Impact
Users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowing them to trick other users into executing arbitrary JavaScript in the context of the Zulip application. Among other things, this enables session theft.
Only deployments which use the S3 storage (not the local-disk storage) are affected, and only deployments which deployed 04cf68b (merged on January 9th), which has only been in main. This vulnerability does not affect any numbered release.
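The three conditions above (user-controlled Content-Type, Content-Disposition: inline, no Content-Security-Policy) are each necessary for the upload to execute script on the application origin, so a serving path can be audited against exactly those headers. The following is an added illustration written for this advisory, not Zulip's code or its fix: it shows the header pattern the advisory describes beside a hardened variant, plus a check that flags any response which would render active content inline on the origin. The allow-list of inline-safe types, the function names and the sample filenames are assumptions for the example.

```python
"""Illustrative (not Zulip's) serving-time header logic for user uploads.

Example code written for this advisory. INLINE_SAFE_TYPES, ACTIVE_TYPES and
the function names are assumptions; tune the allow-list to your deployment.
"""
from typing import Dict

# Assumed allow-list: types browsers render passively (no script execution).
INLINE_SAFE_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "application/pdf", "text/plain", "audio/mpeg", "video/mp4",
})

# Types a browser will execute script from if rendered inline on the app origin.
ACTIVE_TYPES = frozenset({
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
})


def normalize_content_type(value: str) -> str:
    """Lower-case the media type and drop parameters such as '; charset=utf-8'."""
    return value.split(";", 1)[0].strip().lower()


def is_active_content(upload_content_type: str) -> bool:
    """True if the (user-supplied) type is one browsers treat as active content."""
    return normalize_content_type(upload_content_type) in ACTIVE_TYPES


def vulnerable_headers(upload_content_type: str) -> Dict[str, str]:
    """The pattern the advisory describes: trust the stored type, serve inline, no CSP."""
    return {
        "Content-Type": upload_content_type,
        "Content-Disposition": "inline",
    }


def _safe_filename(filename: str) -> str:
    """Strip characters that would break or inject into the Content-Disposition value."""
    return filename.replace('"', "").replace("\r", "").replace("\n", "").replace("\\", "")


def hardened_headers(upload_content_type: str, filename: str) -> Dict[str, str]:
    """Serve only allow-listed types inline; force everything else to a download.

    Every response also gets nosniff (so the browser will not reinterpret the
    body) and a CSP that both blocks script and, via 'sandbox', renders the
    document in an opaque origin so it cannot reach the application's cookies.
    """
    media_type = normalize_content_type(upload_content_type)
    name = _safe_filename(filename)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if media_type in INLINE_SAFE_TYPES:
        headers["Content-Type"] = media_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


def serves_active_content_on_origin(headers: Dict[str, str]) -> bool:
    """Audit check: would this response execute script in the app's origin?

    Flags the advisory's combination: an active content type, rendered inline
    (the browser default when the header is absent), with no sandboxing CSP.
    """
    media_type = normalize_content_type(headers.get("Content-Type", ""))
    disposition = headers.get("Content-Disposition", "inline").split(";", 1)[0].strip().lower()
    csp = headers.get("Content-Security-Policy", "").lower()
    sandboxed = "sandbox" in csp
    return media_type in ACTIVE_TYPES and disposition == "inline" and not sandboxed


if __name__ == "__main__":
    # Constructed sample: an attacker-chosen type on an uploaded file.
    bad = vulnerable_headers("text/html; charset=utf-8")
    good = hardened_headers("text/html; charset=utf-8", 'payload".html')
    print("vulnerable path executes script:", serves_active_content_on_origin(bad))
    print("hardened path executes script:", serves_active_content_on_origin(good))
    print(good)
```

The check in serves_active_content_on_origin is the useful part for an operator: run it over the headers your upload endpoint actually returns (from a stored object with a hand-set Content-Type) rather than over what the code intends, since the advisory's root cause was that the stored, attacker-chosen type flowed through to the response unchanged.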
Workarounds
Switching from S3 storage to the local-disk storage would nominally mitigate this, but is likely more involved than upgrading to the latest main, which addresses the issue.
Patches
The vulnerability was fixed in the main branch with commit 2f6c5a8. Users running a Zulip server from the main branch should upgrade from main again to deploy this fix.