paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 05:23:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a8217c51de3ac40b0994196c9969e0445e63c960
zulip/zerver/views
History
Anders Kaseorg 751b2a03e5 CVE-2022-31168: Fix authorization check for changing bot roles. 
Due to an incorrect authorization check in Zulip Server 5.4 and
earlier, a member of an organization could craft an API call that
grants organization administrator privileges to one of their bots.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-21 17:59:09 -07:00
..
development
email-log: Move forward_address to REQ framework.
2022-07-20 14:22:25 -07:00
__init__.py
alert_words.py
actions: Split out zerver.actions.alert_words.
2022-04-14 17:14:31 -07:00
attachments.py
actions: Split out zerver.actions.uploads.
2022-04-14 17:14:32 -07:00
auth.py
confirmation: Tighten logic around the mark_object_used parameter.
2022-07-21 15:18:15 -07:00
compatibility.py
django: Use HttpRequest.headers.
2022-05-13 20:42:20 -07:00
custom_profile_fields.py
custom_profile: Use cast to ensure ProfieDataElementUpdateDict.
2022-07-15 14:55:03 -07:00
digest.py
mypy: Fix most AnonymousUser type errors.
2021-07-24 14:55:46 -07:00
documentation.py
documentation: Make get compatible with the supertype.
2022-07-19 17:48:27 -07:00
drafts.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
email_mirror.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
events_register.py
events_register: Pass spectator set language to client in user_settings.
2022-07-14 14:27:32 -07:00
home.py
typing: Add none-checks for miscellaneous cases.
2022-05-31 09:43:55 -07:00
hotspots.py
actions: Split out zerver.actions.hotspots.
2022-04-14 17:14:31 -07:00
invite.py
invites: Capitalize "ID" in the error raised for invalid stream ids.
2022-05-27 17:06:03 -07:00
message_edit.py
actions: Split out zerver.actions.message_edit.
2022-04-14 17:14:36 -07:00
message_fetch.py
python: Unquote some unnecessarily quoted type annotations.
2022-06-26 17:37:41 -07:00
message_flags.py
Revert "message_flags: Filter msgs having (or not) the flag before updating."
2022-07-21 14:29:54 -07:00
message_send.py
requirements: Upgrade to Django 4.0.
2022-07-13 16:07:17 -07:00
muting.py
actions: Split out zerver.actions.muted_users.
2022-04-14 17:14:36 -07:00
portico.py
middleware: Fix URL encoding of next parameter.
2022-05-12 17:51:51 -07:00
presence.py
actions: Split out zerver.actions.presence.
2022-04-14 17:14:32 -07:00
push_notifications.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
reactions.py
actions: Split out zerver.actions.reactions.
2022-04-14 17:14:35 -07:00
realm_domains.py
actions: Split out zerver.actions.realm_domains.
2022-04-14 17:14:37 -07:00
realm_emoji.py
upload: Add assertions before accessing uploaded files.
2022-06-23 22:09:05 -07:00
realm_export.py
actions: Split out zerver.actions.realm_export.
2022-04-14 17:14:31 -07:00
realm_icon.py
upload: Add assertions before accessing uploaded files.
2022-06-23 22:09:05 -07:00
realm_linkifiers.py
actions: Split out zerver.actions.realm_linkifiers.
2022-04-14 17:14:31 -07:00
realm_logo.py
upload: Add assertions before accessing uploaded files.
2022-06-23 22:09:05 -07:00
realm_playgrounds.py
actions: Split out zerver.actions.realm_playgrounds.
2022-04-14 17:14:30 -07:00
realm.py
confirmation: Tighten logic around the mark_object_used parameter.
2022-07-21 15:18:15 -07:00
registration.py
confirmation: Tighten logic around the mark_object_used parameter.
2022-07-21 15:18:15 -07:00
report.py
report: Strengthen report_csp_violations type using WildValue.
2022-03-15 13:02:02 -07:00
storage.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
streams.py
typing: Add none-checks for stream.recipient_id.
2022-06-23 19:25:48 -07:00
submessage.py
actions: Split out zerver.actions.submessage.
2022-04-14 17:14:30 -07:00
thumbnail.py
docs: Remove some outdated references to thumbnailing.md doc.
2022-07-12 17:44:24 -07:00
tutorial.py
backend: Add request as parameter to json_success.
2022-02-04 15:16:56 -08:00
typing.py
actions: Split out zerver.actions.typing.
2022-04-14 17:14:30 -07:00
unsubscribe.py
confirmation: Tighten logic around the mark_object_used parameter.
2022-07-21 15:18:15 -07:00
upload.py
upload: Add assertions before accessing uploaded files.
2022-06-23 22:09:05 -07:00
user_groups.py
user_groups: Rename existing_subgroups variable to existing_direct_subgroup_ids.
2022-05-17 14:51:55 -07:00
user_settings.py
get_object_from_key: Make mark_object_used an obligatory kwarg.
2022-07-21 15:18:15 -07:00
users.py
CVE-2022-31168: Fix authorization check for changing bot roles.
2022-07-21 17:59:09 -07:00
video_calls.py
actions: Split out zerver.actions.video_calls.
2022-04-14 17:14:30 -07:00
zephyr.py
python: Use Python 3.8 shlex.join function.
2022-04-27 12:57:49 -07:00