. + const applyShim = (padOptions: Record) => { + for (const key of ['userName', 'userColor']) { + if (padOptions[key] === false) padOptions[key] = null; + } + return padOptions; + }; + + describe('legacy padOptions.userName/userColor=false → null shim', function () { + it('coerces userName=false to null', function () { + const out = applyShim({userName: false}); + assert.strictEqual(out.userName, null); + }); + + it('coerces userColor=false to null', function () { + const out = applyShim({userColor: false}); + assert.strictEqual(out.userColor, null); + }); + + it('coerces both legacy defaults in one pass', function () { + const out = applyShim({userName: false, userColor: false}); + assert.strictEqual(out.userName, null); + assert.strictEqual(out.userColor, null); + }); + + it('leaves an explicit string userName intact', function () { + const out = applyShim({userName: 'Etherpad User'}); + assert.strictEqual(out.userName, 'Etherpad User'); + }); + + it('leaves an explicit hex userColor intact', function () { + const out = applyShim({userColor: '#ff9900'}); + assert.strictEqual(out.userColor, '#ff9900'); + }); + + it('leaves null values untouched', function () { + const out = applyShim({userName: null, userColor: null}); + assert.strictEqual(out.userName, null); + assert.strictEqual(out.userColor, null); + }); + + it('does not affect other padOptions keys that legitimately use false', function () { + // showChat:false, rtl:false, etc. are real, meaningful values — only + // the two string options carry the legacy boolean sentinel. + const out = applyShim({ + userName: false, + userColor: false, + showChat: false, + rtl: false, + useMonospaceFont: false, + }); + assert.strictEqual(out.userName, null); + assert.strictEqual(out.userColor, null); + assert.strictEqual(out.showChat, false); + assert.strictEqual(out.rtl, false); + assert.strictEqual(out.useMonospaceFont, false); + }); + + it('does not coerce the string "false" — that is handled in the client guard', function () { + // The server-side shim only normalizes the boolean sentinel from + // legacy settings.json. URL-supplied or stringified "false" is + // rejected by pad.ts::getParameters.userName/userColor callbacks. + const out = applyShim({userName: 'false', userColor: 'false'}); + assert.strictEqual(out.userName, 'false'); + assert.strictEqual(out.userColor, 'false'); + }); + }); +}); From 2f875af9fb0659d675e28110a86ecb1bfe20463b Mon Sep 17 00:00:00 2001 From: John McLear Date: Thu, 7 May 2026 09:24:15 +0100 Subject: [PATCH 2/2] fix(7686): guard padOptions shim against non-object config (Qodo) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Qodo flagged that storeSettings() will overwrite settings.padOptions raw with whatever settings.json supplies — including null, primitives, or arrays — which would make the new userName/userColor shim crash on property access. Add a shape guard so the shim is a no-op for malformed padOptions, and extend the regression test to cover null / primitive / array shapes. This doesn't change which configs work (Pad.ts also assumes padOptions is an object and would already crash on a null padOptions when a pad is opened) but it stops the shim from being the loud thing in the stack trace if someone hits it. Co-Authored-By: Claude Opus 4.7 (1M context) --- src/node/utils/Settings.ts | 22 +++++++++------ .../backend/specs/padOptionsLegacyDefaults.ts | 28 +++++++++++++++++-- 2 files changed, 39 insertions(+), 11 deletions(-) diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts index 1baedda4081..54840f03a7a 100644 --- a/src/node/utils/Settings.ts +++ b/src/node/utils/Settings.ts @@ -1094,14 +1094,20 @@ export const reloadSettings = () => { // applying it, which then propagates as the user's name and color and // triggers `malformed color: false` on the server (#7686). Normalize // legacy booleans to null at the boundary so downstream code sees the - // expected sentinel. - for (const key of ['userName', 'userColor'] as const) { - if ((settings.padOptions as any)[key] === false) { - logger.warn( - `padOptions.${key}=false is a legacy default (pre-2021) and is ` + - `now treated as null. Update settings.json to use null instead ` + - `to silence this warning.`); - (settings.padOptions as any)[key] = null; + // expected sentinel. Guard against a malformed padOptions (null, array, + // primitive) — storeSettings() will overwrite it raw if settings.json + // declares it as anything other than a plain object. + if (settings.padOptions != null + && typeof settings.padOptions === 'object' + && !Array.isArray(settings.padOptions)) { + for (const key of ['userName', 'userColor'] as const) { + if ((settings.padOptions as any)[key] === false) { + logger.warn( + `padOptions.${key}=false is a legacy default (pre-2021) and is ` + + `now treated as null. Update settings.json to use null instead ` + + `to silence this warning.`); + (settings.padOptions as any)[key] = null; + } } } diff --git a/src/tests/backend/specs/padOptionsLegacyDefaults.ts b/src/tests/backend/specs/padOptionsLegacyDefaults.ts index caba9528514..73d0a08d588 100644 --- a/src/tests/backend/specs/padOptionsLegacyDefaults.ts +++ b/src/tests/backend/specs/padOptionsLegacyDefaults.ts @@ -7,9 +7,11 @@ describe(__filename, function () { // assert the mapping without rebooting the whole server in this spec. // Keep this in lockstep with the production block — if you change the // shim there, change it here too. - const applyShim = (padOptions: Record) => { - for (const key of ['userName', 'userColor']) { - if (padOptions[key] === false) padOptions[key] = null; + const applyShim = (padOptions: any) => { + if (padOptions != null && typeof padOptions === 'object' && !Array.isArray(padOptions)) { + for (const key of ['userName', 'userColor']) { + if (padOptions[key] === false) padOptions[key] = null; + } } return padOptions; }; @@ -72,5 +74,25 @@ describe(__filename, function () { assert.strictEqual(out.userName, 'false'); assert.strictEqual(out.userColor, 'false'); }); + + it('skips the shim if padOptions is null', function () { + // storeSettings() overwrites settings.padOptions raw if settings.json + // declares it as a non-object — the shim must not throw on that. + assert.doesNotThrow(() => applyShim(null)); + assert.strictEqual(applyShim(null), null); + }); + + it('skips the shim if padOptions is a primitive', function () { + assert.doesNotThrow(() => applyShim(false)); + assert.doesNotThrow(() => applyShim('not an object')); + assert.doesNotThrow(() => applyShim(42)); + }); + + it('skips the shim if padOptions is an array', function () { + const arr: any = [false, false]; + assert.doesNotThrow(() => applyShim(arr)); + // Arrays pass through untouched — index 0/1 (numeric) are not coerced. + assert.deepEqual(applyShim(arr), [false, false]); + }); }); });