Check m.room.create for sane room_versions
parent
f900d50824
commit
19a17068f1
|
@ -20,7 +20,7 @@ from signedjson.key import decode_verify_key_bytes
|
||||||
from signedjson.sign import SignatureVerifyException, verify_signed_json
|
from signedjson.sign import SignatureVerifyException, verify_signed_json
|
||||||
from unpaddedbase64 import decode_base64
|
from unpaddedbase64 import decode_base64
|
||||||
|
|
||||||
from synapse.api.constants import EventTypes, JoinRules, Membership
|
from synapse.api.constants import KNOWN_ROOM_VERSIONS, EventTypes, JoinRules, Membership
|
||||||
from synapse.api.errors import AuthError, EventSizeError, SynapseError
|
from synapse.api.errors import AuthError, EventSizeError, SynapseError
|
||||||
from synapse.types import UserID, get_domain_from_id
|
from synapse.types import UserID, get_domain_from_id
|
||||||
|
|
||||||
|
@ -83,6 +83,14 @@ def check(event, auth_events, do_sig_check=True, do_size_check=True):
|
||||||
403,
|
403,
|
||||||
"Creation event's room_id domain does not match sender's"
|
"Creation event's room_id domain does not match sender's"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
room_version = event.content.get("room_version", "1")
|
||||||
|
if room_version not in KNOWN_ROOM_VERSIONS:
|
||||||
|
raise AuthError(
|
||||||
|
403,
|
||||||
|
"room appears to have unsupported version %s" % (
|
||||||
|
room_version,
|
||||||
|
))
|
||||||
# FIXME
|
# FIXME
|
||||||
logger.debug("Allowing! %s", event)
|
logger.debug("Allowing! %s", event)
|
||||||
return
|
return
|
||||||
|
|
|
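Review bot: The new check in `check()` passes `event.content.get("room_version", "1")` straight to `not in KNOWN_ROOM_VERSIONS` without confirming that the value is a string. The create event's content comes from the sender, so a JSON list or object in that field would raise `TypeError` (unhashable) rather than the intended `AuthError` if `KNOWN_ROOM_VERSIONS` is a set or dict; its definition is not shown on this page. Consider `if not isinstance(room_version, str) or room_version not in KNOWN_ROOM_VERSIONS:`, using whichever string type the codebase targets. The same pattern appears in `check_authchain_validity` in the federation client hunk and would need the same guard. The body of `check()` continues outside this hunk.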
@ -25,7 +25,7 @@ from prometheus_client import Counter
|
||||||
|
|
||||||
from twisted.internet import defer
|
from twisted.internet import defer
|
||||||
|
|
||||||
from synapse.api.constants import Membership
|
from synapse.api.constants import KNOWN_ROOM_VERSIONS, EventTypes, Membership
|
||||||
from synapse.api.errors import (
|
from synapse.api.errors import (
|
||||||
CodeMessageException,
|
CodeMessageException,
|
||||||
FederationDeniedError,
|
FederationDeniedError,
|
||||||
|
@ -518,7 +518,7 @@ class FederationClient(FederationBase):
|
||||||
description, destination, exc_info=1,
|
description, destination, exc_info=1,
|
||||||
)
|
)
|
||||||
|
|
||||||
raise RuntimeError("Failed to %s via any server", description)
|
raise RuntimeError("Failed to %s via any server" % (description, ))
|
||||||
|
|
||||||
def make_membership_event(self, destinations, room_id, user_id, membership,
|
def make_membership_event(self, destinations, room_id, user_id, membership,
|
||||||
content, params):
|
content, params):
|
||||||
|
@ -609,6 +609,26 @@ class FederationClient(FederationBase):
|
||||||
Fails with a ``RuntimeError`` if no servers were reachable.
|
Fails with a ``RuntimeError`` if no servers were reachable.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
def check_authchain_validity(signed_auth_chain):
|
||||||
|
for e in signed_auth_chain:
|
||||||
|
if e.type == EventTypes.Create:
|
||||||
|
create_event = e
|
||||||
|
break
|
||||||
|
else:
|
||||||
|
raise InvalidResponseError(
|
||||||
|
"no %s in auth chain" % (EventTypes.Create,),
|
||||||
|
)
|
||||||
|
|
||||||
|
# the room version should be sane.
|
||||||
|
room_version = create_event.content.get("room_version", "1")
|
||||||
|
if room_version not in KNOWN_ROOM_VERSIONS:
|
||||||
|
# This shouldn't be possible, because the remote server should have
|
||||||
|
# rejected the join attempt during make_join.
|
||||||
|
raise InvalidResponseError(
|
||||||
|
"room appears to have unsupported version %s" % (
|
||||||
|
room_version,
|
||||||
|
))
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def send_request(destination):
|
def send_request(destination):
|
||||||
time_now = self._clock.time_msec()
|
time_now = self._clock.time_msec()
|
||||||
|
@ -665,7 +685,7 @@ class FederationClient(FederationBase):
|
||||||
for s in signed_state:
|
for s in signed_state:
|
||||||
s.internal_metadata = copy.deepcopy(s.internal_metadata)
|
s.internal_metadata = copy.deepcopy(s.internal_metadata)
|
||||||
|
|
||||||
auth_chain.sort(key=lambda e: e.depth)
|
check_authchain_validity(signed_auth)
|
||||||
|
|
||||||
defer.returnValue({
|
defer.returnValue({
|
||||||
"state": signed_state,
|
"state": signed_state,
|
||||||
|
|
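Review bot: `check_authchain_validity` stops at the first `m.room.create` event in the remote-supplied auth chain and validates only its `room_version`; it never compares that event's `room_id` with the room being joined, and it does not reject a chain carrying more than one create event. Unless a later step enforces this (none is visible in these hunks), the version check can be satisfied by a create event that does not belong to this room. Consider adding `if create_event.room_id != room_id: raise InvalidResponseError("create event is for a different room")` beside the version check, with `room_id` standing for whatever name the enclosing method uses for the joined room. The helper would also benefit from a docstring such as `"""Raise InvalidResponseError unless the auth chain has a create event with a supported room version."""`. The enclosing method starts and ends outside these hunks.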