This prevents a development-mode-only directory traversal attack,
where the Django development server could be made to respond to
requests for `/user_avatars/../../../../../../etc/passwd`.
The production server is not affected by this vulnerability, as
nginx's configuration sets `PATH_INFO` to `$document_uri`, which is
normalized[^1] -- that is, by the time uwsgi and Django see it, the path
has been percent-decoded once, and all `../` path components have been
applied[^2].
Close this by explicitly normalizing the paths before comparing; the
`LOCAL_UPLOADS_DIR` side is unlikely to require normalization as well,
but is also normalized for consistency. The failure here is left as
an assertion failure, and not a JsonableError, because it only affects
the development server.
[^1]: https://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri
[^2]: https://nginx.org/en/docs/http/ngx_http_core_module.html#location
Updates the logic for getting the typists for a specific direct
message conversation to mirror narrow_state.set_compose_defaults
for the current filter's "dm" narrow term.
In Django, when cleaning a form field, all validators are run on
the field and all validation error messages are all collected.
Updates our test for invalid email addresses when creating a new
realm to confirm all expected error messages from the various
validators that are run on that field.
In commit c7a08f3b77, we started setting the realm_creation field
in both the RegistrationForm and its superclass, RealmDetailsForm,
which was likely a copy and paste error.
Since we only need to set the realm_creation field once when
initializing the form fields, we set it in the RealmDetailsForm,
which also removes any confusion related to the comment about
removing extra kwargs in the RegistrationForm initialization.
Systems upgrading from 11.x will have 0753 and not 0752, while systems
upgrading from main may have 0752 and not 0753, so a merge migration
is required to smoothly handle upgrades from both states.
The logic for inserting bookend when prepending messages was
missing.
Fixed by inserting the bookend at the correct position.
Reproducer:
Modify `message_fetch` parameters to only fetch
one message per fetch to ensure that each message is prepended.
Subscribe to a channel and send a message.
Reload.
Bookend is absent before the latest message without this commit.
The top margin for the submit button on `create_realm.html` is
set by the '#new-realm-creation .register-button' rule in
`portico_signin.css`.
Removes the redundant margin-top rules for new-organization-button
class that are not used.
In commit 7afbc9d, the button to create a new organization in
`templates/zerver/create_realm.html` was changed from an input
element to a button element.
Removes CSS rule that's been unused since that change.
Since we are checking `is_in_focus()` of recent and inbox view,
message_lists.current can be not defined here, also addition
a new view in Zulip will make this fail.
This clarifies which Slack bot token scopes the integration really uses.
Extraneous scopes are: `users:read.email`, `team:read`, and
`emoji:read`.
Fixes part of #30827.
Slack attachment urls with white spaces,
e.g. `https://example.com/some file.png`,
were rejected by `check_url`. We want to call `requote_url` to deal with
any url-quoting jankiness that may be present in the exported data.
1. `call` is a block type we've observed in the wild in a Slack export,
despite not being documented in
https://docs.slack.dev/reference/block-kit/blocks/
2. We already have the logic for converting `condition` block type below
in the function, but it was erroneously missing from the list of valid
types.
The user associated to a pull request is always its creator, however,
when closing a pull request, this can be the wrong actor. The paylod
contains the actor in the `sender` value, use this instead.
Sometimes this selector was catching a second
`emoji-message-control-button-container` from an emoji reaction,
which was only caught once we started using `util.the`. This
change avoids catching that irrelevant element.
Django's Model.EmailField's default max_length is 254 characters,
while the Form.EmailField's default max length is 320 characters.
The longer valid length for form email fields raises an error
when an email with over 254 characters is validated and the server
attempts to create a preregistration user or realm.
Sets the max length on current form EmailFields to match the max
length on corresponding email fields in the database.
For the form MultiEmailField used on the find account/team page,
we don't need to set the max length to 254, but we don't expect
any emails longer than that to match any existing user accounts.
Adds tests in `zerver/tests/test_signup.py` for form submissions
with long email addresses.
