Merge branch Develop into thumbnails

.github/ISSUE_TEMPLATE/bug_report.md

@@ -31,7 +31,7 @@ If applicable, add screenshots to help explain your problem.
  - OS: [e.g. Windows 10/Raspberry Pi OS]
  - Python version: [e.g. python2.7]
  - Calibre-Web version: [e.g. 0.6.8 or 087c4c59 (git rev-parse --short HEAD)]:
- - Docker container: [None/Technosoft2000/LinuxServer]:
+ - Docker container: [None/LinuxServer]:
  - Special Hardware: [e.g. Rasperry Pi Zero]
  - Browser: [e.g. Chrome 83.0.4103.97, Safari 13.3.7, Firefox 68.0.1 ESR]
 

README.md

@@ -19,7 +19,7 @@ Calibre-Web is a web app providing a clean interface for browsing, reading and d
 - full graphical setup
 - User management with fine-grained per-user permissions
 - Admin interface
-- User Interface in brazilian, czech, dutch, english, finnish, french, german, greek, hungarian, italian, japanese, khmer, polish, russian, simplified chinese, spanish, swedish, turkish, ukrainian
+- User Interface in brazilian, czech, dutch, english, finnish, french, german, greek, hungarian, italian, japanese, khmer, korean, polish, russian, simplified and traditional chinese, spanish, swedish, turkish, ukrainian
 - OPDS feed for eBook reader apps 
 - Filter and search by titles, authors, tags, series and language
 - Create a custom book collection (shelves)
@@ -37,28 +37,31 @@ Calibre-Web is a web app providing a clean interface for browsing, reading and d
 - "Magic Link" login to make it easy to log on eReaders
 - Login via LDAP, google/github oauth and via proxy authentication
 
-## Quick start
+## Installation
 
-#### Install via pip
+#### Installation via pip (recommended)
 1. Install calibre web via pip with the command `pip install calibreweb` (Depending on your OS and or distro the command could also be `pip3`). 
 2. Optional features can also be installed via pip, please refer to [this page](https://github.com/janeczku/calibre-web/wiki/Dependencies-in-Calibre-Web-Linux-Windows) for details 
 3. Calibre-Web can be started afterwards by typing `cps` or `python3 -m cps` 
 
 #### Manual installation
 1. Install dependencies by running `pip3 install --target vendor -r requirements.txt` (python3.x). Alternativly set up a python virtual environment.
 2. Execute the command: `python3 cps.py` (or `nohup python3 cps.py` - recommended if you want to exit the terminal window)
-
+
+Issues with Ubuntu:
+Please note that running the above install command can fail on some versions of Ubuntu, saying `"can't combine user with prefix"`. This is a [known bug](https://github.com/pypa/pip/issues/3826) and can be remedied by using the command `pip install --system --target vendor -r requirements.txt` instead.
+
+## Quick start
+
 Point your browser to `http://localhost:8083` or `http://localhost:8083/opds` for the OPDS catalog
 Set `Location of Calibre database` to the path of the folder where your Calibre library (metadata.db) lives, push "submit" button\
 Optionally a Google Drive can be used to host the calibre library [-> Using Google Drive integration](https://github.com/janeczku/calibre-web/wiki/Configuration#using-google-drive-integration)
 Go to Login page
 
-**Default admin login:**\
+#### Default admin login:
 *Username:* admin\
 *Password:* admin123
 
-**Issues with Ubuntu:**
-Please note that running the above install command can fail on some versions of Ubuntu, saying `"can't combine user with prefix"`. This is a [known bug](https://github.com/pypa/pip/issues/3826) and can be remedied by using the command `pip install --system --target vendor -r requirements.txt` instead.
 
 ## Requirements
 
@@ -72,14 +75,7 @@ Optionally, to enable on-the-fly conversion from one ebook format to another whe
 
 ## Docker Images
 
-Pre-built Docker images are available in these Docker Hub repositories:
-
-#### **Technosoft2000 - x64**
-+ Docker Hub - [https://hub.docker.com/r/technosoft2000/calibre-web](https://hub.docker.com/r/technosoft2000/calibre-web)
-+ Github - [https://github.com/Technosoft2000/docker-calibre-web](https://github.com/Technosoft2000/docker-calibre-web) 
-
-    Includes the Calibre `ebook-convert` binary.
-    + The "path to convertertool" should be set to `/opt/calibre/ebook-convert`
+A pre-built Docker image is available in these Docker Hub repository (maintained by the LinuxServer team):
 
 #### **LinuxServer - x64, armhf, aarch64**
 + Docker Hub - [https://hub.docker.com/r/linuxserver/calibre-web](https://hub.docker.com/r/linuxserver/calibre-web)

SECURITY.md

@@ -3,3 +3,37 @@
 ## Reporting a Vulnerability
 
 Please report security issues to ozzie.fernandez.isaacs@googlemail.com
+
+## Supported Versions
+
+To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release.
+
+## History
+
+| Fixed in      | Description                                                                                                        |CVE number |
+|---------------|--------------------------------------------------------------------------------------------------------------------|---------|
+| 3rd July 2018 | Guest access acts as a backdoor                                                                                    ||
+| V 0.6.7       | Hardcoded secret key for sessions                                                                                  |CVE-2020-12627 |
+| V 0.6.13      | Calibre-Web Metadata cross site scripting                                                                          |CVE-2021-25964|
+| V 0.6.13      | Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo           ||
+| V 0.6.13      | JavaScript could get executed in the description field. Thanks to @ranjit-git  and Hagai Wechsler (WhiteSource)    ||
+| V 0.6.13      | JavaScript could get executed in a custom column of type "comment" field                                           ||
+| V 0.6.13      | JavaScript could get executed after converting a book to another format with a title containing javascript code    ||
+| V 0.6.13      | JavaScript could get executed after converting a book to another format with a username containing javascript code ||
+| V 0.6.13      | JavaScript could get executed in the description series, categories or publishers title                            ||
+| V 0.6.13      | JavaScript could get executed  in the shelf title                                                                  ||
+| V 0.6.13      | Login with the old session cookie after logout. Thanks to @ibarrionuevo                                            ||
+| V 0.6.14      | CSRF was possible. Thanks to @mik317 and Hagai Wechsler (WhiteSource)                                              |CVE-2021-25965|
+| V 0.6.14      | Migrated some routes to POST-requests (CSRF protection). Thanks to @scara31                                        ||
+| V 0.6.15      | Fix for "javascript:" script links in identifier. Thanks to @scara31                                               ||
+| V 0.6.15      | Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo                           ||
+| V 0.6.15      | Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo       ||
+| V 0.6.15      | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo                    ||
+| V 0.6.16      | JavaScript could get executed on authors page. Thanks to @alicaz                                                   ||
+| V 0.6.16      | Localhost can no longer be used to upload covers. Thanks to @scara31                                               ||
+| V 0.6.16      | Another case where public shelfs could be created without permission is prevented. Thanks to @ibarrionuevo         ||
+
+
+## Staement regarding Log4j (CVE-2021-44228 and related)
+
+Calibre-web is not affected by bugs related to Log4j. Calibre-Web is a python program, therefore not using Java, and not using the Java logging feature log4j. 

cps.py

@@ -16,19 +16,19 @@
 #
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>.
+try:
+    from gevent import monkey
+    monkey.patch_all()
+except ImportError:
+    pass
 
-from __future__ import absolute_import, division, print_function, unicode_literals
 import sys
 import os
 
 
 # Insert local directories into path
-if sys.version_info < (3, 0):
-    sys.path.append(os.path.dirname(os.path.abspath(__file__.decode('utf-8'))))
-    sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__.decode('utf-8'))), 'vendor'))
-else:
-    sys.path.append(os.path.dirname(os.path.abspath(__file__)))
-    sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'vendor'))
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'vendor'))
 
 
 from cps import create_app
@@ -50,7 +50,7 @@
     from cps.kobo import kobo, get_kobo_activated
     from cps.kobo_auth import kobo_auth
     kobo_available = get_kobo_activated()
-except ImportError:
+except (ImportError, AttributeError):   # Catch also error for not installed flask-WTF (missing csrf decorator)
     kobo_available = False
 
 try:

cps/MyLoginManager.py

@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+
+#  This file is part of the Calibre-Web (https://github.com/janeczku/calibre-web)
+#    Copyright (C) 2018-2019 OzzieIsaacs, cervinko, jkrehm, bodybybuddha, ok11,
+#                            andy29485, idalin, Kyosfonica, wuqi, Kennyl, lemmsh,
+#                            falgh1, grunjol, csitko, ytils, xybydy, trasba, vrabe,
+#                            ruben-herold, marblepebble, JackED42, SiphonSquirrel,
+#                            apetresc, nanu-c, mutschler, GammaC0de, vuolter
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+from flask_login import LoginManager
+from flask import session
+
+
+class MyLoginManager(LoginManager):
+    def _session_protection_failed(self):
+        sess = session._get_current_object()
+        ident = self._session_identifier_generator()
+        if(sess and not (len(sess) == 1 and sess.get('csrf_token', None))) and ident != sess.get('_id', None):
+            return super(). _session_protection_failed()
+        return False

cps/__init__.py

@@ -19,8 +19,8 @@
 #
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>.
+__package__ = "cps"
 
-from __future__ import division, print_function, unicode_literals
 import sys
 import os
 import mimetypes
@@ -29,20 +29,27 @@
 from babel import negotiate_locale
 from babel.core import UnknownLocaleError
 from flask import Flask, request, g
-from flask_login import LoginManager
+from .MyLoginManager import MyLoginManager
 from flask_babel import Babel
 from flask_principal import Principal
 
 from . import config_sql, logger, cache_buster, cli, ub, db
 from .reverseproxy import ReverseProxied
 from .server import WebServer
+from .dep_check import dependency_check
 
 try:
     import lxml
     lxml_present = True
 except ImportError:
     lxml_present = False
 
+try:
+    from flask_wtf.csrf import CSRFProtect
+    wtf_present = True
+except ImportError:
+    wtf_present = False
+
 mimetypes.init()
 mimetypes.add_type('application/xhtml+xml', '.xhtml')
 mimetypes.add_type('application/epub+zip', '.epub')
@@ -61,20 +68,29 @@
 mimetypes.add_type('application/mp4', '.m4b')
 mimetypes.add_type('application/ogg', '.ogg')
 mimetypes.add_type('application/ogg', '.oga')
+mimetypes.add_type('text/css', '.css')
+mimetypes.add_type('text/javascript; charset=UTF-8', '.js')
 
 app = Flask(__name__)
 app.config.update(
     SESSION_COOKIE_HTTPONLY=True,
     SESSION_COOKIE_SAMESITE='Lax',
     REMEMBER_COOKIE_SAMESITE='Lax',  # will be available in flask-login 0.5.1 earliest
+    WTF_CSRF_SSL_STRICT=False
 )
 
 
-lm = LoginManager()
+lm = MyLoginManager()
 lm.login_view = 'web.login'
 lm.anonymous_user = ub.Anonymous
 lm.session_protection = 'strong'
 
+if wtf_present:
+    csrf = CSRFProtect()
+    csrf.init_app(app)
+else:
+    csrf = None
+
 ub.init_db(cli.settingspath)
 # pylint: disable=no-member
 config = config_sql.load_configuration(ub.session)
@@ -86,6 +102,7 @@
 
 log = logger.create()
 
+
 from . import services
 
 db.CalibreDB.update_config(config)
@@ -100,17 +117,24 @@ def create_app():
             '*** Python2 is EOL since end of 2019, this version of Calibre-Web is no longer supporting Python2, please update your installation to Python3 ***')
         print(
             '*** Python2 is EOL since end of 2019, this version of Calibre-Web is no longer supporting Python2, please update your installation to Python3 ***')
+        web_server.stop(True)
         sys.exit(5)
     if not lxml_present:
         log.info('*** "lxml" is needed for calibre-web to run. Please install it using pip: "pip install lxml" ***')
         print('*** "lxml" is needed for calibre-web to run. Please install it using pip: "pip install lxml" ***')
+        web_server.stop(True)
         sys.exit(6)
+    if not wtf_present:
+        log.info('*** "flask-WTF" is needed for calibre-web to run. Please install it using pip: "pip install flask-WTF" ***')
+        print('*** "flask-WTF" is needed for calibre-web to run. Please install it using pip: "pip install flask-WTF" ***')
+        web_server.stop(True)
+        sys.exit(7)
+    for res in dependency_check() + dependency_check(True):
+        log.info('*** "{}" version does not fit the requirements. Should: {}, Found: {}, please consider installing required version ***'
+            .format(res['name'],
+                 res['target'],
+                 res['found']))
     app.wsgi_app = ReverseProxied(app.wsgi_app)
-    # For python2 convert path to unicode
-    if sys.version_info < (3, 0):
-        app.static_folder = app.static_folder.decode('utf-8')
-        app.root_path = app.root_path.decode('utf-8')
-        app.instance_path = app.instance_path.decode('utf-8')
 
     if os.environ.get('FLASK_DEBUG'):
         cache_buster.init_cache_busting(app)