Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver
History
Greg Price e4b4f67b44 subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. 
If a Zulip install at example.org got a request at an HTTP `Host`
like foo.example.org.evil.com (or even foo.example.orgevil.com),
we would accept it as subdomain foo.  This isn't likely to happen
in practice because it shouldn't pass ALLOWED_HOSTS, and it's not
obvious to me that anything untoward could be done with it even
if ALLOWED_HOSTS were set wide open, but if nothing else it
multiplies the cases in analyzing this logic.

The reason we had a loose match like this, I assume, is to allow
the user to come from arbitrary ports -- especially in development.
So tighten the pattern to allow just that, and add some tests for
that behavior and a comment explaining why this complication is
needed.
 		2017-10-27 14:42:24 -07:00
..
fixtures tests: Add a test suite for verifying the mobile push notifs content. 2017-10-06 16:47:27 -07:00
lib subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. 2017-10-27 14:42:24 -07:00
management lint: Fix lines in Python codebase longer than 120 characters. 2017-10-26 17:47:30 -07:00
migrations backend: Allow Administrators to invite new users as admins. 2017-10-27 11:19:38 -07:00
templatetags zerver: Remove the rest of absolute_import. 2017-09-27 10:02:39 -07:00
tests subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. 2017-10-27 14:42:24 -07:00
tornado zerver/tornado: Use python 3 syntax for typing. 2017-10-26 21:58:22 -07:00
views oauth: Find a better name for redirect_to_main_site. 2017-10-27 14:42:24 -07:00
webhooks Rename subject_name in send_message_backend(). 2017-10-27 10:48:11 -07:00
worker lint: Fix lines in Python codebase longer than 125 characters. 2017-10-26 17:36:54 -07:00
__init__.py
apps.py Remove the rest of print_function. 2017-09-27 18:06:47 -07:00
context_processors.py subdomains: Fix some implicit uses of "" for the root subdomain. 2017-10-26 10:29:17 -07:00
decorator.py lint: Wrap many very long lines in the Python codebase. 2017-10-26 17:31:58 -07:00
filters.py zerver: Remove the rest of absolute_import. 2017-09-27 10:02:39 -07:00
forms.py subdomains: Refactor check_subdomain to a clearer interface. 2017-10-26 10:29:17 -07:00
logging_handlers.py tests: Call real consume method of queue processors. 2017-10-26 14:58:03 -07:00
middleware.py tests: Call real consume method of queue processors. 2017-10-26 14:58:03 -07:00
models.py backend: Allow Administrators to invite new users as admins. 2017-10-27 11:19:38 -07:00
signals.py zerver: Remove the rest of absolute_import. 2017-09-27 10:02:39 -07:00
static_header.txt
storage.py zerver: Remove the rest of absolute_import. 2017-09-27 10:02:39 -07:00