zulip/zerver
Mateusz Mandera d1cbb0dd59 CVE-2024-56136: Don't leak information via "invalid subdomain" error.
The bug we're fixing here leaks information by returning an "invalid
subdomain" error when an attempt is made to log in to user@example.com
on a subdomain X when user@example.com does not exist on X, but does
on another subdomain Y.

This allows an attacker to determine that a certain email address has an
account on the server.

Instead, this should just return a regular authentication error.
2025-01-16 12:30:08 -05:00
actions message_edit: Disallow resolving empty string topic. 2025-01-14 14:22:21 -08:00
data_import ruff: Partially reformat Python with Ruff 0.9 (2025 style). 2025-01-14 09:42:16 -08:00
integration_fixtures/nagios
lib thumbnail: Show the first few frames of large animated images. 2025-01-15 09:56:19 -08:00
management ruff: Partially reformat Python with Ruff 0.9 (2025 style). 2025-01-14 09:42:16 -08:00
migrations settings: Show avatar by default in right sidebar for new orgs. 2025-01-09 09:19:22 -08:00
models settings: Show avatar by default in right sidebar for new orgs. 2025-01-09 09:19:22 -08:00
openapi message_edit: Disallow resolving empty string topic. 2025-01-14 14:22:21 -08:00
tests CVE-2024-56136: Don't leak information via "invalid subdomain" error. 2025-01-16 12:30:08 -05:00
tornado mark_unread: Add support for empty topic name. 2025-01-07 17:24:00 -08:00
transaction_tests test_user_groups: Add durable=True to the independent transaction. 2024-11-21 14:55:15 -08:00
views CVE-2024-56136: Don't leak information via "invalid subdomain" error. 2025-01-16 12:30:08 -05:00
webhooks ruff: Partially reformat Python with Ruff 0.9 (2025 style). 2025-01-14 09:42:16 -08:00
worker thumbnail: Show the first few frames of large animated images. 2025-01-15 09:56:19 -08:00
__init__.py
apps.py ruff: Fix UP007 Use X | Y for type annotations. 2024-07-13 22:28:22 -07:00
context_processors.py password: Add password_max_length to register response. 2025-01-13 11:47:34 -08:00
decorator.py queue: Rename queue_json_publish to queue_json_publish_rollback_unsafe. 2024-12-06 09:23:02 -08:00
filters.py ruff: Fix UP007 Use X | Y for type annotations. 2024-07-13 22:28:22 -07:00
forms.py ruff: Partially reformat Python with Ruff 0.9 (2025 style). 2025-01-14 09:42:16 -08:00
logging_handlers.py ruff: Fix UP007 Use X | Y for type annotations. 2024-07-13 22:28:22 -07:00
middleware.py test_classes: Refine assert_json_success output with exception chaining. 2024-12-04 11:38:45 -08:00
signals.py queue: Rename queue_json_publish to queue_json_publish_rollback_unsafe. 2024-12-06 09:23:02 -08:00