Update changelog for Zulip 1.4.3 release.

streams: Fix autosubscribe security bug (CVE-2017-0881).
A bug in Zulip's implementation of the "stream exists" endpoint meant that any user of a Zulip server could subscribe to an invite-only stream without needing to be invited by using the "autosubscribe" argument. Thanks to Rafid Aslam for discovering this issue.
2025-10-31 03:53:50 +00:00 · 2017-01-29 15:09:02 -08:00 · 2017-01-29 15:09:02 -08:00 · 2016-09-27 20:09:20 -07:00 · 2016-09-27 20:09:20 -07:00 · 2016-09-27 20:01:17 -07:00
8 changed files with 51 additions and 5 deletions
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -4,6 +4,22 @@ All notable changes to the Zulip server are documented in this file.

 ### Unreleased

+### 1.4.3 - 2017-01-29
+- CVE-2017-0881: Users could subscribe to invite-only streams.
+
+### 1.4.2 - 2016-09-27
+- Upgraded Django to version 1.8.15 (with the Zulip patches applied),
+  fixing a CSRF vulnerability in Django (see
+  https://www.djangoproject.com/weblog/2016/sep/26/security-releases/),
+  and a number of other Django bugs from past Django stable releases
+  that largely affects parts of Django that are not used by Zulip.
+- Fixed buggy logrotate configuration.
+
+### 1.4.1 - 2016-09-03
+- Fixed settings bug upgrading from pre-1.4.0 releases to 1.4.0.
+- Fixed local file uploads integration being broken for new 1.4.0
+  installations.
+
 ### 1.4 - 2016-08-25

 - Migrated Zulip's python dependencies to be installed via a virtualenv,
--- a/puppet/zulip/files/logrotate/zulip
+++ b/puppet/zulip/files/logrotate/zulip
@@ -1,7 +1,7 @@
 /var/log/zulip/server.log /var/log/zulip/workers.log /var/log/zulip/manage.log {
 	missingok
 	rotate 10
-	size 1GB
+	size 1G
 	compress
 	delaycompress
 	notifempty
--- a/requirements/common.txt
+++ b/requirements/common.txt
@@ -1,6 +1,6 @@
 -r ipython.txt
 # Django itself; we use a slightly patched version
-git+https://github.com/zulip/truncated-django.git
+git+https://github.com/zulip/truncated-django-1.8.15.git@cbf4fa3aef1b17f37d75a70e57f9b69a0f99ed5c#egg=Django==1.8.15

 GitPython==0.3.2.1

--- a/scripts/lib/upgrade-zulip-stage-2
+++ b/scripts/lib/upgrade-zulip-stage-2
@@ -42,6 +42,14 @@ if not args.skip_puppet:
    subprocess.check_call(["apt-get", "update"])
    subprocess.check_call(["apt-get", "-y", "upgrade"])

+if not os.path.exists((os.path.join(deploy_path, "zproject/prod_settings"))):
+    subprocess.check_call(["ln", "-nsf", "/etc/zulip/settings.py",
+                           os.path.join(deploy_path, "zproject/prod_settings.py")])
+
+# delete local_settings.py symlink if it exists, as it is now prod_settings.py
+if os.path.exists((os.path.join(deploy_path, "zproject/local_settings.py"))):
+    subprocess.check_call(["rm", os.path.join(deploy_path, "zproject/local_settings.py")])
+
 subprocess.check_call([os.path.join(deploy_path, "scripts", "lib", "create-production-venv"),
                       os.path.join(deploy_path, "zulip-venv")])

--- a/tools/travis/success-http-headers.txt
+++ b/tools/travis/success-http-headers.txt
@@ -24,7 +24,6 @@ Reusing existing connection to localhost:443.
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
-  Cache-Control: max-age=0
  Strict-Transport-Security: max-age=15768000
 Length: unspecified [text/html]
 Saving to: ‘/tmp/index.html’
--- a/zerver/tests/test_subs.py
+++ b/zerver/tests/test_subs.py
@@ -1501,6 +1501,29 @@ class SubscriptionAPITest(ZulipTestCase):
        self.assertIn("exists", json)
        self.assertTrue(json["exists"])

+    def test_existing_subscriptions_autosubscription_private_stream(self):
+        # type: () -> None
+        """Call /json/subscriptions/exist on an existing private stream with
+        autosubscribe should fail.
+        """
+        stream_name = "Saxony"
+        result = self.common_subscribe_to_streams("cordelia@zulip.com", [stream_name],
+                                                  invite_only=True)
+        stream = get_stream(stream_name, self.realm)
+
+        result = self.client_post("/json/subscriptions/exists",
+                                  {"stream": stream_name, "autosubscribe": True})
+        self.assert_json_success(result)
+        json = ujson.loads(result.content)
+        self.assertIn("exists", json)
+        self.assertTrue(json["exists"])
+        self.assertIn("subscribed", json)
+        # Importantly, we are not now subscribed
+        self.assertFalse(json["subscribed"])
+        self.assertEqual(Subscription.objects.filter(
+            recipient__type=Recipient.STREAM,
+            recipient__type_id=stream.id).count(), 1)
+
    def get_subscription(self, user_profile, stream_name):
        # type: (UserProfile, text_type) -> Subscription
        stream = Stream.objects.get(realm=self.realm, name=stream_name)
--- a/zerver/views/streams.py
+++ b/zerver/views/streams.py
@@ -447,7 +447,7 @@ def stream_exists_backend(request, user_profile, stream_name, autosubscribe):
    result = {"exists": bool(stream)}
    if stream is not None:
        recipient = get_recipient(Recipient.STREAM, stream.id)
-        if autosubscribe:
+        if not stream.invite_only and autosubscribe:
            bulk_add_subscriptions([stream], [user_profile])
        result["subscribed"] = Subscription.objects.filter(user_profile=user_profile,
                                                           recipient=recipient,
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@@ -155,7 +155,7 @@ INLINE_IMAGE_PREVIEW = True
 # https://github.com/zulip/zulip/issues/291 for discussion of a better
 # solution that won't be automatically reverted by the Zulip upgrade
 # script), and then restart nginx.
-LOCAL_UPLOADS_DIR = "/home/zulip/var/uploads"
+LOCAL_UPLOADS_DIR = "/home/zulip/uploads"
 #S3_AUTH_UPLOADS_BUCKET = ""
 #S3_AVATAR_BUCKET = ""
Author	SHA1	Message	Date
Tim Abbott	a063dd3b26	Update changelog for Zulip 1.4.3 release.	2017-01-29 15:09:02 -08:00
Tim Abbott	1cdd451d70	streams: Fix autosubscribe security bug (CVE-2017-0881). A bug in Zulip's implementation of the "stream exists" endpoint meant that any user of a Zulip server could subscribe to an invite-only stream without needing to be invited by using the "autosubscribe" argument. Thanks to Rafid Aslam for discovering this issue.	2017-01-29 15:09:02 -08:00
Tim Abbott	8cc7642cdd	Update changelog for Zulip 1.4.1 and 1.4.2 releases.	2016-09-27 20:09:20 -07:00
Tim Abbott	6883c916af	Upgrade Django to 1.8.15 with Zulip patches.	2016-09-27 20:09:20 -07:00
Tim Abbott	978a568c0f	puppet: Fix buggy logrotate configuration.	2016-09-27 20:01:17 -07:00
Steve Howell	f6975f9334	Upgrade: revert change to default LOCAL_UPLOADS_DIR in prod settings. The main purpose of the "var" convention is to make it easy to write stuff inside of our git repo when running a dev instance, and then "var" gets excluded from checkins. For production, that's not as much of a concern. For upgrades we don't want to be changing the directory around and confusing matters, especially with the extra moving part of nginx configs (which have their own issues in terms of being overwritten by accident when admins go to S3).	2016-09-02 12:30:29 -07:00
Christie Koehler	0120ff5612	upgrade: Create prod_settings symlink in step 2 if it doesn't exist. Between releases 1.3.13 and 1.4.0, local_settings.py was renamed to prod_settings.py. The upgrade scripts were adjusted to reflect this name change. But because the first part of the upgrade script is run with the currently installed version's code, the symlink to /etc/zulip/settings.py is created with the old name. This was causing upgrade-zulip-stage-2 to fail. Now upgrade-zulip-stage-2 creates the symlink at zproject/prod_settings.py if it doesn't already exist. Fixes #1731.	2016-09-01 21:17:11 -07:00