* Fix IDOR in exports by adding token verification

Implement jdleesmiller's suggested fix for Issue #31637:
- V1: Return export token in create response
- V1: Verify token in get_export using secure_compare
- Web: Pass token through fetchExport and fetchDownload
- Web: Return token from exportProject to frontend
- Frontend: Pass token as query param on status/download requests
- Add tests for both services

Agent-Logs-Url: https://github.com/overleaf/internal/sessions/7ba5f535-fba2-49a8-91d4-c87bd332d3a0
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>

Fix window.location.pathname to .href to preserve query params

Code review correctly identified that window.location.pathname strips query parameters. Switch to window.location.href so the token query parameter is preserved in download URLs.

Agent-Logs-Url: https://github.com/overleaf/internal/sessions/7ba5f535-fba2-49a8-91d4-c87bd332d3a0
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>

Fix test mocks to include token in POST responses

Agent-Logs-Url: https://github.com/overleaf/internal/sessions/0350c6ef-0fff-4e98-8464-812cd92c523f
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>

fix formatting

Fix token assignment in initiateExport to use pollResponse token if available

Add requireExportToken config setting and tests for invalid/missing token cases

Agent-Logs-Url: https://github.com/overleaf/internal/sessions/059bdba2-4f7a-4407-a5a5-cfcffd888739
Co-authored-by: briangough <7457354+briangough@users.noreply.github.com>

fix formatting

Add tests for export status and token validation in ExportsController and MockV1Api

Co-authored-by: Copilot <copilot@github.com>

* Update services/v1/main/app/controllers/api/v1/overleaf/exports_controller.rb

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix linting

* fix fetchString response handling in ExportsHandler tests

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Brian Gough <briangough@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Brian Gough <brian.gough@overleaf.com>
GitOrigin-RevId: 399aef8eaa15ab3655f0905482f3a31fe94e2251
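The commit message above describes the shape of the fix: the export id on its own was enough to fetch any export (an IDOR), so the create response now also returns a random token that the client must echo back, and the lookup verifies it with a constant-time comparison. The following is an added illustration written for this page, not code from the Overleaf repository: the ExportsService class, its in-memory store and the export_status_url helper are hypothetical stand-ins for the V1 exports controller and the web/frontend plumbing, and secure_compare is reimplemented locally (following the hash-then-XOR approach of ActiveSupport::SecurityUtils.secure_compare) only so the file runs without Rails.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# Constant-time comparison, local reimplementation for this example.
# Hash both inputs to a fixed length, XOR every byte, then confirm equality,
# so the running time does not reveal how many leading bytes of a guessed
# token matched. A Rails app would call ActiveSupport::SecurityUtils.secure_compare.
def secure_compare(a, b)
  a_digest = Digest::SHA256.digest(a.to_s)
  b_digest = Digest::SHA256.digest(b.to_s)
  mismatch = 0
  a_digest.bytes.each_with_index { |byte, i| mismatch |= byte ^ b_digest.getbyte(i) }
  mismatch.zero? && a.to_s == b.to_s
end

# Hypothetical in-memory stand-in for the V1 export service.
class ExportsService
  Export = Struct.new(:id, :project_id, :status, :token)
  class NotFound < StandardError; end

  def initialize
    @exports = {}
    @next_id = 0
  end

  # Create an export. The response carries the token the caller must present
  # on every later status/download request for this export.
  def create(project_id)
    @next_id += 1
    token = SecureRandom.hex(32) # 256 random bits, not guessable by enumeration
    @exports[@next_id] = Export.new(@next_id, project_id, 'pending', token)
    { id: @next_id, token: token }
  end

  # Before the fix: the export id, a small sequential integer, is the only
  # thing checked, so any caller can read anyone's export by changing the id
  # in the URL. This is the IDOR the commit removes.
  def get_export_insecure(id)
    export = @exports[id]
    raise NotFound unless export
    { id: export.id, project_id: export.project_id, status: export.status }
  end

  # After the fix: the caller must also supply the token issued by create().
  # A missing or wrong token produces the same NotFound as an unknown id, so
  # the response does not confirm whether the id exists.
  def get_export(id, token)
    export = @exports[id]
    raise NotFound unless export
    raise NotFound if token.nil? || !secure_compare(export.token, token)
    { id: export.id, project_id: export.project_id, status: export.status }
  end
end

# The URL the frontend polls for status. The token travels as a query
# parameter, which is why the client must build download links from the
# full href rather than from the pathname (which drops the query string).
def export_status_url(base_url, export_id, token)
  "#{base_url}/exports/#{export_id}?token=#{URI.encode_www_form_component(token)}"
end

if __FILE__ == $PROGRAM_NAME
  svc = ExportsService.new
  created = svc.create(42)
  puts export_status_url('https://example.test', created[:id], created[:token])
  puts svc.get_export(created[:id], created[:token]).inspect
  begin
    svc.get_export(created[:id], 'wrong-token')
  rescue ExportsService::NotFound
    puts 'wrong token rejected'
  end
end
```

Two design points worth keeping from the commit when porting this pattern: the token is generated server-side with a CSPRNG and is never derived from the id, and a failed token check returns the same error as a missing export so an attacker cannot use the status endpoint to enumerate which ids exist.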
An open-source online real-time collaborative LaTeX editor.
Wiki • Server Pro • Contributing • Mailing List • Authors • License
Figure 1: A screenshot of a project being edited in Overleaf Community Edition.
Community Edition
Overleaf is an open-source online real-time collaborative LaTeX editor. We run a hosted version at www.overleaf.com, but you can also run your own local version, and contribute to the development of Overleaf.
Caution
Overleaf Community Edition is intended for use in environments where all users are trusted. Community Edition is not appropriate for scenarios where isolation of users is required, because Sandboxed Compiles are not available. When not using Sandboxed Compiles, users have full read and write access to the sharelatex container resources (filesystem, network, environment variables) when running LaTeX compiles, so any user who can trigger a compile can read or modify other users' project files and any secrets visible to that container.
For more information on Sandboxed Compiles check out our documentation.
Enterprise
If you want help installing and maintaining Overleaf in your lab or workplace, we offer an officially supported version called Overleaf Server Pro. It also includes more features for security (SSO with LDAP or SAML), administration and collaboration (e.g. tracked changes). Find out more!
Keeping up to date
Sign up to the mailing list to get updates on Overleaf releases and development.
Installation
We have detailed installation instructions in the Overleaf Toolkit.
Upgrading
If you are upgrading from a previous version of Overleaf, please see the Release Notes section on the Wiki for all of the versions between your current version and the version you are upgrading to.
Overleaf Docker Image
This repo contains two dockerfiles: Dockerfile-base, which builds the sharelatex/sharelatex-base image, and Dockerfile, which builds the sharelatex/sharelatex (or "community") image.
The base image generally contains the basic dependencies like wget, plus texlive. We split this out because it's a pretty heavy set of dependencies, and it's nice to not have to rebuild all of that every time.
The sharelatex/sharelatex image extends the base image and adds the actual Overleaf code and services.
Use make build-base and make build-community from server-ce/ to build these images.
We use the Phusion base-image (which is extended by our base image) to provide us with a VM-like container in which to run the Overleaf services. Baseimage uses the runit service manager to manage services, and we add our init-scripts from the server-ce/runit folder.
Contributing
Please see the CONTRIBUTING file for information on contributing to the development of Overleaf.
Authors
License
The code in this repository is released under the GNU AFFERO GENERAL PUBLIC LICENSE, version 3. A copy can be found in the LICENSE file.
Copyright (c) Overleaf, 2014-2025.
