paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-23 04:52:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4.x
zulip/zerver/lib
History
Alex Vandiver e6eace307e CVE-2022-24751: Clear sessions outside of the transaction. 
Clearing the sessions inside the transaction makes Zulip vulnerable to
a narrow window where the deleted session has not yet been committed,
but has been removed from the memcached cache.  During this window, a
request with the session-id which has just been deleted can
successfully re-fill the memcached cache, as the in-database delete is
not yet committed, and thus not yet visible.  After the delete
transaction commits, the cache will be left with a cached session,
which allows further site access until it expires (after
SESSION_COOKIE_AGE seconds), is ejected from the cache due to memory
pressure, or the server is upgraded.

Move the session deletion outside of the transaction.

Because the testsuite runs inside of a transaction, it is impossible
to test this is CI; the testsuite uses the non-caching
`django.contrib.sessions.backends.db` backend, regardless.  The test
added in this commit thus does not fail before this commit; it is
merely a base expression that the session should be deleted somehow,
and does not exercise the assert added in the previous commit.
2022-03-15 20:29:05 +00:00
..
markdown
markdown: CSS-escape preview links.
2021-10-27 05:23:34 +00:00
url_preview
python: Convert deprecated Django smart_text alias to smart_str.
2021-04-15 18:01:34 -07:00
webhooks
docs: Fix capitalization mistakes.
2021-05-10 09:57:26 -07:00
__init__.py
actions.py
CVE-2022-24751: Clear sessions outside of the transaction.
2022-03-15 20:29:05 +00:00
addressee.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
alert_words.py
python: Reformat with Black, except quotes.
2021-02-12 13:11:19 -08:00
attachments.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
avatar_hash.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
avatar.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
bot_config.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
bot_lib.py
embedded bot: Return message id for send_message and send_reply.
2021-04-28 08:32:21 -07:00
bot_storage.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
bulk_create.py
mypy: Don’t use Iterable for values iterated multiple times.
2021-04-29 16:06:17 -07:00
cache_helpers.py
session: Enforce that changes cannot happen in a transaction.
2022-03-15 20:29:05 +00:00
cache.py
docs: Fix capitalization mistakes.
2021-05-10 09:57:26 -07:00
camo.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
ccache.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
context_managers.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
create_user.py
users: Remove redundant get_role_for_new_user in lib/create_user.py.
2021-04-30 15:57:09 -07:00
data_types.py
python: Reformat with Black, except quotes.
2021-02-12 13:11:19 -08:00
db.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
debug.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
dev_ldap_directory.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
digest.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
display_recipient.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
domains.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
email_mirror_helpers.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
email_mirror.py
email_mirror: Remove unnecessary EMAIL_GATEWAY_PATTERN logging.
2021-05-13 11:17:01 -07:00
email_notifications.py
fenced_code: Optimize FENCE_RE to fix cubic worst-case complexity.
2021-07-22 21:31:36 +00:00
email_validation.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
emoji.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
error_notify.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
event_schema.py
users: Add role field to user objects returned by format_user_row.
2021-04-29 15:13:50 -07:00
events.py
settings: Fix setting JITSI_SERVER_URL to None.
2021-05-18 19:17:13 -07:00
exceptions.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
export.py
docs: Fix capitalization mistakes.
2021-05-10 09:57:26 -07:00
external_accounts.py
docs: Fix capitalization mistakes.
2021-05-10 09:57:26 -07:00
fix_unreads.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
generate_test_data.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
github.py
apps: Link to macOS Apple silicon native build.
2021-05-06 17:52:00 -07:00
home.py
navbar: Add gear menu advertisement for sponsoring zulip.
2021-05-12 10:21:48 -07:00
hotspots.py
docs: Fix spelling errors caught by codespell.
2021-04-26 09:31:08 -07:00
html_diff.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
html_to_text.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
i18n.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
import_realm.py
docs: Fix capitalization mistakes.
2021-05-10 09:57:26 -07:00
initial_password.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
integrations.py
doc: Fix configurations for images in the doc of newrelic.
2021-05-10 17:50:32 -07:00
logging_util.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
management.py
management: Use required kwargs in add_realm_args.
2021-05-10 12:30:58 -07:00
mdiff.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
mention.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
message.py
bulk_access_messages: Bulk fetch Subscription details.
2021-05-12 16:23:22 -07:00
migrate.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
mobile_auth_otp.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
name_restrictions.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
narrow.py
mypy: Don’t use Iterable for values iterated multiple times.
2021-04-29 16:06:17 -07:00
onboarding.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
outgoing_http.py
outgoing_http: Provide a convenient way to set default headers.
2021-05-07 08:39:36 -07:00
outgoing_webhook.py
outgoing webhooks: Fix inconsistencies with Slack's API.
2021-09-23 14:49:36 -07:00
presence.py
models: Replace __id syntax with _id where possible.
2021-04-22 14:53:00 -07:00
profile.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
push_notifications.py
push_notifications: Truncate overly large remove events.
2021-11-03 11:41:57 -07:00
pysa.py
python: Sort imports with isort.
2020-06-11 16:45:32 -07:00
queue.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
rate_limiter.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
realm_description.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
realm_icon.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
realm_logo.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
redis_utils.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
remote_server.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
request.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
response.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
rest.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
retention.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
safe_session_cached_db.py
session: Enforce that changes cannot happen in a transaction.
2022-03-15 20:29:05 +00:00
send_email.py
scheduled_email: Consistently lock users table.
2021-10-18 17:06:11 -07:00
server_initialization.py
audit log: Create audit log when a realm is created.
2021-04-30 09:25:11 -07:00
sessions.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
soft_deactivation.py
soft_deactivate: Handle multiple SUBSCRIPTION_DEACTIVATEDs.
2021-11-10 12:30:24 -08:00
sqlalchemy_utils.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
statistics.py
python: Reformat with Black, except quotes.
2021-02-12 13:11:19 -08:00
storage.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
stream_subscription.py
bulk_access_messages: Bulk fetch Subscription details.
2021-05-12 16:23:22 -07:00
stream_topic.py
performance: Add get_subscriptions_for_send_message.
2021-05-12 08:10:57 -07:00
streams.py
mypy: Don’t use Iterable for values iterated multiple times.
2021-04-29 16:06:17 -07:00
subdomains.py
subdomains: Extend "static" to include resources hosted on S3.
2021-06-08 15:28:32 -07:00
test_classes.py
registration: Rename source_realm field to source_realm_id.
2021-05-02 11:12:49 -07:00
test_console_output.py
mypy: Don’t use Iterable for values iterated multiple times.
2021-04-29 16:06:17 -07:00
test_data.source.txt
Rename default branch to ‘main’.
2021-09-07 13:56:41 -07:00
test_fixtures.py
puppeteer_tests: Reset test environment after each run.
2021-03-25 12:58:36 -07:00
test_helpers.py
requirements: Remove Thumbor.
2021-05-06 20:07:32 -07:00
test_runner.py
python: Strip leading and trailing spaces from docstrings.
2021-05-07 22:42:39 -07:00
tex.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
thumbnail.py
requirements: Remove Thumbor.
2021-05-06 20:07:32 -07:00
timeout.py
timeout: Remove unnecessary varargs support.
2021-02-15 17:05:28 -08:00
timestamp.py
python: Reformat with Black, except quotes.
2021-02-12 13:11:19 -08:00
timezone.py
python: Reformat with Black, except quotes.
2021-02-12 13:11:19 -08:00
topic_mutes.py
topic_mutes: Filter deactivated streams from get_topic_mutes.
2021-03-30 12:11:35 -07:00
topic.py
message_edit: Require access to messages to move between streams.
2021-05-12 16:23:22 -07:00
transfer.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
type_debug.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
types.py
linkifiers: Use dictionaries for internal structures.
2021-04-05 18:16:08 -07:00
unminify.py
unminify: Fix lookup if source map does not exist in disk.
2021-03-16 14:46:18 -07:00
upload.py
upload: Use URL manipulation for get_public_upload_url logic.
2021-06-22 09:36:29 -07:00
url_encoding.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
user_agent.py
python: Reformat with Black, except quotes.
2021-02-12 13:11:19 -08:00
user_groups.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
user_mutes.py
models: Replace __id syntax with _id where possible.
2021-04-22 14:53:00 -07:00
user_status.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
users.py
registration: Encode source realm as an integer.
2021-05-02 11:12:49 -07:00
utils.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00
validator.py
widgets: Add range checks on backend for indexes.
2021-07-01 15:15:11 -07:00
widget.py
poll widget: Add server validation.
2021-06-14 17:57:24 -07:00
zcommand.py
python: Convert deprecated Django ugettext alias to gettext.
2021-04-15 18:01:34 -07:00
zephyr.py
python: Normalize quotes with Black.
2021-02-12 13:11:19 -08:00