mirror of
https://github.com/zulip/zulip.git
synced 2026-06-06 21:12:33 +08:00
`location /api/v1/events` is a *prefix-match*, and as such passes any URI starting with `/api/v1/events` through to Tornado -- including encoded oddities like `/api/v1/events%3fdont%255fblock=false` (whose decoded `$uri` still has the prefix) and `/api/v1/events/internal`, which is meant to be reachable only via the loopback interface but was being proxied to Tornado from the public socket. Tornado's `internal_api_view` rejects external callers both via its `REMOTE_ADDR` check and its `SHARED_SECRET` check, so this was not exploitable, but a Tornado worker still had to handle each such request just to 403 it. Switch to exact matches, as was likely intended all along, which lets those requests fall through to Django/uWSGI and 404 without ever waking Tornado. The legitimate internal callers in `zerver/tornado/django_api.py` talk to `http://127.0.0.1:<tornado-port>` directly, so they are unaffected, as is the X-Accel-Redirect path served by the `/internal/tornado/` regex location.
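The prefix-match and exact-match forms side by side, as an added nginx example that is not Zulip's own configuration. The upstream name, the Tornado port, the uWSGI socket path, the TLS block and the `internal;` directive on the X-Accel-Redirect location are assumptions made for illustration; only the `location` matching semantics are the point.

```nginx
# Added example, not the project's own nginx config (assumed upstream name,
# ports and socket path).

upstream tornado {
    server 127.0.0.1:9800;   # assumed Tornado port
}

server {
    listen 443 ssl;
    # TLS settings omitted

    # BEFORE (prefix match): any request whose *normalized, percent-decoded*
    # $uri begins with /api/v1/events is proxied to Tornado. That includes
    #   /api/v1/events/internal
    #   /api/v1/events%3fdont%255fblock=false
    # (the second decodes to /api/v1/events?dont%5fblock=false, which still
    # carries the prefix). Tornado rejects them with 403, but a worker has to
    # wake up to do it.
    #
    # location /api/v1/events {
    #     proxy_pass http://tornado;
    # }

    # AFTER (exact match): only a $uri that is literally /api/v1/events is
    # sent to Tornado. Everything else falls through to the catch-all below
    # and is answered by Django/uWSGI (a 404 for the paths above).
    location = /api/v1/events {
        proxy_pass http://tornado;
    }

    # Reachable only through an X-Accel-Redirect issued by Django; a client
    # request for this path is refused by nginx itself because of `internal;`.
    # (Assumed shape of the regex location; the real one may differ.)
    location ~ ^/internal/tornado/ {
        internal;
        proxy_pass http://tornado;
    }

    # Catch-all: Django via uWSGI.
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/var/run/zulip-uwsgi.sock;   # assumed socket path
    }
}
```

After `nginx -t` and a reload, the check a practitioner wants is that `curl -s -o /dev/null -w '%{http_code}' https://<host>/api/v1/events/internal` and the `%3f` variant now return Django's 404 rather than Tornado's 403, while a normal `GET /api/v1/events` with valid credentials still reaches Tornado. Any sibling prefix location for the same endpoint (if one exists for a different URL scheme) needs the same `=` treatment, since `location` blocks are matched independently.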
| Name |
|---|
| kandra |
| zulip |
| deps.yaml |