Check if alias event's state_key matches sender's domain

2016-07-13 13:12:25 +01:00 · 2016-07-13 13:12:25 +01:00 · 2cb758ac75
parent 560c71c735
commit 2cb758ac75
1 changed files with 11 additions and 0 deletions
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@ -115,6 +115,17 @@ class Auth(object):

            # FIXME: Temp hack
            if event.type == EventTypes.Aliases:
+                if not event.state_key:
+                    raise AuthError(
+                        403,
+                        "Alias event must have non-empty state_key"
+                    )
+                sender_domain = get_domain_from_id(event.sender)
+                if event.state_key != sender_domain:
+                    raise AuthError(
+                        403,
+                        "Alias event's state_key does not match sender's domain"
+                    )
                return True

            logger.debug(