registration: Check realm against PreregistrationUser realm.

We would allow a user with a valid invitation for one realm to use it
on a different realm instead.  On a server with multiple realms, an
authorized user of one realm could use this (by sending invites to
other email addresses they control) to create accounts on other
realms. (CVE-2017-0910)

With this commit, when sending an invitation, we record the inviting
user's realm on the PreregistrationUser row; and when registering a
user, we check that the PreregistrationUser realm matches the realm the
user is trying to register on.  This resolves CVE-2017-0910 for
newly-sent invitations; the next commit completes the fix.

[greg: rewrote commit message]
Vishnu Ks
2017-11-08 21:02:59 +00:00
committed by Greg Price
parent 4eb958b6d8
commit 28a3dcf787
4 changed files with 28 additions and 9 deletions

@@ -68,7 +68,7 @@ def maybe_send_to_registration(request, email, full_name='', password_required=T
prereg_user = None
if settings.ONLY_SSO:
try:
prereg_user = PreregistrationUser.objects.filter(email__iexact=email).latest("invited_at")
prereg_user = PreregistrationUser.objects.filter(email__iexact=email, realm=realm).latest("invited_at")
except PreregistrationUser.DoesNotExist:
prereg_user = create_preregistration_user(email, request,
password_required=password_required)
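Review bot: the new filter on the `PreregistrationUser.objects.filter(email__iexact=email, realm=realm)` line references a `realm` name that is not defined anywhere in the visible context of this hunk, and the (truncated) signature of `maybe_send_to_registration(request, email, full_name='', password_required=...)` does not show it as a parameter; confirm it is bound earlier in the function (for example from the request's subdomain) before this point, otherwise the ONLY_SSO path raises a NameError at runtime. Relatedly, the fallback `create_preregistration_user(email, request, password_required=password_required)` call in the `except` branch is unchanged here: since the commit message says the realm is now recorded on the row and checked at registration, make sure that helper also records the realm on rows it creates, or those rows will fail the new realm check when the user later registers. Finally, the `-`/`+` markers on the two `prereg_user = ...` lines appear to have been lost in rendering; worth checking that the removed line is the one without the `realm=` argument.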