Compare commits

...

7 Commits
7.3 ... 1.4.3

Author SHA1 Message Date
Tim Abbott
a063dd3b26 Update changelog for Zulip 1.4.3 release. 2017-01-29 15:09:02 -08:00
Tim Abbott
1cdd451d70 streams: Fix autosubscribe security bug (CVE-2017-0881).
A bug in Zulip's implementation of the "stream exists" endpoint meant
that any user of a Zulip server could subscribe to an invite-only
stream without needing to be invited by using the "autosubscribe"
argument.

Thanks to Rafid Aslam for discovering this issue.
2017-01-29 15:09:02 -08:00
Tim Abbott
8cc7642cdd Update changelog for Zulip 1.4.1 and 1.4.2 releases. 2016-09-27 20:09:20 -07:00
Tim Abbott
6883c916af Upgrade Django to 1.8.15 with Zulip patches. 2016-09-27 20:09:20 -07:00
Tim Abbott
978a568c0f puppet: Fix buggy logrotate configuration. 2016-09-27 20:01:17 -07:00
Steve Howell
f6975f9334 Upgrade: revert change to default LOCAL_UPLOADS_DIR in prod settings.
The main purpose of the "var" convention is to make it easy to write stuff
inside of our git repo when running a dev instance, and then "var" gets
excluded from checkins. For production, that's not as much of a concern.
For upgrades we don't want to be changing the directory around and confusing
matters, especially with the extra moving part of nginx configs (which have
their own issues in terms of being overwritten by accident when admins go to
S3).
2016-09-02 12:30:29 -07:00
Christie Koehler
0120ff5612 upgrade: Create prod_settings symlink in step 2 if it doesn't exist.
Between releases 1.3.13 and 1.4.0, local_settings.py was renamed to
prod_settings.py. The upgrade scripts were adjusted to reflect this name
change. But because the first part of the upgrade script is run with the
currently installed version's code, the symlink to /etc/zulip/settings.py is
created with the old name. This was causing upgrade-zulip-stage-2 to fail.

Now upgrade-zulip-stage-2 creates the symlink at zproject/prod_settings.py
if it doesn't already exist.

Fixes #1731.
2016-09-01 21:17:11 -07:00
8 changed files with 51 additions and 5 deletions

View File

@@ -4,6 +4,22 @@ All notable changes to the Zulip server are documented in this file.
### Unreleased
### 1.4.3 - 2017-01-29
- CVE-2017-0881: Users could subscribe to invite-only streams.
### 1.4.2 - 2016-09-27
- Upgraded Django to version 1.8.15 (with the Zulip patches applied),
fixing a CSRF vulnerability in Django (see
https://www.djangoproject.com/weblog/2016/sep/26/security-releases/),
and a number of other Django bugs from past Django stable releases
that largely affects parts of Django that are not used by Zulip.
- Fixed buggy logrotate configuration.
### 1.4.1 - 2016-09-03
- Fixed settings bug upgrading from pre-1.4.0 releases to 1.4.0.
- Fixed local file uploads integration being broken for new 1.4.0
installations.
### 1.4 - 2016-08-25
- Migrated Zulip's python dependencies to be installed via a virtualenv,

View File

@@ -1,7 +1,7 @@
/var/log/zulip/server.log /var/log/zulip/workers.log /var/log/zulip/manage.log {
missingok
rotate 10
size 1GB
size 1G
compress
delaycompress
notifempty

View File

@@ -1,6 +1,6 @@
-r ipython.txt
# Django itself; we use a slightly patched version
git+https://github.com/zulip/truncated-django.git
git+https://github.com/zulip/truncated-django-1.8.15.git@cbf4fa3aef1b17f37d75a70e57f9b69a0f99ed5c#egg=Django==1.8.15
GitPython==0.3.2.1

View File

@@ -42,6 +42,14 @@ if not args.skip_puppet:
subprocess.check_call(["apt-get", "update"])
subprocess.check_call(["apt-get", "-y", "upgrade"])
if not os.path.exists((os.path.join(deploy_path, "zproject/prod_settings"))):
subprocess.check_call(["ln", "-nsf", "/etc/zulip/settings.py",
os.path.join(deploy_path, "zproject/prod_settings.py")])
# delete local_settings.py symlink if it exists, as it is now prod_settings.py
if os.path.exists((os.path.join(deploy_path, "zproject/local_settings.py"))):
subprocess.check_call(["rm", os.path.join(deploy_path, "zproject/local_settings.py")])
subprocess.check_call([os.path.join(deploy_path, "scripts", "lib", "create-production-venv"),
os.path.join(deploy_path, "zulip-venv")])

View File

@@ -24,7 +24,6 @@ Reusing existing connection to localhost:443.
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0
Strict-Transport-Security: max-age=15768000
Length: unspecified [text/html]
Saving to: /tmp/index.html

View File

@@ -1501,6 +1501,29 @@ class SubscriptionAPITest(ZulipTestCase):
self.assertIn("exists", json)
self.assertTrue(json["exists"])
def test_existing_subscriptions_autosubscription_private_stream(self):
# type: () -> None
"""Call /json/subscriptions/exist on an existing private stream with
autosubscribe should fail.
"""
stream_name = "Saxony"
result = self.common_subscribe_to_streams("cordelia@zulip.com", [stream_name],
invite_only=True)
stream = get_stream(stream_name, self.realm)
result = self.client_post("/json/subscriptions/exists",
{"stream": stream_name, "autosubscribe": True})
self.assert_json_success(result)
json = ujson.loads(result.content)
self.assertIn("exists", json)
self.assertTrue(json["exists"])
self.assertIn("subscribed", json)
# Importantly, we are not now subscribed
self.assertFalse(json["subscribed"])
self.assertEqual(Subscription.objects.filter(
recipient__type=Recipient.STREAM,
recipient__type_id=stream.id).count(), 1)
def get_subscription(self, user_profile, stream_name):
# type: (UserProfile, text_type) -> Subscription
stream = Stream.objects.get(realm=self.realm, name=stream_name)

View File

@@ -447,7 +447,7 @@ def stream_exists_backend(request, user_profile, stream_name, autosubscribe):
result = {"exists": bool(stream)}
if stream is not None:
recipient = get_recipient(Recipient.STREAM, stream.id)
if autosubscribe:
if not stream.invite_only and autosubscribe:
bulk_add_subscriptions([stream], [user_profile])
result["subscribed"] = Subscription.objects.filter(user_profile=user_profile,
recipient=recipient,

View File

@@ -155,7 +155,7 @@ INLINE_IMAGE_PREVIEW = True
# https://github.com/zulip/zulip/issues/291 for discussion of a better
# solution that won't be automatically reverted by the Zulip upgrade
# script), and then restart nginx.
LOCAL_UPLOADS_DIR = "/home/zulip/var/uploads"
LOCAL_UPLOADS_DIR = "/home/zulip/uploads"
#S3_AUTH_UPLOADS_BUCKET = ""
#S3_AVATAR_BUCKET = ""