zulip/zerver/lib
Alex Vandiver 2f6c5a883e CVE-2023-22735: Provide the Content-Disposition header from S3.
The Content-Type of user-provided uploads was provided by the browser
at initial upload time, and stored in S3; however, 04cf68b45e
switched to determining the Content-Disposition merely from the
filename.  This makes uploads vulnerable to a stored XSS, wherein a
file uploaded with a content-type of `text/html` and an extension of
`.png` would be served to browsers as `Content-Disposition: inline`,
which is unsafe.

The `Content-Security-Policy` headers in the previous commit mitigate
this, but only for browsers which support them.

Revert parts of 04cf68b45e, specifically by allowing S3 to provide
the Content-Disposition header, and using the
`ResponseContentDisposition` argument when necessary to override it to
`attachment`.  Because we expect S3 responses to vary based on this
argument, we include it in the cache key; since the query parameter
has dashes in it, we can't use the helper `$arg_` variables, and
must parse it from the query parameters manually.

Adding the disposition may decrease the cache hit rate somewhat, but
downloads are infrequent enough that it is unlikely to have a
noticeable effect.  We take care to not adjust the cache key for
requests which do not specify the disposition.
2023-02-07 17:09:52 +00:00
markdown help: Improve relative settings links for documentation on bots. 2023-02-06 15:06:15 -08:00
upload CVE-2023-22735: Provide the Content-Disposition header from S3. 2023-02-07 17:09:52 +00:00
url_preview ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
webhooks ruff: Fix SIM102 nested `if` statements. 2023-01-23 11:18:36 -08:00
__init__.py
addressee.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
alert_words.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
async_utils.py requirements: Upgrade Python requirements. 2022-05-03 10:10:06 -07:00
attachments.py
avatar.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
avatar_hash.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
bot_config.py bot_config: Placate mypy 0.930. 2021-12-28 09:31:55 -08:00
bot_lib.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
bot_storage.py
bulk_create.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
cache.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
cache_helpers.py typing: Import ValuesQuerySet alias from django_stubs_ext. 2022-10-05 16:15:56 -07:00
camo.py typing: Apply trivial none-checks with assertions as necessary. 2022-06-23 19:25:48 -07:00
ccache.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
compatibility.py ruff: Fix DTZ004 `datetime.datetime.utcfromtimestamp()`. 2023-01-04 16:25:07 -08:00
context_managers.py
create_user.py python: Clean up getattr, setattr, delattr calls with literal names. 2022-10-10 08:40:28 -07:00
data_types.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
db.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
debug.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
dev_ldap_directory.py tests: Update tests to use example profile picture. 2022-10-31 14:36:54 -07:00
digest.py ruff: Fix C414 Unnecessary `list` call within `sorted()`. 2022-11-03 12:10:15 -07:00
display_recipient.py typing: Import ValuesQuerySet alias from django_stubs_ext. 2022-10-05 16:15:56 -07:00
domains.py
drafts.py typing: Remove ViewFuncT. 2022-08-22 15:46:16 -07:00
email_mirror.py email_mirror: Ensure that attachments get space to be included. 2023-01-24 13:22:13 -08:00
email_mirror_helpers.py
email_notifications.py emails: Improve followup_day1 (registration confirmation) email. 2023-02-02 17:16:43 -08:00
email_validation.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
emoji.py emoji: Disallow `.` in custom emoji names. 2023-01-31 17:28:33 -08:00
error_notify.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
event_schema.py ruff: Fix SIM118 Use `key in dict` instead of `key in dict.keys()`. 2023-01-04 16:25:07 -08:00
events.py ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
exceptions.py exceptions: Accept lazy translation as JsonableError argument. 2023-02-03 16:36:54 -08:00
export.py ruff: Fix SIM300 Yoda conditions are discouraged. 2023-02-03 16:36:54 -08:00
external_accounts.py typing: Import StrPromise alias from django_stubs_ext. 2022-10-05 16:15:56 -07:00
fix_unreads.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
generate_test_data.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
github.py ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
home.py ruff: Fix SIM118 Use `key in dict` instead of `key in dict.keys()`. 2023-01-04 16:25:07 -08:00
hotspots.py ruff: Fix SIM118 Use `key in dict` instead of `key in dict.keys()`. 2023-01-04 16:25:07 -08:00
html_diff.py html_diff: Handle empty differences between empty strings. 2021-10-18 18:27:40 -07:00
html_to_text.py
i18n.py django: Use HttpRequest.headers. 2022-05-13 20:42:20 -07:00
import_realm.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
initial_password.py initial_password: Add explicit development environment assertion. 2022-03-21 12:05:59 -07:00
integrations.py ruff: Fix C417 Unnecessary `map` usage. 2022-11-03 12:10:15 -07:00
logging_util.py ruff: Fix SIM105 Use `contextlib.suppress` instead of try-except-pass. 2023-01-23 11:18:36 -08:00
management.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
mdiff.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
mention.py markdown: Update characters allowed before @ and stream mentions. 2022-08-06 19:29:39 -07:00
message.py ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
migrate.py
mobile_auth_otp.py
name_restrictions.py name_restrictions: Add your-org.zulipchat.com as a reserved name. 2022-05-17 14:58:31 -07:00
narrow.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
notes.py notes: Separate __notes_map per-subclass. 2022-10-10 08:42:13 -07:00
notification_data.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
onboarding.py create_user: Use transaction.atomic decorator for do_create_user. 2023-01-26 10:49:19 -08:00
outgoing_http.py python: Replace requests.packages.urllib3 alias with urllib3. 2022-01-23 22:14:17 -08:00
outgoing_webhook.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
presence.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
profile.py profile: Strengthen decorator types using ParamSpec. 2022-04-14 12:44:35 -07:00
push_notifications.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
pysa.py
queue.py ruff: Fix G004 Logging statement uses f-string. 2023-02-04 16:36:20 -08:00
rate_limiter.py ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
realm_description.py
realm_icon.py
realm_logo.py realm: Rename plan type constants to be more descriptive. 2021-10-19 12:20:39 -07:00
recipient_users.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
redis_utils.py
remote_server.py remote_server: Check for missing ZULIP_ORG_ID, ZULIP_ORG_KEY. 2023-01-04 11:08:56 -08:00
request.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
response.py do_mark_all_as_read: Split up the work into batches. 2022-10-27 16:59:54 -07:00
rest.py ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
retention.py ruff: Fix SIM118 Use `key in dict` instead of `key in dict.keys()`. 2023-01-04 16:25:07 -08:00
safe_session_cached_db.py session: Enforce that changes cannot happen in a transaction. 2022-03-15 13:52:15 -07:00
scim.py mypy: Enable redundant-expr errors. 2022-06-23 19:22:12 -07:00
scim_filter.py scim: Order Users by id when queried using filter syntax. 2021-11-26 16:06:16 -08:00
send_email.py ruff: Fix SIM105 Use `contextlib.suppress` instead of try-except-pass. 2023-01-23 11:18:36 -08:00
server_initialization.py realms: Create default system user groups for internal realm. 2022-08-11 04:38:36 -07:00
sessions.py typing: Add none-checks for miscellaneous cases. 2022-05-31 09:43:55 -07:00
singleton_bmemcached.py cache: Instantiate only one BMemcached cache backend. 2022-05-02 17:41:49 -07:00
soft_deactivation.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
sounds.py actions: Split out zerver.lib.sounds. 2022-04-14 14:26:40 -07:00
sqlalchemy_utils.py sqlalchemy_utils: Remove NonClosingPool.recreate override. 2022-02-10 11:59:41 -08:00
storage.py storage: Fix type annotation of content. 2022-07-27 13:46:13 -07:00
stream_color.py streams: Extract stream_color library. 2022-03-14 18:01:36 -07:00
stream_subscription.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
stream_topic.py stream_topic: Refactor user_ids_muting_topic. 2022-09-27 17:18:48 -07:00
stream_traffic.py streams: Extract stream_traffic library. 2022-03-14 18:01:36 -07:00
streams.py streams: Allow setting can_remove_subscribers_group_id while creating streams. 2023-02-05 14:46:36 -08:00
string_validation.py email_mirror: Replace disallowed characters in incoming email subject. 2022-08-22 17:16:20 -07:00
subdomains.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
subscription_info.py ruff: Fix SIM102 nested `if` statements. 2023-01-23 11:18:36 -08:00
templates.py api-docs: Move markdown files to top level directory. 2023-02-02 17:25:40 -08:00
test_classes.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
test_console_output.py ruff: Fix N818 exception name should be named with an Error suffix. 2022-11-17 16:52:00 -08:00
test_data.source.txt
test_fixtures.py ruff: Fix ANN204 missing return type annotation for __init__. 2022-11-16 09:29:11 -08:00
test_helpers.py requirements: Upgrade Python requirements. 2023-02-03 16:36:54 -08:00
test_runner.py avatars: Serve /user_avatars/ through Django, which offloads to nginx. 2023-01-09 18:23:58 -05:00
tex.py python: Replace universal_newlines with text. 2022-01-23 22:16:01 -08:00
thumbnail.py docs: Remove some outdated references to thumbnailing.md doc. 2022-07-12 17:44:24 -07:00
timeout.py ruff: Fix N818 exception name should be named with an Error suffix. 2022-11-17 16:52:00 -08:00
timestamp.py ruff: Fix N818 exception name should be named with an Error suffix. 2022-11-17 16:52:00 -08:00
timezone.py timezone: Improve tzdata parser’s compatibility with zic(8). 2022-09-20 16:58:31 -07:00
topic.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
transfer.py uploads: Add LOCAL_AVATARS_DIR / LOCAL_FILES_DIR computed settings. 2023-01-09 18:23:58 -05:00
types.py ruff: Fix PIE790 Unnecessary `pass` statement. 2023-01-04 16:25:07 -08:00
unminify.py
url_encoding.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
url_redirects.py help: Add redirect for `help/configure-default-view`. 2023-02-01 06:10:14 -08:00
user_agent.py
user_counts.py actions: Split out zerver.lib.user_counts. 2022-04-14 17:14:30 -07:00
user_groups.py streams: Allow changing can_remove_subscribers_group through API. 2023-02-05 14:46:36 -08:00
user_message.py actions: Split out zerver.lib.user_message. 2022-04-14 17:14:30 -07:00
user_mutes.py
user_status.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
user_topics.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
users.py ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
utils.py
validator.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
widget.py
zcommand.py actions: Split out zerver.actions.user_settings. 2022-04-14 17:14:34 -07:00
zephyr.py