Skip to content

Commit

Permalink
docs: Update to reflect changes in security modal.
Browse files Browse the repository at this point in the history
  • Loading branch information
adnrs96 committed Apr 16, 2017
1 parent 262c392 commit b2c6b1e
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 20 deletions.
4 changes: 2 additions & 2 deletions docs/roadmap.md
Original file line number Diff line number Diff line change
Expand Up @@ -176,9 +176,9 @@ of its size, it takes work to keep it that way.

* [Add support for 2-factor authentication on all
platforms](https://github.com/zulip/zulip/pull/1747)
* [Add support for stronger security controls for uploaded files (The
* <strike>[Add support for stronger security controls for uploaded files (The
LOCAL_UPLOADS_DIR file uploads backend only supports world-readable
uploads)](https://github.com/zulip/zulip/issues/320)
uploads)](https://github.com/zulip/zulip/issues/320)</strike>
* [Fix requirement to set a password when creating account via
Google](https://github.com/zulip/zulip/issues/1633)
* [Add a retention policy feature that automatically deletes old
Expand Down
21 changes: 3 additions & 18 deletions docs/security-model.md
Original file line number Diff line number Diff line change
Expand Up @@ -184,24 +184,9 @@ your organization.
* Zulip supports user-uploaded files; ideally they should be hosted
from a separate domain from the main Zulip server to protect against
various same-domain attacks (e.g. zulip-user-content.example.com)
using the S3 integration.

The URLs of user-uploaded files are secret; if you are using the
"local file upload" integration, anyone with the URL of an uploaded
file can access the file. This means the local uploads integration
is vulnerable to a subtle attack where if a user clicks on a link in
a secret .PDF or .HTML file that had been uploaded to Zulip, access
to the file might be leaked to the other server via the Referrer
header (see [the "Uploads world readable" issue on
GitHub](https://github.com/zulip/zulip/issues/320)).

The Zulip S3 file upload integration is relatively safe against that
attack, because the URLs of files presented to users don't host the
content. Instead, the S3 integration checks the user has a valid
Zulip session in the relevant realm, and if so then redirects the
browser to a one-time S3 URL that expires a short time later.
Keeping the URL secret is still important to avoid other users in
the Zulip realm from being able to access the file.
using the S3 integration. The uploaded files could be viewed by only
those users who have access to them. Simple possession of a URL to
the uploaded file doesn't qualify as a right to view such a file.

* Zulip supports using the Camo image proxy to proxy content like
inline image previews that can be inserted into the Zulip message
Expand Down

0 comments on commit b2c6b1e

Please sign in to comment.