Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver
History
Vishnu Ks 985768b2fd registration: Check realm against PreregistrationUser realm. 
We would allow a user with a valid invitation for one realm to use it
on a different realm instead.  On a server with multiple realms, an
authorized user of one realm could use this (by sending invites to
other email addresses they control) to create accounts on other
realms. (CVE-2017-0910)

With this commit, when sending an invitation, we record the inviting
user's realm on the PreregistrationUser row; and when registering a
user, we check that the PregistrationUser realm matches the realm the
user is trying to register on.  This resolves CVE-2017-0910 for
newly-sent invitations; the next commit completes the fix.

[greg: rewrote commit message]
 		2017-11-27 14:58:26 -08:00
..
fixtures markdown: Hide URL if message is only an image. 2017-11-27 13:30:18 -08:00
lib registration: Check realm against PreregistrationUser realm. 2017-11-27 14:58:26 -08:00
management requirements: Upgrade mypy to 0.550. 2017-11-25 10:06:27 -08:00
migrations models: Add signup_notifications_stream attribute to Realm. 2017-11-21 17:39:50 -08:00
templatetags markdown processor: Exclude some files from macro substitution. 2017-11-22 10:29:07 -08:00
tests registration: Check realm against PreregistrationUser realm. 2017-11-27 14:58:26 -08:00
tornado queue processor tests: Call consume by default. 2017-11-26 11:45:34 -08:00
views registration: Check realm against PreregistrationUser realm. 2017-11-27 14:58:26 -08:00
webhooks webhooks/bitbucket2: Ignore push events with no changes. 2017-11-26 17:03:07 -08:00
worker actions: Mark all messages as read when user unsubscribes from stream. 2017-11-21 20:09:17 -08:00
__init__.py
apps.py python: Sort imports in easy files in zerver/. 2017-11-15 15:50:28 -08:00
context_processors.py settings: Remove ABOUT_LINK_DISABLED. 2017-11-16 21:15:24 -08:00
decorator.py Don't use force_bytes() in decorator.py. 2017-11-09 10:43:19 -08:00
filters.py python: Sort imports in easy files in zerver/. 2017-11-15 15:50:28 -08:00
forms.py backend: Make password reset form support multi realm membership. 2017-11-26 15:35:25 -08:00
logging_handlers.py queue processor tests: Call consume by default. 2017-11-26 11:45:34 -08:00
middleware.py queue processor tests: Call consume by default. 2017-11-26 11:45:34 -08:00
models.py models: Replace core team with Realm.INITIAL_PRIVATE_STREAM_NAME. 2017-11-21 17:39:51 -08:00
signals.py email: Fix identification of chrome as safari on ios 2017-11-19 17:07:33 -08:00
static_header.txt
storage.py docs: Update links from codebase to point to ReadTheDocs. 2017-11-16 10:53:49 -08:00