This prevents a development-mode-only directory traversal attack,
where the Django development server could be made to respond to
requests for `/user_avatars/../../../../../../etc/passwd`.
The production server is not affected by this vulnerability, as
nginx's configuration sets `PATH_INFO` to `$document_uri`, which is
normalized[^1] -- that is, by the time uwsgi and Django see it, the path
has been percent-decoded once, and all `../` path components have been
applied[^2].
Close this by explicitly normalizing the paths before comparing; the
`LOCAL_UPLOADS_DIR` side is unlikely to require normalization as well,
but is also normalized for consistency. The failure here is left as
an assertion failure, and not a JsonableError, because it only affects
the development server.
[^1]: https://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri
[^2]: https://nginx.org/en/docs/http/ngx_http_core_module.html#location
In Django, when cleaning a form field, all validators are run on
the field and all validation error messages are all collected.
Updates our test for invalid email addresses when creating a new
realm to confirm all expected error messages from the various
validators that are run on that field.
In commit c7a08f3b77, we started setting the realm_creation field
in both the RegistrationForm and its superclass, RealmDetailsForm,
which was likely a copy and paste error.
Since we only need to set the realm_creation field once when
initializing the form fields, we set it in the RealmDetailsForm,
which also removes any confusion related to the comment about
removing extra kwargs in the RegistrationForm initialization.
Systems upgrading from 11.x will have 0753 and not 0752, while systems
upgrading from main may have 0752 and not 0753, so a merge migration
is required to smoothly handle upgrades from both states.
This clarifies which Slack bot token scopes the integration really uses.
Extraneous scopes are: `users:read.email`, `team:read`, and
`emoji:read`.
Fixes part of #30827.
Slack attachment urls with white spaces,
e.g. `https://example.com/some file.png`,
were rejected by `check_url`. We want to call `requote_url` to deal with
any url-quoting jankiness that may be present in the exported data.
1. `call` is a block type we've observed in the wild in a Slack export,
despite not being documented in
https://docs.slack.dev/reference/block-kit/blocks/
2. We already have the logic for converting `condition` block type below
in the function, but it was erroneously missing from the list of valid
types.
The user associated to a pull request is always its creator, however,
when closing a pull request, this can be the wrong actor. The paylod
contains the actor in the `sender` value, use this instead.
Django's Model.EmailField's default max_length is 254 characters,
while the Form.EmailField's default max length is 320 characters.
The longer valid length for form email fields raises an error
when an email with over 254 characters is validated and the server
attempts to create a preregistration user or realm.
Sets the max length on current form EmailFields to match the max
length on corresponding email fields in the database.
For the form MultiEmailField used on the find account/team page,
we don't need to set the max length to 254, but we don't expect
any emails longer than that to match any existing user accounts.
Adds tests in `zerver/tests/test_signup.py` for form submissions
with long email addresses.
The hardcoded content (topic and message) for the screenshot configs are
loaded from `fixtureless_integrations.py`. Add a new
FIXTURELESS_SCREENSHOT_CONFIG_OPTIONAL_FIELDS dict to maintain the
optional fields of fixtureless screenshot configs, and load both into
FIXTURELESS_SCREENSHOT_CONFIG.
This commit does not set any screenshot configs, but only adds the
framework.
This does not include any screenshot configs, just defining the format,
and loading FIXTURELESS_SCREENSHOT_CONFIG from the file.
Co-authored-by: Lauryn Menard <lauryn@zulip.com>
The only callsite of do_export_realm calls `rmtree` on the output
path, which means this symlink is always dangling. Since realms can
also be exported by end-users, following it would always be a race
condition, anyways.
Remove it.
Updates templates/zerver/meta_tags.html to add a rel-canonical
link if REL_CANONICAL_LINK is in the template context dict.
We add REL_CANONICAL_LINK to the documentation context for the
API and integrations documentation pages in all cases. The link
will be self-referencing for the main zulip.com site.
For policies documentation pages, we add REL_CANONICAL_LINK to
the context only when settings.CORPORATE_ENABLED is true, so
that self-hosted servers' policies documentation do not have a
rel-canonical link set.
Part of #35110.
