paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 05:23:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a23b077b79cae11757fb97f8d4e174af153c7104
zulip/zerver/views
History
Mateusz Mandera a23b077b79 CVE-2023-28623: Prevent unauthorized signup with ldap + external auth. 
Since 74dd21c8fa in Zulip Server 2.1.0, if:
- ZulipLDAPAuthBackend and an external authentication backend (any aside
  of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones
  enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py
- The organization permissions don't require invitations to join

...then an attacker can create a new account in the organization with
an arbitrary email address in their control that's not in the
organization's LDAP directory.

The impact is limited to installations which have the specific
combination of authentication backends described above, in addition to
having the "Invitations are required for joining this organization
organization" permission disabled.
2023-05-19 16:13:00 -04:00
..
development
emails: Inline CSS in emails in build_email.
2023-04-05 12:22:29 -07:00
__init__.py
alert_words.py
actions: Split out zerver.actions.alert_words.
2022-04-14 17:14:31 -07:00
attachments.py
actions: Split out zerver.actions.uploads.
2022-04-14 17:14:32 -07:00
auth.py
maybe_send_to_registration: Remove password_required arg.
2023-05-19 16:13:00 -04:00
compatibility.py
django: Use HttpRequest.headers.
2022-05-13 20:42:20 -07:00
custom_profile_fields.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
digest.py
mypy: Fix most AnonymousUser type errors.
2021-07-24 14:55:46 -07:00
documentation.py
api_url_context: Replace uri with url.
2023-04-26 16:37:16 -07:00
drafts.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
email_mirror.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
events_register.py
linkifier: Support URL templates for linkifiers.
2023-04-19 12:20:49 -07:00
home.py
accounts: Allow user to change email visibility during first login.
2023-05-16 13:52:56 -07:00
hotspots.py
actions: Split out zerver.actions.hotspots.
2022-04-14 17:14:31 -07:00
invite.py
invites: Allow users to invite without specifying any stream to join.
2023-05-09 17:05:17 -07:00
message_edit.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
message_fetch.py
Remove statsd support.
2023-04-25 19:58:16 -07:00
message_flags.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
message_send.py
urls: Add new endpoint to create scheduled messages.
2023-04-28 17:25:00 -07:00
muted_users.py
mute user: Remove unnecessary check for double muting.
2023-02-20 21:04:13 -08:00
presence.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
push_notifications.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
reactions.py
actions: Split out zerver.actions.reactions.
2022-04-14 17:14:35 -07:00
read_receipts.py
read_receipts: Exclude muted users from read receipts.
2022-09-16 16:19:54 -07:00
realm_domains.py
realm_domains: Allow only owners to add, edit or delete domains.
2022-09-16 15:27:52 -07:00
realm_emoji.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
realm_export.py
realm_export: Return export id from POST which create it.
2023-05-16 14:05:01 -07:00
realm_icon.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
realm_linkifiers.py
linkifier: Support URL templates for linkifiers.
2023-04-19 12:20:49 -07:00
realm_logo.py
upload: Add assertions before accessing uploaded files.
2022-06-23 22:09:05 -07:00
realm_playgrounds.py
actions: Split out zerver.actions.realm_playgrounds.
2022-04-14 17:14:30 -07:00
realm.py
models: Add ORG_TYPE_IDS constant field to Realm.
2023-04-27 12:28:37 -07:00
registration.py
CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.
2023-05-19 16:13:00 -04:00
report.py
zerver: Remove now-unused report/ endpoints.
2023-05-09 13:16:28 -07:00
scheduled_messages.py
scheduled-messages: Limit to parameter to user and stream IDs.
2023-05-09 12:45:11 -07:00
sentry.py
sentry: Add the observed user's IP address before forwarding.
2023-05-18 16:25:54 -07:00
storage.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
streams.py
subscriptions: Change in API used for adding new subscriptions.
2023-05-14 11:19:05 -07:00
submessage.py
actions: Split out zerver.actions.submessage.
2022-04-14 17:14:30 -07:00
thumbnail.py
docs: Remove some outdated references to thumbnailing.md doc.
2022-07-12 17:44:24 -07:00
tutorial.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
typing.py
message-type: Add support for "direct" as value for type parameter.
2023-04-18 12:29:33 -07:00
unsubscribe.py
black: Reformat with Black 23.
2023-02-02 10:40:13 -08:00
upload.py
upload: Use content_disposition_header from Django 4.2.
2023-05-11 14:51:28 -07:00
user_groups.py
user_groups: Send a message on changing user-groups subscribers.
2023-04-06 19:03:26 -07:00
user_settings.py
user_settings: Add web_mark_read_on_scroll_policy field.
2023-04-18 18:32:02 -07:00
user_topics.py
user_topics: Add a new endpoint to update visibility_policy.
2023-04-03 22:31:49 -07:00
users.py
users: Set tos_version to -1 for users who have not logged-in yet.
2023-05-16 13:52:56 -07:00
video_calls.py
actions: Split out zerver.actions.video_calls.
2022-04-14 17:14:30 -07:00
zephyr.py
ruff: Fix PLW0602 Using global but no assignment is done.
2023-01-04 16:25:07 -08:00