mirror of
https://github.com/zulip/zulip.git
synced 2026-06-12 21:00:58 +08:00
63eece23a9
Backported for 2.0.7 security release. For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880. |
||
|---|---|---|
| .. | ||
| jinja2 | ||
| __init__.py | ||
| backends.py | ||
| dev_settings.py | ||
| dev_urls.py | ||
| email_backends.py | ||
| legacy_urls.py | ||
| prod_settings_template.py | ||
| settings.py | ||
| slack_importer_test_settings.py | ||
| terms.md.template | ||
| test_settings.py | ||
| urls.py | ||
| wsgi.py | ||