mirror of https://github.com/zulip/zulip.git synced 2025-11-03 05:23:35 +00:00

Go to file

Anders Kaseorg 780ecb672b CVE-2019-16216: Fix MIME type validation.

* Whitelist a small number of image/ types to be served as
  non-attachments.
* Serve the file using the type that we validated rather than relying
  on an independent guess to match.

This issue can lead to a stored XSS security vulnerability for older
browsers that don't support Content-Security-Policy.

It primarily affects servers using Zulip's local file uploads backend
for servers running Ubuntu 16.04 Xenial or newer; the legacy local
file upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected
and it has limited impact for the S3 upload backend (which uses an
unprivileged S3 bucket domain to serve files).

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

2019-09-11 15:46:36 -07:00

.circleci

circleci: Store XUnit test results.

2019-07-07 22:31:11 -07:00

.github

github: Suggest GIFs too in PR template.

2018-02-16 09:59:22 -08:00

.tx

cleanup: Delete trailing newlines.

2019-08-06 23:29:11 -07:00

analytics

analytics: Clean up type ignores.

2019-08-09 16:39:16 -07:00

confirmation

analytics/zilencer/zproject: Remove unused imports.

2019-02-02 17:31:45 -08:00

corporate

requirements: Upgrade stripe pip package from 2.21.0 to 2.35.0.

2019-08-19 11:09:33 -07:00

docs

docs: Fix typo in production/email.md.

2019-09-10 16:10:12 -07:00

frontend_tests

markdown: Render ordered lists using <ol> markup.

2019-09-08 16:42:20 -07:00

locale

i18n: Update translation data from transifex.

2019-08-07 15:15:28 -07:00

pgroonga

migrations: Remove unused imports.

2019-02-02 17:01:04 -08:00

puppet

search: Remove now unnecessary tsearch_extra dependency.

2019-08-29 12:49:26 -07:00

requirements

requirements: Upgrade twisted to 19.7.0.

2019-09-08 09:42:32 -07:00

scripts

parse_os_release: Use /etc/os-release always; remove DISTRIB_FAMILY.

2019-08-29 17:30:20 -07:00

static

styles: Remove overrides for KaTeX line-height and white-space.

2019-09-10 16:03:20 -07:00

stubs

mypy: Remove daemon mode.

2019-08-25 15:04:12 -07:00

templates

docs/botserver: Document running custom bot modules.

2019-09-03 13:28:01 -07:00

tools

Revert "provision: Give concrete NFS error message on older OSX versions."

2019-09-09 14:47:51 -07:00

zerver

CVE-2019-16216: Fix MIME type validation.

2019-09-11 15:46:36 -07:00

zilencer

custom fields: Add default external account custom fields.

2019-08-28 15:35:53 -07:00

zproject

ldap: Fix logging of warning for deactivated users.

2019-09-08 09:35:23 -07:00

zthumbor

zthumbor: Clean up type ignores.

2019-08-09 17:42:33 -07:00

.babelrc

webpack: Transpile JS code with Babel.

2019-07-22 17:55:32 -07:00

.browserslistrc

webpack: Transpile JS code with Babel.

2019-07-22 17:55:32 -07:00

.codecov.yml

codecov: Change threshold to use percentage syntax.

2019-07-20 14:37:04 -07:00

.editorconfig

.editorconfig: Fix invalid brace patterns.

2019-07-03 14:40:56 -07:00

.eslintignore

typescript: Use ESLint instead of TSLint.

2019-04-13 11:42:47 -07:00

.eslintrc.json

data export: Add UI to trigger data export.

2019-08-12 18:21:38 -07:00

.gitattributes

Revert "gitattributes: Mark yarn.lock as "binary", i.e. suppress diffs."

2019-05-20 19:31:14 -07:00

.gitignore

i18n: Move static/locale back to locale.

2019-07-02 14:57:55 -07:00

.gitlint

lint: Allow revert commit messages in gitlint.

2018-02-13 09:21:01 -08:00

.isort.cfg

tornado: Fix logging of tornado activity level.

2018-04-17 15:59:01 -07:00

.npmignore

…

.stylelintrc

lint: Ban color names in CSS.

2019-01-22 15:33:18 -08:00

.travis.yml

ci: Move backend and production tests to Ubuntu 16.04 (xenial).

2019-05-24 17:07:15 -07:00

.yarnrc

.yarnrc: Set ignore-scripts true.

2019-08-28 16:15:54 -07:00

CODE_OF_CONDUCT.md

docs: Add clarifying comma in CODE_OF_CONDUCT.md.

2019-04-05 18:01:37 -07:00

CONTRIBUTING.md

docs: Mention twitter account as alternative to mailing list.

2019-05-20 15:21:15 -07:00

Dockerfile-postgresql

search: Remove now unnecessary tsearch_extra dependency.

2019-08-29 12:49:26 -07:00

LICENSE

license: Move license application notice from LICENSE to NOTICE.

2018-10-02 12:04:44 -07:00

manage.py

manage.py: Revert sabotaging pika.adapters.twisted_connection import.

2019-01-31 10:04:28 -08:00

mypy.ini

mypy: In non-daemon mode, follow package imports.

2019-08-16 14:13:40 -07:00

NOTICE

license: Move license application notice from LICENSE to NOTICE.

2018-10-02 12:04:44 -07:00

package.json

webpack: Move CSS minification to optimization stage.

2019-09-02 21:58:13 -07:00

postcss.config.js

webpack: Move CSS minification to optimization stage.

2019-09-02 21:58:13 -07:00

README.md

readme: Remove Travis badge.

2019-09-06 13:14:14 -07:00

Vagrantfile

Revert "vagrant: Add NFS backend for file synchronization for OSX."

2019-08-12 16:04:00 -07:00

version.py

requirements: Use PyPI fork of line_profiler supporting Python 3.7.

2019-09-08 09:34:55 -07:00

yarn.lock

webpack: Move CSS minification to optimization stage.

2019-09-02 21:58:13 -07:00

README.md

Zulip overview

Zulip is a powerful, open source group chat application that combines the immediacy of real-time chat with the productivity benefits of threaded conversations. Zulip is used by open source projects, Fortune 500 companies, large standards bodies, and others who need a real-time chat system that allows users to easily process hundreds or thousands of messages a day. With over 500 contributors merging over 500 commits a month, Zulip is also the largest and fastest growing open source group chat project.

Getting started

Click on the appropriate link below. If nothing seems to apply, join us on the Zulip community server and tell us what's up!