mirror of https://github.com/zulip/zulip.git synced 2025-10-23 04:52:12 +00:00

Go to file

Sahil Batra 6336322d2f CVE-2023-47642: Invalid metadata access for formerly subscribed streams.

It was discovered by the Zulip development team that active users who
had previously been subscribed to a stream incorrectly continued being
able to use the Zulip API to access metadata for that stream. As a
result, users who had been removed from a stream, but still had an
account in the organization, could still view metadata for that
stream (including the stream name, description, settings, and an email
address used to send emails into the stream via the incoming email
integration). This potentially allowed users to see changes to a
stream’s metadata after they had lost access to the stream.

This bug was present in all Zulip releases prior to today's Zulip
Server 7.5.

2023-11-16 16:38:30 +00:00

.github

ci: Restore commented clean_unused_caches.py invocation.

2023-09-15 13:12:36 -07:00

.tx

provision: Replace transifex-client with new transifex-cli.

2022-12-13 12:34:08 -08:00

.vscode

vscode: Recommend remote development extension.

2021-11-03 16:03:46 -07:00

analytics

realm: Differentiate reserved realms from in-use realms.

2023-10-02 12:52:25 -07:00

api_docs

streams: Add API endpoint to get stream email.

2023-11-16 16:28:14 +00:00

confirmation

ruff: Fix DJ012 Order of model's inner classes, methods, and fields.

2023-04-12 17:32:38 -07:00

corporate

ruff: Fix RUF015 Prefer next(...) over single element slice.

2023-08-23 02:28:06 +00:00

docs

typos: Fix typos caught by typos.

2023-11-15 10:13:24 -08:00

help

help: Document unarchive_stream management command.

2023-10-02 12:52:25 -07:00

locale

i18n: Update translation data from Transifex.

2023-11-15 22:11:06 +00:00

pgroonga

migrations: Import BaseDatabaseSchemaEditor from its canonical module.

2023-03-05 14:46:28 -08:00

puppet

typos: Fix typos caught by typos.

2023-11-15 10:13:24 -08:00

requirements

requirements: Upgrade Python requirements.

2023-11-15 10:13:24 -08:00

scripts

ruff: Fix PIE808 Unnecessary start argument in range.

2023-09-15 12:21:28 -07:00

static

emails: Fix the image source for the follow-up day 2 email.

2023-08-15 17:09:35 +00:00

stubs/taint

actions: Split out zerver.actions.message_send.

2022-04-14 17:14:34 -07:00

templates

emails: Fix the issues with image width overflow.

2023-08-15 17:09:35 +00:00

tools

ruff: Fix PIE808 Unnecessary start argument in range.

2023-09-15 12:21:28 -07:00

var/puppeteer

…

web

streams: Add API endpoint to get stream email.

2023-11-16 16:28:14 +00:00

zerver

CVE-2023-47642: Invalid metadata access for formerly subscribed streams.

2023-11-16 16:38:30 +00:00

zilencer

profile_request: Support only synchronous responses for now.

2023-08-10 17:01:52 -05:00

zproject

streams: Add API endpoint to get stream email.

2023-11-16 16:28:14 +00:00

.codecov.yml

…

.codespellignore

codespell: Fix newly found typos.

2023-04-03 22:39:21 -07:00

.editorconfig

…

.eslintignore

web: Move web app to ‘web’ directory.

2023-02-23 16:04:17 -08:00

.eslintrc.json

shared: Avoid replaceAll again.

2023-05-25 22:39:12 -07:00

.gitattributes

.gitattributes: Mark *.bmp, *.bson, *.mp3, *.pdf as binary.

2022-02-07 18:51:06 -08:00

.gitignore

dependencies: Switch to pnpm.

2023-03-20 15:48:29 -07:00

.gitlint

lint: Update line-length for commit message to 72 in gitlint.

2023-05-01 10:35:52 -07:00

.mailmap

mailmap: Add entry for Brijmohan Siyag.

2023-05-31 08:48:02 -07:00

.npmignore

…

.npmrc

dependencies: Switch to pnpm.

2023-03-20 15:48:29 -07:00

.prettierignore

dependencies: Switch to pnpm.

2023-03-20 15:48:29 -07:00

.pyre_configuration

…

.readthedocs.yaml

readthedocs: Add a configuration file.

2023-02-03 16:36:54 -08:00

.sonarcloud.properties

…

CODE_OF_CONDUCT.md

contributor docs: Add guidelines on moderating the Zulip community.

2022-12-02 16:57:41 -08:00

CONTRIBUTING.md

docs: Link to new guide on suggesting features and improvements.

2023-06-13 11:48:50 -04:00

Dockerfile-postgresql

docker: Document the PostgreSQL Dockerfile build steps.

2022-04-26 18:00:00 -07:00

LICENSE

…

manage.py

ruff: Fix SIM102 nested if statements.

2023-01-23 11:18:36 -08:00

NOTICE

…

package.json

dependencies: Upgrade JavaScript dependencies.

2023-05-12 11:12:20 -07:00

pnpm-lock.yaml

dependencies: Upgrade JavaScript dependencies.

2023-05-12 11:12:20 -07:00

prettier.config.js

…

pyproject.toml

ruff: Collapse short multi-line import statements.

2023-08-23 02:29:07 +00:00

README.md

README: Update Ruff badge.

2023-03-21 11:46:20 -07:00

SECURITY.md

docs: Update .html links pointing to "Upgrade Zulip" or "Modify Zulip".

2023-08-14 22:06:10 +00:00

stylelint.config.js

linter: Lint grid-area names for quotation marks.

2023-05-19 13:08:15 -07:00

tsconfig.json

ts: Convert emoji.js to TypeScript.

2023-04-05 10:29:01 -07:00

Vagrantfile

vagrant: Add Fedora 36 support.

2022-09-08 16:12:59 -07:00

version.py

streams: Add API endpoint to get stream email.

2023-11-16 16:28:14 +00:00

README.md

Zulip overview

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. Fortune 500 companies, leading open source projects, and thousands of other organizations use Zulip every day. Zulip is the only modern team chat app that is designed for both live and asynchronous conversations.

Zulip is built by a distributed community of developers from all around the world, with 74+ people who have each contributed 100+ commits. With over 1000 contributors merging over 500 commits a month, Zulip is the largest and fastest growing open source team chat project.

Come find us on the development community chat!

Getting started

Contributing code. Check out our guide for new contributors to get started. We have invested in making Zulip’s code highly readable, thoughtfully tested, and easy to modify. Beyond that, we have written an extraordinary 150K words of documentation for Zulip contributors.
Contributing non-code. Report an issue, translate Zulip into your language, or give us feedback. We'd love to hear from you, whether you've been using Zulip for years, or are just trying it out for the first time.
Checking Zulip out. The best way to see Zulip in action is to drop by the Zulip community server. We also recommend reading about Zulip's unique approach to organizing conversations.
Running a Zulip server. Self-host Zulip directly on Ubuntu or Debian Linux, in Docker, or with prebuilt images for Digital Ocean and Render. Learn more about self-hosting Zulip.
Using Zulip without setting up a server. Learn about Zulip Cloud hosting options. Zulip sponsors free Zulip Cloud Standard for hundreds of worthy organizations, including fellow open-source projects.
Participating in outreach programs like Google Summer of Code and Outreachy.
Supporting Zulip. Advocate for your organization to use Zulip, become a sponsor, write a review in the mobile app stores, or help others find Zulip.

You may also be interested in reading our blog, and following us on Twitter and LinkedIn.

Zulip is distributed under the Apache 2.0 license.

Languages

Python 58.5%

TypeScript 18.1%

JavaScript 9.1%

CSS 3.9%

HTML 3.6%

Other 6.6%

README.md Unescape Escape

Zulip overview

Getting started

README.md