Alex Vandiver 2f6c5a883e CVE-2023-22735: Provide the Content-Disposition header from S3.
The Content-Type of user-provided uploads was provided by the browser
at initial upload time, and stored in S3; however, 04cf68b45e
switched to determining the Content-Disposition merely from the
filename.  This makes uploads vulnerable to a stored XSS, wherein a
file uploaded with a content-type of `text/html` and an extension of
`.png` would be served to browsers as `Content-Disposition: inline`,
which is unsafe.

The `Content-Security-Policy` headers in the previous commit mitigate
this, but only for browsers which support them.

Revert parts of 04cf68b45e, specifically by allowing S3 to provide
the Content-Disposition header, and using the
`ResponseContentDisposition` argument when necessary to override it to
`attachment`.  Because we expect S3 responses to vary based on this
argument, we include it in the cache key; since the query parameter
has dashes in it, we can't use the helper `$arg_` variables, and
must parse it from the query parameters manually.

Adding the disposition may decrease the cache hit rate somewhat, but
downloads are infrequent enough that it is unlikely to have a
noticeable effect.  We take care to not adjust the cache key for
requests which do not specify the disposition.
2023-02-07 17:09:52 +00:00
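The commit message above contrasts two ways of choosing a `Content-Disposition` for a stored upload. The following is an added illustrative example, not Zulip's code and not the S3 or nginx logic the commit changes: it shows the extension-based rule the commit reverts beside a rule driven by the content type recorded at upload time (with an explicit override to `attachment`, standing in for the `ResponseContentDisposition` case), and a cache key that only varies when the `response-content-disposition` query parameter is present. The allowlist of inline-safe types, the function names and the cache-key format are assumptions made for the example.

```python
# Added illustrative example (not Zulip's code): decide the disposition of a
# stored upload from the recorded content type rather than the filename, and
# vary the cache key only when a disposition override is requested.
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of types that are safe to render inline; anything else
# (notably text/html or image/svg+xml) is forced to a download.
INLINE_SAFE_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})

# Extensions the extension-based rule treats as "displayable" images.
IMAGE_EXTENSIONS = frozenset({".png", ".jpg", ".jpeg", ".gif", ".webp"})


def disposition_from_filename(filename: str) -> str:
    """The unsafe rule: trust the extension and ignore the real content type.

    A file stored with Content-Type text/html but named evil.png gets
    'inline', so a browser renders the HTML (stored XSS).
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "inline" if ext in IMAGE_EXTENSIONS else "attachment"


def disposition_from_stored_type(stored_content_type: str, *, force_attachment: bool = False) -> str:
    """The corrected rule: use the type recorded at upload time, and honour an
    explicit override to 'attachment' (the ResponseContentDisposition case).
    """
    if force_attachment:
        return "attachment"
    # Drop any parameters such as "; charset=utf-8" before comparing.
    mime = stored_content_type.split(";", 1)[0].strip().lower()
    return "inline" if mime in INLINE_SAFE_TYPES else "attachment"


def cache_key(request_uri: str) -> str:
    """Cache key that includes the disposition override only when it is present,
    so requests without the parameter keep their existing key.

    nginx has to parse this parameter by hand because its name contains
    dashes; here urllib does the parsing.
    """
    parts = urlsplit(request_uri)
    override = parse_qs(parts.query).get("response-content-disposition")
    if not override:
        return parts.path
    return f"{parts.path}|disposition={override[0]}"


if __name__ == "__main__":
    # Constructed sample: an HTML document uploaded under a .png name.
    print(disposition_from_filename("evil.png"))                      # inline (unsafe)
    print(disposition_from_stored_type("text/html; charset=utf-8"))   # attachment
    print(cache_key("/user_uploads/1/a/evil.png?response-content-disposition=attachment"))
```

Running the module shows the same constructed upload being served inline by the extension rule and as a download by the content-type rule; the cache key for a plain request is just the path, while a request carrying the override gets a distinct key.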
.github do: Install pynacl in the oneclick job. 2023-01-24 10:33:41 -08:00
.tx provision: Replace transifex-client with new transifex-cli. 2022-12-13 12:34:08 -08:00
.vscode vscode: Recommend remote development extension. 2021-11-03 16:03:46 -07:00
analytics black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
api_docs streams: Allow setting can_remove_subscribers_group_id while creating streams. 2023-02-05 14:46:36 -08:00
confirmation registration: Track create organization page in GA. 2023-02-05 10:24:32 -08:00
corporate ruff: Fix G004 Logging statement uses f-string. 2023-02-04 16:36:20 -08:00
docs docs: Document how LDAP email address changes work (manually). 2023-02-06 15:57:44 -08:00
frontend_tests tooltips: Add support for modifier key conversion for mac-style keyboards. 2023-02-06 18:41:31 -08:00
help help: Link to https://zulip.com/values/ from supporting-zulip-motivation.md. 2023-01-26 14:46:57 -08:00
locale i18n: Sync latest unbranched translations from Transifex. 2023-01-17 13:20:49 -08:00
pgroonga black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
puppet CVE-2023-22735: Provide the Content-Disposition header from S3. 2023-02-07 17:09:52 +00:00
requirements requirements: Upgrade Python requirements. 2023-02-03 16:36:54 -08:00
scripts requirements: Upgrade Python requirements. 2023-02-03 16:36:54 -08:00
static tooltips: Fix tooltip content alignment for message inline images. 2023-02-06 18:41:31 -08:00
stubs/taint actions: Split out zerver.actions.message_send. 2022-04-14 17:14:34 -07:00
templates index: Remove `Loading...` text from the app loading overlay. 2023-02-03 10:51:39 -08:00
tools node tests: Exclude zjquery_element.js and upload.js. 2023-02-04 19:50:52 -08:00
var/puppeteer puppeteer_tests: Port to TypeScript. 2021-02-22 16:03:10 -08:00
zerver CVE-2023-22735: Provide the Content-Disposition header from S3. 2023-02-07 17:09:52 +00:00
zilencer ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
zproject user_mutes: Rename 'muting.py' to 'user_mutes.py'. 2023-02-07 00:23:47 +05:30
.browserslistrc zjsunit: Set browserslist target to current Node for Node tests. 2022-05-04 09:56:07 -07:00
.codecov.yml
.codespellignore contributor docs: Add a page on design discussions. 2022-09-30 12:15:04 -07:00
.editorconfig editorconfig: Restore indent_size = 2 for Markdown. 2021-08-20 23:14:37 -07:00
.eslintignore requirements: Remove Thumbor. 2021-05-06 20:07:32 -07:00
.eslintrc.json eslint: Add root: true. 2023-01-03 13:59:25 -08:00
.gitattributes .gitattributes: Mark *.bmp, *.bson, *.mp3, *.pdf as binary. 2022-02-07 18:51:06 -08:00
.gitignore lint: Replace pycodestyle and pyflakes with ruff. 2022-11-03 12:10:15 -07:00
.gitlint lint: Re-enable imperative-mood checking. 2021-02-23 14:54:07 -08:00
.mailmap mailmap: Add entry for rht. 2022-11-17 00:05:17 -08:00
.npmignore
.prettierignore api-docs: Move markdown files to top level directory. 2023-02-02 17:25:40 -08:00
.pyre_configuration pysa: Update .pyre_configuration to point to typeshed. 2020-09-22 15:44:47 -07:00
.readthedocs.yaml readthedocs: Add a configuration file. 2023-02-03 16:36:54 -08:00
.sonarcloud.properties tools: Configure Zulip to be scannable by SonarCloud. 2020-06-24 12:41:17 -07:00
.yarnrc
CODE_OF_CONDUCT.md contributor docs: Add guidelines on moderating the Zulip community. 2022-12-02 16:57:41 -08:00
CONTRIBUTING.md docs: Remove paragraph about getting help finding issues in contributing. 2023-01-17 14:51:53 -08:00
Dockerfile-postgresql docker: Document the PostgreSQL Dockerfile build steps. 2022-04-26 18:00:00 -07:00
LICENSE license: Move copyright notice from LICENSE to NOTICE. 2021-02-05 09:28:12 -08:00
NOTICE docs: Bump copyright year. 2021-02-05 09:28:15 -08:00
README.md README: Add Ruff badge. 2023-01-04 16:22:12 -08:00
SECURITY.md SECURITY.md: Reorder and make clearer how to subscribe to announcements. 2022-01-07 15:56:26 -08:00
Vagrantfile vagrant: Add Fedora 36 support. 2022-09-08 16:12:59 -07:00
babel.config.js dependencies: Upgrade JavaScript dependencies. 2023-01-04 12:30:04 -08:00
manage.py ruff: Fix SIM102 nested `if` statements. 2023-01-23 11:18:36 -08:00
package.json dependencies: Upgrade JavaScript dependencies. 2023-01-04 12:30:04 -08:00
postcss.config.js css: Replace "night-mode-block" with "dark-theme-block". 2021-11-26 22:03:29 -08:00
prettier.config.js prettier: Disable embedded language formatting for Markdown. 2021-08-20 23:14:37 -07:00
pyproject.toml ruff: Enable logging format rules. 2023-02-04 16:36:20 -08:00
stylelint.config.js yarn: Add package which allows creating css mixins. 2021-12-09 18:15:18 -08:00
tsconfig.json tsconfig: Enable noImplicitOverride. 2021-09-13 10:10:34 -07:00
version.py streams: Allow setting can_remove_subscribers_group_id while creating streams. 2023-02-05 14:46:36 -08:00
webpack.config.ts tooltips: Add hotkey hints support for tooltips. 2023-02-06 18:41:31 -08:00
yarn.lock dependencies: Upgrade JavaScript dependencies. 2023-01-04 12:30:04 -08:00

README.md

Zulip overview

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. Fortune 500 companies, leading open source projects, and thousands of other organizations use Zulip every day. Zulip is the only modern team chat app that is designed for both live and asynchronous conversations.

Zulip is built by a distributed community of developers from all around the world, with 74+ people who have each contributed 100+ commits. With over 1000 contributors merging over 500 commits a month, Zulip is the largest and fastest growing open source team chat project.

Come find us on the development community chat!


Getting started

You may also be interested in reading our blog, and following us on Twitter and LinkedIn.

Zulip is distributed under the Apache 2.0 license.