zulip/zerver/views
Anders Kaseorg 780ecb672b CVE-2019-16216: Fix MIME type validation.
* Whitelist a small number of image/ types to be served as
  non-attachments.
* Serve the file using the type that we validated rather than relying
  on an independent guess to match.

This issue can lead to a stored XSS security vulnerability for older
browsers that don't support Content-Security-Policy.

It primarily affects servers using Zulip's local file uploads backend
for servers running Ubuntu 16.04 Xenial or newer; the legacy local
file upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected
and it has limited impact for the S3 upload backend (which uses an
unprivileged S3 bucket domain to serve files).

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-09-11 15:46:36 -07:00
..
development development: Accept ToS for create user buttons. 2019-08-26 13:55:55 -07:00
__init__.py
alert_words.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
archive.py archive: Fix typing for prev_sender variable. 2019-07-29 15:23:10 -07:00
attachments.py uploads: Show used upload space in attachments UI. 2019-03-07 20:18:00 -08:00
auth.py zerver: Accept HEAD requests wherever GET requests are accepted. 2019-08-12 16:47:41 -07:00
camo.py camo: Clean up type ignores. 2019-08-09 16:39:16 -07:00
compatibility.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
custom_profile_fields.py custom fields: Add default external account custom fields. 2019-08-28 15:35:53 -07:00
digest.py digest: Fix the styling of /digest page. 2019-01-07 13:09:29 -08:00
documentation.py email: Remove special integration doc behavior when gateway not set. 2019-08-05 17:33:05 -07:00
email_mirror.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
events_register.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
home.py storage: Stop using django-pipeline. 2019-07-24 17:40:31 -07:00
hotspots.py views: Fix imports of REQ/has_request_variables from the wrong place. 2017-10-27 15:07:31 -07:00
invite.py decorator: Refactor @require_non_guest_human_user decorator. 2019-06-18 17:11:58 -07:00
messages.py search: Reimplement ts_locs_array in pure PostgreSQL. 2019-08-28 17:59:12 -07:00
muting.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
pointer.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
presence.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
push_notifications.py views: Remove unused imports. 2019-02-02 17:23:43 -08:00
reactions.py views: Remove unused imports. 2019-02-02 17:23:43 -08:00
realm.py zerver: Accept HEAD requests wherever GET requests are accepted. 2019-08-12 16:47:41 -07:00
realm_domains.py lint: Fix calls to _() on computed strings. 2019-04-23 15:23:03 -07:00
realm_emoji.py openapi: Fix handling of parameters passed via the URL/path. 2019-08-19 15:06:08 -07:00
realm_export.py data export: Add limits on exporting large organizations. 2019-08-12 18:21:09 -07:00
realm_filters.py views: Remove unused imports. 2019-02-02 17:23:43 -08:00
realm_icon.py zerver/views: Use python 3 syntax for typing. 2017-10-26 21:58:22 -07:00
realm_logo.py realm_logo: Remove redundant `realm_logo_url` function. 2019-08-20 12:07:20 -07:00
registration.py get_realm: raise DoesNotExist instead of returning None. 2019-05-06 21:58:16 -07:00
report.py settings: Unset STATIC_ROOT in development. 2019-07-24 17:40:31 -07:00
storage.py views: Remove unused imports. 2019-02-02 17:23:43 -08:00
streams.py openapi: Fix handling of parameters passed via the URL/path. 2019-08-19 15:06:08 -07:00
submessage.py views: Remove unused imports. 2019-02-02 17:23:43 -08:00
thumbnail.py views: Remove unused imports. 2019-02-02 17:23:43 -08:00
tutorial.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
typing.py request: Remove ExtractRecipients type safety hole on REQ. 2019-08-07 15:26:59 -07:00
unsubscribe.py emails: Move clear_scheduled_*emails to send_email.py. 2019-03-15 11:02:17 -07:00
upload.py CVE-2019-16216: Fix MIME type validation. 2019-09-11 15:46:36 -07:00
user_groups.py api: Remove spammy json_success content for edit_user_group. 2019-07-09 13:04:47 -07:00
user_settings.py notifications: Allow only notifiable in unread count. 2019-07-13 15:49:04 -07:00
users.py settings: Add FAKE_EMAIL_DOMAIN setting. 2019-08-30 14:59:00 -07:00
video_calls.py compose: Add support for using Zoom as the video chat provider. 2019-01-07 10:00:02 -08:00
zephyr.py zephyr: Fix typing for cred parameter. 2019-07-29 15:23:10 -07:00