Commit Graph

25378 Commits

Author SHA1 Message Date
Tim Abbott f4aea3ec22 invite: Clarify variable names for rendered_email_msg. 2018-04-12 09:48:02 -07:00
Tim Abbott 0db715d222 search_suggestion: Add escaping for email addresses.
This is probably unnecessary, but makes me feel better about every
code path in this file doing proper escaping to avoid XSS issues.
2018-04-12 09:47:01 -07:00
Tim Abbott 65b9d9e0f3 CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
Zulip's search typeahead had a security bug, where when autocompleting
a specially crafted stream name, and then hitting space, code within
the stream name would be executed.

Zulip was doing HTML escaping correctly in the main code path using
Filter.describe to describe a narrow, but the escaping function was
not called in a few parallel code paths.  We fix this in a way that
should protect all of these code paths, by making Filter.describe
return properly escaped HTML, rather than depending on its callers to
do so.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:54 -07:00
Rohitt Vashishtha 3bdc8bbaa5 CVE-2018-9986: Fix XSS issues with frontend markdown processor.
This fixes a set of XSS issues with Zulip's frontend markdown
processor, which is used in a limited set of contexts, such as local
echo of messages and the drafts feature.

The implementation of several syntax elements, including the <em>
syntax, user and stream mentions, and some others failed to properly
escape the content inside the syntax.

Fix this, and add tests for each corrected code path.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:37 -07:00
Tim Abbott 1207a08b36 CVE-2018-9987: Fix XSS issue with muting notifications.
This fixes an XSS issue with Zulip's muting UI, where if a stream or
topic name contained malicious HTML containing JavaScript, and the
user did a muting interaction, the malicious JavaScript could run when
rendering the "you just muted a topic" notification.

We did an audit for similarly problematic use of `.html`, and found
none; for the next release we'll be merging a series of changes to our
linter to prevent future instances of this being added.

Thanks to Suhas Sunil Gaikwad for reporting this issue.
2018-04-12 09:46:03 -07:00
YJDave 92a04b31a0 custom fields: Clean custom fields to use existing defined function. 2018-04-12 09:40:09 -07:00
guaca a19daf0ab2 Settings: Fix vertical spacing.
Removed the top margin of input-group css
 to prevent the double margins. Also fixed the
 default-language positioning, and maintained
margin consistency in organization settings.

Fixes #8890.
2018-04-12 09:38:24 -07:00
Axel Tietje 8f984be457 docs: Fix typo in production docs. 2018-04-12 09:19:26 -07:00
Lyla Fischer d291def7a1 user-docs subsystem: Fix broken markdown. 2018-04-12 09:09:56 -07:00
Lyla Fischer 390eeaab5b help: Remove follow-steps doc macro. 2018-04-11 16:44:08 -07:00
Lyla Fischer 00255ad7c0 help: Remove the go-to-the macro. 2018-04-11 16:44:08 -07:00
Shubham Padia 55619cbe70 browser-support: Add string.prototype.endswith polyfill.
String.prototype.endsWith is not supported in ie11.
Adds string.prototype.endswith package to dependencies and places
it at `common` entry point in webpack.assets.json.
2018-04-11 15:40:57 -07:00
Tim Abbott e6833b6427 cleanup: Remove the legacy Dropbox file upload integration.
This has been hard-disabled for years, we have no plans to re-enable
it, and it has some hacky code in it.
2018-04-11 11:39:48 -07:00
Aditya Bansal 6c1a50da76 csp_reports: Add endpoint to handle logging of reports sent by clients. 2018-04-11 23:01:13 +05:30
YJDave 95461761e4 subscription: Show current user on top of subscribers list if present.
Fixes #9027.
2018-04-11 09:54:42 -07:00
YJDave c662867f14 subscription: Add comments for recent changes covering corner cases. 2018-04-11 09:51:52 -07:00
Vishnu Ks 132754f2ef requirements: Downgrade pika to 0.11.0.
Downgrading as issue #8466 is not fixed yet.
2018-04-11 09:31:10 -07:00
Vishwesh Jainkuniya 383c62fb03 dev_login: Identify each user's realm when listing them.
This is a mobile-specific endpoint used for logging into a dev server.
On mobile without this realm_uri it's impossible to send a login request
to the corresponding realm on the dev server and proceed further; we can
only guess, which doesn't work for using multiple realms.

Also rename the endpoint to reflect the additional data.

Testing Plan:
Sent a request to the endpoint, and inspected the result.

[greg: renamed function to match, squashed renames with data change,
 and adjusted commit message.]
2018-04-10 17:03:36 -07:00
Tim Abbott a463743107 puppet: Add Content-Security-Policy for user avatars.
This adds a basic Content-Security-Policy for user-uploaded avatars
served by the LOCAL_UPLOADS backend.

I think this is for now an unnecessary follow-up to
d608a9d315, but is worth doing because
we may later change what can be uploaded in the avatars directory.
2018-04-10 14:43:08 -07:00
Rhea Parekh f7398cbb09 slack import: Implement custom profile fields.
Add custom profile fields in the slack converted
data 'realm' file.
Added tests for the custom profile fields.

Fixes #8928
2018-04-10 13:28:53 -07:00
Rhea Parekh 852e8516b4 slack import: Add custom profile fields.
Build CustomProfileField and CustomProfileFieldValue
for every user and process the field type after getting an
entire list of the custom fields.
2018-04-10 13:28:53 -07:00
Rhea Parekh ccefaf7b26 scripts: Remove the depreciated script 'postgres-reset-sequences'. 2018-04-10 13:07:14 -07:00
Marco Burstein c36a658fee uploads: Fix the upload progress bar.
There was already a progress bar set up, but it became non-functional
after refactoring.  This fixes it.

The default animation was getting cut off when `uploadFinished` is
called, so we add a delay before removing the upload bar to make it
get to the end.

Tweaked by tabbott to have a more natural feeling animation setup
(where we don't animate the width adjustments; just the disappearance
of the bar).

Fixes #8863.
2018-04-09 22:53:06 -07:00
Tim Abbott a4def8d409 copy_and_paste: Re-disable copy-paste handler in production.
This reverts commit 6e048c5d3f.

See #8963 for the main issue we need to fix before re-enabling this;
basically, some combination of toMarkdown and the way text/html gets
written was introducing a lot of bonus/bogus whitespace, both in the
form of newlines and spaces converted to `&nbsp;`.
2018-04-09 22:10:28 -07:00
rht a183186672 slack importer: User session.get to recycle previous connections. 2018-04-09 22:02:01 -07:00
Shubham Dhama b650b6b38c markdown: Add @stream as an alias for @all.
Fixes: #8930.
2018-04-09 16:35:14 -07:00
Shubham Dhama 771db7fb90 compose typeahead: Refactor repeating code for all and everyone mentions.
This is minor refactor with which we can simply add other aliases for
"all" and "everyone" mentions.
2018-04-09 16:35:14 -07:00
Marco Burstein 7c66d11781 compose: Show avatars for people in typeahead autocompletes.
`@everone` and `@all` will have a megaphone icon from FontAwesome in
place of the avatar.

Also, fix the `composebox_typeahead` tests to account for the images.

Fix #6635.
2018-04-09 15:47:11 -07:00
Tim Abbott 9b8dd4f125 install-yarn: Fix buggy status check for the signature.
Apparently, they added a new signing key instance, and so checking
whether the old key exists doesn't work anymore.
2018-04-09 15:09:37 -07:00
Aditya Bansal d608a9d315 uploads: Add Content-Security-Policy for user uploads.
This adds a basic Content-Security-Policy for user-uploaded files with local uploads.

While over time, we plan to add CSP for the main site as well, this CSP is particularly
important for the local-uploads backend, which often shares a domain with the main site.
2018-04-09 14:43:02 -07:00
Priyank ee078c372f install-node: Upgrade node, yarn, and nvm.
node -> v8.9.4
yarn -> 1.5.1
nvm -> 0.33.8

Also updates a test in timerender.js which depends on time
provided by node which is now changed in newer release.

Some changes have been made in circeci script, we just create ~/.config
directory and chown it to circleci user so installing new version of yarn
does not cause any ci failure on circleci during provision.
2018-04-09 13:56:48 -07:00
Shubham Padia 57a494f94d browser-support: Add codepointat polyfill to `common` entry point.
Adds string.prototype.codepointat which was added as a polyfill
earlier to the project but was not added to `common` entry point.
2018-04-09 12:16:19 -07:00
Shubham Padia b906562f22 browser-support: Add string.prototype.startsWith polyfill.
Fixes #8944.
Adds string.prototype.startswith package to dependencies and places
it at `common` entry point in webpack.assets.json. As common.js is
loaded on all code paths first, there is no need to place this package
into other entry points.
2018-04-09 12:16:19 -07:00
Tim Abbott 37a83285c4 people: Clean up now-unnecessary url variable. 2018-04-09 12:12:44 -07:00
Tim Abbott 40421c5000 people: Refactor small_avatar_url logic for emails. 2018-04-09 12:12:44 -07:00
Tim Abbott dfac0302fc people: Extract small_avatar_url_for_person.
This is intended to be used in places like compose typeahead to
display users' avatars.
2018-04-09 12:12:44 -07:00
Tim Abbott 3bfd96d8ed people: Use a return for message.avatar_url code path.
This helps clean up this code path a bit.
2018-04-09 12:07:41 -07:00
Tim Abbott 5bcfecd0dc people: Extract gravatar_url_for_email. 2018-04-09 12:07:41 -07:00
rht 7a8655cc50 Slack importer: Add test for Slack channel mention to Zulip stream mention. 2018-04-09 10:47:39 -07:00
rht 630adb406b Slack importer: Map Slack channel mentions to Zulip stream mentions. 2018-04-09 10:47:39 -07:00
Rhea Parekh 035c440ff3 import script: Support import custom profile fields.
Import of Custom profile fields is only supported for slack
import script for now.
2018-04-09 10:45:35 -07:00
Tim Abbott c41d7ee300 slack import: Write reasonable multi-line JSON.
This is a lot better for debugging.
2018-04-09 10:45:35 -07:00
YJDave 025956482a subscription: Fix error in appending current user on top of subscriber list. 2018-04-08 16:54:12 -07:00
YJDave f5a7d125c9 subscription: Clean functions `peer_subscribe` and `peer_unsubscribe`. 2018-04-08 16:54:12 -07:00
YJDave dcf9355502 subs.js: Rename function to `check_button_for_sub` to be more specific. 2018-04-08 16:54:12 -07:00
YJDave ed70a92ed3 subscription: Fix error in being re-subscribed to private stream.
Fixes #9023
2018-04-08 16:54:12 -07:00
YJDave 24f51739eb subscription: Add real time sync for user-just-deactivated case.
Currently, stream subscriptions aren't getting updated without
hard reload when user is deactivated in realm.

Fix this issue by updating stream subscription widgets on user
deactivation event.

Fixes #5623
2018-04-08 16:54:12 -07:00
YJDave cf40536ed2 stream_edit.js: Add helper func to rerender all subscriptions settings.
This add the function to rerender subscriptions settings which includes
subscriber count and subscriber list only if subscriptions tab is active.
2018-04-08 16:54:12 -07:00
YJDave 211eba2c56 stream_edit.js: Add helper func to check if sub settings tab is active.
This commit adds a new helper func to check if sub settings tab
is active or not and remove function `add_me_to_member_list`
function from `static/js/stream_edit.js`, cause we don't need to
render subscribers for particular case, as we are already doing that.
2018-04-08 16:54:12 -07:00
YJDave 386c56b466 stream_data.js: Replace user_email with user_id in func is_user_subscribed. 2018-04-08 16:54:12 -07:00