From c1f026b22f3f6155e048ec4f0c3631abe6e904fd Mon Sep 17 00:00:00 2001 From: yu-i-i Date: Thu, 13 Nov 2025 18:09:56 +0100 Subject: [PATCH] Release v5.5.6-ext-v3.2 --- Extended-CE:-Environment-Variables.md | 7 +++++ Extended-CE:-From-External-URL.md | 43 +++++++++++++++++++++++++++ Extended-CE:-Installation.md | 9 +++--- Extended-CE:-Useful-Links.md | 7 +++++ Home.md | 7 +++++ _Sidebar.md | 18 ++++++----- 6 files changed, 79 insertions(+), 12 deletions(-) create mode 100644 Extended-CE:-Environment-Variables.md create mode 100644 Extended-CE:-Useful-Links.md diff --git a/Extended-CE:-Environment-Variables.md b/Extended-CE:-Environment-Variables.md new file mode 100644 index 0000000..5707613 --- /dev/null +++ b/Extended-CE:-Environment-Variables.md @@ -0,0 +1,7 @@ +## Environment Variables + +In addition to the [environment variables used in upstream Overleaf Server CE](https://docs.overleaf.com/on-premises/configuration/overleaf-toolkit/environment-variables), +the following variables has been added in Extended CE: + +- `MAX_UPLOAD_SIZE` + * Specifies the maximum size of an uploaded project or file, in MB. The default value is 50 MB. diff --git a/Extended-CE:-From-External-URL.md b/Extended-CE:-From-External-URL.md index c756813..20e341c 100644 --- a/Extended-CE:-From-External-URL.md +++ b/Extended-CE:-From-External-URL.md 
@@ -7,3 +7,46 @@ ENABLED_LINKED_FILE_TYPES=project_file,project_output_file,url ``` This will extend both the *Add Files* menu and the *Insert Figure* dropdown in the toolbar: the *Add Files* menu allows you to add a file to your project using its URL, while the *Insert Figure* dropdown lets you insert an image into your document directly from its URL. + +### Security Note + +When users add a link to an external file in their projects, the file is fetched on behalf of the server where Overleaf is installed. + +If the Overleaf server is hosted inside a private network that also contains internal HTTP servers (intended only for internal use), +a user with access to Overleaf could potentially access data from these internal services. + +To prevent this, links to external files must not point to servers whose IP addresses belong to any of the restricted network ranges. These are: + +- `127.0.0.0/8` (loopback) +- `169.254.0.0/16` (link-local) +- `10.0.0.0/8` (private network) +- `172.16.0.0/12` (private network) +- `192.168.0.0/16` (private network) + +In addition, the following environment variable is introduced: + +- `OVERLEAF_LINKED_URL_BLOCKED_NETWORKS` + * A whitespace-separated list of networks in CIDR notation from which external resources are prohibited from being fetched. + Typically, this should include the organization's internal network. + + - Example: + `OVERLEAF_LINKED_URL_BLOCKED_NETWORKS=123.123.0.0/16 124.124.124.0/24` + +However, in many organizations, servers within the internal network may also host data that should be publicly accessible. +To allow access to specific resources even if the entire network is blocked, the following environment variable is provided: + +- `OVERLEAF_LINKED_URL_ALLOWED_RESOURCES` + * A regular expression defining allowed web resources from which external files may be fetched. + If a URL matches this regular expression, access to it is granted even if its network is otherwise blocked. 
+ + - Example: To allow URLs like + `https://www.example.com/~john/pictures/frog.jpg` and + `http://www.example.com/public/whatever/lit.bib`: + + `OVERLEAF_LINKED_URL_ALLOWED_RESOURCES=^https?://www\.example\.com/(?:~[^/]+|public)(?:/.*)?` + + - Example: To deny URLs like + `http://www.example.com/private/whatever/file`, + while allowing all other resources not in the `private` subtree: + + `OVERLEAF_LINKED_URL_ALLOWED_RESOURCES=^https?://www\.example\.com/(?!private)(?:.*)` diff --git a/Extended-CE:-Installation.md b/Extended-CE:-Installation.md index 8c4dd9e..3d2207c 100644 --- a/Extended-CE:-Installation.md +++ b/Extended-CE:-Installation.md @@ -10,13 +10,14 @@ services: image: sharelatex/sharelatex:ext-ce ``` -If you want to build a Docker image of the extended CE based on the upstream v5.5.0 codebase, you can check out the corresponding tag by running: +If you want to build a Docker image of the extended CE based on the upstream v5.5.n version, check out the tag, corresponding to version v5.5.0-ext-v3.2 by running: ``` -git checkout v5.5.0-ext-v3.1 +git checkout v5.5.0-ext-v3.2 ``` -After building the image, switch to the latest state of the repository and check the `server-ce/hotfix` directory. If a subdirectory matching your version (e.g., `5.5.2`) exists, build a patched image. +After building the image, switch to the latest state of the repository, rewiev the `server-ce/hotfix` directory, and build the patched images sequentially: v5.5.1-ext-v3.2,i ..., v5.5.n-ext-v3.2. + Alternatively, you can download a prebuilt image from Docker Hub: ``` -docker pull overleafcep/sharelatex:5.5.2-ext-v3.1 +docker pull overleafcep/sharelatex:5.5.6-ext-v3.2 ``` Make sure to update the image name in `overleaf-toolkit/config/docker-compose.override.yml` accordingly. diff --git a/Extended-CE:-Useful-Links.md b/Extended-CE:-Useful-Links.md new file mode 100644 index 0000000..43cadbd --- /dev/null +++ b/Extended-CE:-Useful-Links.md 
@@ -0,0 +1,7 @@ +## Useful Links + +- [How to increase the maximum compilation time beyond 600 seconds](https://github.com/yu-i-i/overleaf-cep/discussions/37) + +- [How to enable the 'Restore project to this version' feature](https://github.com/yu-i-i/overleaf-cep/discussions/76) + +- [Example of Authentik Identity Provider configuration for OIDC](https://github.com/yu-i-i/overleaf-cep/discussions/68) diff --git a/Home.md b/Home.md index d371123..4b734fe 100644 --- a/Home.md +++ b/Home.md @@ -12,6 +12,13 @@ the [Overleaf Wiki Page](https://github.com/overleaf/overleaf/wiki). ## Extended CE Release Notes +### `v5.5.6-ext-v3.2` + +- Based on upstream release v5.5.6 +- Fixed an issue where Sandboxed Compiles stopped working due to excessively strict seccomp restrictions +- Introduced the `MAX_UPLOAD_SIZE` variable to control the maximum allowed size for uploaded projects and files +- **Security fix**: Files attached from an external URL are now fetched through a proxy. For details, see [Security Note](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-From-External-URL#security-note) + ### `v5.5.4-ext-v3.1` - Based on upstream release v5.5.4 diff --git a/_Sidebar.md b/_Sidebar.md index d76170e..8e557d3 100644 --- a/_Sidebar.md +++ b/_Sidebar.md 
@@ -1,8 +1,10 @@ -## Extended CE -- [Installation](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Installation) -- [Sandboxed Compiles](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Sandboxed-Compiles) -- [LDAP Authentication](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-LDAP-Authentication) -- [SAML Authentication](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-SAML-Authentication) -- [OIDC Authentication](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-OIDC-Authentication) -- [Template Gallery](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Template-Gallery) -- [From External URL Feature](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-From-External-URL) +## Extended CE +- [Installation](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Installation) +- [Sandboxed Compiles](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Sandboxed-Compiles) +- [LDAP Authentication](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-LDAP-Authentication) +- [SAML Authentication](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-SAML-Authentication) +- [OIDC Authentication](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-OIDC-Authentication) +- [Template Gallery](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Template-Gallery) +- [From External URL Feature](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-From-External-URL) +- [Environment Variables](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Environment-Variables) +- [Useful Links](https://github.com/yu-i-i/overleaf-cep/wiki/Extended-CE:-Useful-Links)
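Review bot: In the new `Extended-CE:-Environment-Variables.md`, only `MAX_UPLOAD_SIZE` is listed, although this same patch documents `OVERLEAF_LINKED_URL_BLOCKED_NETWORKS` and `OVERLEAF_LINKED_URL_ALLOWED_RESOURCES` in `Extended-CE:-From-External-URL.md`. Add both here with a link to the Security Note, so that operators who use this page as the reference do not miss the two settings that control the fetch restrictions. In the sentence above the list, "the following variables has been added" should read "have been added".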
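Review bot: In the `Extended-CE:-From-External-URL.md` hunk, the second `OVERLEAF_LINKED_URL_ALLOWED_RESOURCES` example, `^https?://www\.example\.com/(?!private)(?:.*)`, is a deny-by-exception pattern for a setting that overrides the network block, and the text never says what string the expression is matched against. Please state whether the URL is normalised before matching and whether redirect targets are re-checked, and recommend the allow-list form of the first example as the default. That first example has no end anchor, so if matching is a search rather than a full match it also accepts `/publicfoo`; a `/` or `$` after `public` would close that. Separately, the list of restricted ranges is IPv4 only. Say whether IPv6 loopback, link-local and unique-local addresses are blocked by default or have to be added to `OVERLEAF_LINKED_URL_BLOCKED_NETWORKS`, and whether the check is applied to the address the host name resolves to.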
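Review bot: In the `Extended-CE:-Installation.md` hunk, the added line beginning "After building the image" has two typos: "rewiev" should be "review", and there is a stray `i` in `v5.5.1-ext-v3.2,i ..., v5.5.n-ext-v3.2`. The removed sentence told the reader how to find the right hotfix ("If a subdirectory matching your version (e.g., `5.5.2`) exists"); the new wording says to build the patched images sequentially but no longer says how the subdirectories of `server-ce/hotfix` map to those tags, so keep that hint. In the first changed sentence, "check out the tag, corresponding to version v5.5.0-ext-v3.2 by running" reads better without the comma.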
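Review bot: In the `Home.md` hunk, the release note says files from an external URL "are now fetched through a proxy", but the Security Note it links to, added in this same patch, never mentions a proxy and describes only blocked network ranges and the two new variables. Align the two texts: either have the Security Note explain the proxy and where the range check is enforced, or have the release note name the default blocked ranges and the `OVERLEAF_LINKED_URL_BLOCKED_NETWORKS` and `OVERLEAF_LINKED_URL_ALLOWED_RESOURCES` variables. Since this is a behaviour change, a line noting that linked files on the restricted ranges are now refused unless allowed would help operators who are upgrading.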
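Review bot: In the `_Sidebar.md` hunk, all eight existing lines are removed and re-added with the same visible text, so the only real change (the two new entries for Environment Variables and Useful Links) is buried in a full rewrite. This usually means a line-ending or trailing-whitespace change slipped in; please restore the original bytes for the unchanged lines, or split the whitespace normalisation into its own commit, so that the diff shows only the two added links.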