zulip/zerver
Tim Abbott e3a4aeeffa CVE-2020-9445: Remove unused and insecure modal_link feature.
Zulip's modal_link markdown feature has not been used since 2017; it
was a hack used for a 2013-era tutorial feature and was never used
outside that use case.

Unfortunately, its sloppy implementation was exposed in the markdown
processor for all users, not just the tutorial use case.

More importantly, it was buggy, in that it did not validate the link
using the standard validation approach used by our other code
interacting with links.

The right solution is simply to remove it.
2020-04-01 14:01:45 -07:00
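The commit message above says the removed feature never ran its link through the validation the rest of the codebase applies to links. The block below is an added illustration of what that kind of check looks like in a markdown-to-HTML step, written for this page; it is not Zulip's code and not the modal_link implementation. The commit's actual fix was to delete the feature. The function names, the scheme allowlist and the sample URLs are assumptions made for the example.

```python
import html
import re
from typing import Optional

# Assumed policy for this example: only these schemes may appear in an href.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers drop ASCII tab/newline anywhere in a URL and leading/trailing C0
# controls and spaces before parsing, so "java\tscript:" reaches the engine
# as "javascript:". Normalize the same way before looking at the scheme.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Explicit scheme, as a URL parser sees it: scheme characters up to the first ':'.
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def validate_link_url(raw: Optional[str]) -> Optional[str]:
    """Return a normalized URL that is safe to emit in an href, or None to reject it."""
    if not raw:
        return None
    candidate = _CONTROL_RE.sub("", raw.strip())
    if not candidate:
        return None
    m = _SCHEME_RE.match(candidate)
    if m is None:
        # No scheme: relative, protocol-relative or fragment link. It inherits
        # the page's own scheme, so it cannot smuggle in javascript: or data:.
        return candidate
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return candidate


def render_link_unvalidated(text: str, url: str) -> str:
    """The buggy pattern (hypothetical): escaping the attribute value is not validation.

    html.escape() stops the URL from breaking out of the attribute, but a
    javascript: or data: URL survives it untouched and is still executed when
    the link is followed.
    """
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))


def render_link(text: str, url: str) -> str:
    """The hardened pattern: validate first; degrade to plain text if the URL is rejected."""
    safe_url = validate_link_url(url)
    if safe_url is None:
        return html.escape(text)
    return '<a href="%s">%s</a>' % (html.escape(safe_url, quote=True), html.escape(text))


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration, not taken from any report.
    samples = [
        "https://example.com/doc",
        "/help",
        "javascript:alert(1)",
        " JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,hi",
    ]
    for url in samples:
        print(repr(url))
        print("  unvalidated:", render_link_unvalidated("link", url))
        print("  validated:  ", render_link("link", url))
```

Running the block prints, for each constructed URL, the anchor the unvalidated renderer emits beside what the validating one emits; the mixed-case and tab-split `javascript:` variants are the cases a naive `startswith("javascript:")` check would miss, which is why the normalization happens before the scheme test.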
data_import text: Fix some typos (most of them found and fixed by codespell). 2020-03-27 17:25:56 -07:00
lib CVE-2020-9445: Remove unused and insecure modal_link feature. 2020-04-01 14:01:45 -07:00
management text: Fix some typos (most of them found and fixed by codespell). 2020-03-27 17:25:56 -07:00
migrations migrations: Refactor the enum type fields. 2020-03-27 00:21:21 -07:00
openapi openapi: Use response schema for describing simple success response. 2020-03-29 19:25:14 +05:30
templatetags openapi: Pass api_url to curl example generation. 2019-08-17 11:35:08 -07:00
tests CVE-2020-9445: Remove unused and insecure modal_link feature. 2020-04-01 14:01:45 -07:00
tornado messages: Return shallow copy of message object. 2020-03-29 15:12:27 -07:00
views version: Move minimum desktop version configuration to version.py. 2020-04-01 13:23:08 -07:00
webhooks text: Fix some typos (most of them found and fixed by codespell). 2020-03-27 17:25:56 -07:00
worker emails: Added placeholders strings in FormAddress. 2020-03-27 16:41:02 -07:00
__init__.py
apps.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
context_processors.py decorators: Restructure get_client_name interface. 2020-03-08 14:19:50 -07:00
decorator.py rate_limit: Move functions called by external code to RateLimitedObject. 2020-03-22 18:42:35 -07:00
filters.py cleanup: Delete leading newlines. 2019-08-06 23:29:11 -07:00
forms.py rate_limit: Remove __str__ methods of RateLimitedObjects. 2020-03-22 18:42:35 -07:00
logging_handlers.py version: Only let `git describe` match tags beginning with a digit. 2019-10-24 14:54:45 -07:00
middleware.py middleware: Log <user.id>@subdomain instead of subdomain/<user.id>. 2020-03-24 10:25:01 -07:00
models.py text: Fix some typos (most of them found and fixed by codespell). 2020-03-27 17:25:56 -07:00
signals.py emails: Translate from_name of account security emails. 2020-02-18 17:45:33 -08:00