registration: Check realm against PreregistrationUser realm.

We would allow a user with a valid invitation for one realm to use it on a different realm instead. On a server with multiple realms, an authorized user of one realm could use this (by sending invites to other email addresses they control) to create accounts on other realms. (CVE-2017-0910) With this commit, when sending an invitation, we record the inviting user's realm on the PreregistrationUser row; and when registering a user, we check that the PregistrationUser realm matches the realm the user is trying to register on. This resolves CVE-2017-0910 for newly-sent invitations; the next commit completes the fix. [greg: rewrote commit message]
2025-11-13 02:17:19 +00:00 · 2017-11-08 21:02:59 +00:00
parent 4eb958b6d8
commit 28a3dcf787
4 changed files with 28 additions and 9 deletions
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -3723,7 +3723,8 @@ def do_invite_users(user_profile, invitee_emails, streams, body=None):
    # the PreregistrationUser objects and trigger the email invitations.
    for email in validated_emails:
        # The logged in user is the referrer.
-        prereg_user = PreregistrationUser(email=email, referred_by=user_profile)
+        prereg_user = PreregistrationUser(email=email, referred_by=user_profile,
+                                          realm=user_profile.realm)

        prereg_user.save()
        stream_ids = [stream.id for stream in streams]