paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 05:53:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath.

Browse Source 
A confirmation link takes a user to the check_prereg_key_and_redirect
endpoint, before getting redirected to POST to /accounts/register/. The
problem was that validation was happening in the check_prereg_key_and_redirect
part and not in /accounts/register/ - meaning that one could submit an
expired confirmation key and be able to register.

We fix this by moving validation into /accouts/register/.
This commit is contained in:
Mateusz Mandera
2021-11-29 16:20:59 +01:00
committed by Alex Vandiver
parent a1cd660147
commit a014ef75a3
4 changed files with 56 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
zproject/urls.py
View File

@@ -128,9 +128,9 @@ from zerver.views.registration import (
accounts_home,
accounts_home_from_multiuse_invite,
accounts_register,
check_prereg_key_and_redirect,
create_realm,
find_account,
get_prereg_key_and_redirect,
realm_redirect,
)
from zerver.views.report import (
@@ -559,8 +559,8 @@ i18n_urls = [
path("accounts/register/", accounts_register, name="accounts_register"),
path(
"accounts/do_confirm/<confirmation_key>",
check_prereg_key_and_redirect,
name="check_prereg_key_and_redirect",
get_prereg_key_and_redirect,
name="get_prereg_key_and_redirect",
),
path(
"accounts/confirm_new_email/<confirmation_key>",