paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 13:33:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

streams: Fix autosubscribe security bug (CVE-2017-0881).

Browse Source 
A bug in Zulip's implementation of the "stream exists" endpoint meant
that any user of a Zulip server could subscribe to an invite-only
stream without needing to be invited by using the "autosubscribe"
argument.

Thanks to Rafid Aslam for discovering this issue.
This commit is contained in:
Tim Abbott
2017-01-22 20:22:40 -08:00
parent 8cc7642cdd
commit 1cdd451d70
2 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
zerver/views/streams.py
View File

@@ -447,7 +447,7 @@ def stream_exists_backend(request, user_profile, stream_name, autosubscribe):
result = {"exists": bool(stream)}
if stream is not None:
recipient = get_recipient(Recipient.STREAM, stream.id)
if autosubscribe:
if not stream.invite_only and autosubscribe:
bulk_add_subscriptions([stream], [user_profile])
result["subscribed"] = Subscription.objects.filter(user_profile=user_profile,
recipient=recipient,