Update changelog for Zulip 1.4.3 release.

A bug in Zulip's implementation of the "stream exists" endpoint meant
that any user of a Zulip server could subscribe to an invite-only
stream without needing to be invited by using the "autosubscribe"
argument.

Thanks to Rafid Aslam for discovering this issue.

docs/changelog.md

@@ -4,6 +4,22 @@ All notable changes to the Zulip server are documented in this file.
 
 ### Unreleased
 
+### 1.4.3 - 2017-01-29
+- CVE-2017-0881: Users could subscribe to invite-only streams.
+
+### 1.4.2 - 2016-09-27
+- Upgraded Django to version 1.8.15 (with the Zulip patches applied),
+  fixing a CSRF vulnerability in Django (see
+  https://www.djangoproject.com/weblog/2016/sep/26/security-releases/),
+  and a number of other Django bugs from past Django stable releases
+  that largely affects parts of Django that are not used by Zulip.
+- Fixed buggy logrotate configuration.
+
+### 1.4.1 - 2016-09-03
+- Fixed settings bug upgrading from pre-1.4.0 releases to 1.4.0.
+- Fixed local file uploads integration being broken for new 1.4.0
+  installations.
+
 ### 1.4 - 2016-08-25
 
 - Migrated Zulip's python dependencies to be installed via a virtualenv,

puppet/zulip/files/logrotate/zulip

@@ -1,7 +1,7 @@
 /var/log/zulip/server.log /var/log/zulip/workers.log /var/log/zulip/manage.log {
 	missingok
 	rotate 10
-	size 1GB
+	size 1G
 	compress
 	delaycompress
 	notifempty

requirements/common.txt

@@ -1,6 +1,6 @@
 -r ipython.txt
 # Django itself; we use a slightly patched version
-git+https://github.com/zulip/truncated-django.git
+git+https://github.com/zulip/truncated-django-1.8.15.git@cbf4fa3aef1b17f37d75a70e57f9b69a0f99ed5c#egg=Django==1.8.15
 
 GitPython==0.3.2.1
 

tools/travis/success-http-headers.txt

@@ -24,7 +24,6 @@ Reusing existing connection to localhost:443.
   Content-Type: text/html; charset=utf-8
   Transfer-Encoding: chunked
   Connection: keep-alive
-  Cache-Control: max-age=0
   Strict-Transport-Security: max-age=15768000
 Length: unspecified [text/html]
 Saving to: ‘/tmp/index.html’

zerver/tests/test_subs.py

@@ -1501,6 +1501,29 @@ class SubscriptionAPITest(ZulipTestCase):
         self.assertIn("exists", json)
         self.assertTrue(json["exists"])
 
+    def test_existing_subscriptions_autosubscription_private_stream(self):
+        # type: () -> None
+        """Call /json/subscriptions/exist on an existing private stream with
+        autosubscribe should fail.
+        """
+        stream_name = "Saxony"
+        result = self.common_subscribe_to_streams("cordelia@zulip.com", [stream_name],
+                                                  invite_only=True)
+        stream = get_stream(stream_name, self.realm)
+
+        result = self.client_post("/json/subscriptions/exists",
+                                  {"stream": stream_name, "autosubscribe": True})
+        self.assert_json_success(result)
+        json = ujson.loads(result.content)
+        self.assertIn("exists", json)
+        self.assertTrue(json["exists"])
+        self.assertIn("subscribed", json)
+        # Importantly, we are not now subscribed
+        self.assertFalse(json["subscribed"])
+        self.assertEqual(Subscription.objects.filter(
+            recipient__type=Recipient.STREAM,
+            recipient__type_id=stream.id).count(), 1)
+
     def get_subscription(self, user_profile, stream_name):
         # type: (UserProfile, text_type) -> Subscription
         stream = Stream.objects.get(realm=self.realm, name=stream_name)

zerver/views/streams.py

@@ -447,7 +447,7 @@ def stream_exists_backend(request, user_profile, stream_name, autosubscribe):
     result = {"exists": bool(stream)}
     if stream is not None:
         recipient = get_recipient(Recipient.STREAM, stream.id)
-        if autosubscribe:
+        if not stream.invite_only and autosubscribe:
             bulk_add_subscriptions([stream], [user_profile])
         result["subscribed"] = Subscription.objects.filter(user_profile=user_profile,
                                                            recipient=recipient,