Merge pull request #3642 from matrix-org/rav/another_room_id_check

Check room visibility for /event/ requests
2018-08-02 15:21:59 +01:00 · 2018-08-02 15:21:59 +01:00 · 50d9d97408
parent a937497cf5 8cefc690c9
commit 50d9d97408
5 changed files with 25 additions and 7 deletions
--- a/changelog.d/3641.bugfix
+++ b/changelog.d/3641.bugfix
@ -1 +1 @@
-Fix a potential event disclosure issue
+Fix a potential issue where servers could request events for rooms they have not joined.
--- a/changelog.d/3642.bugfix
+++ b/changelog.d/3642.bugfix
@ -0,0 +1 @@
+Fix a potential issue where users could see events in private joins before they joined
--- a/synapse/handlers/events.py
+++ b/synapse/handlers/events.py
@ -19,10 +19,12 @@ import random
 from twisted.internet import defer

 from synapse.api.constants import EventTypes, Membership
+from synapse.api.errors import AuthError
 from synapse.events import EventBase
 from synapse.events.utils import serialize_event
 from synapse.types import UserID
 from synapse.util.logutils import log_function
+from synapse.visibility import filter_events_for_client

 from ._base import BaseHandler

@ -129,11 +131,13 @@ class EventStreamHandler(BaseHandler):
 class EventHandler(BaseHandler):

    @defer.inlineCallbacks
-    def get_event(self, user, event_id):
+    def get_event(self, user, room_id, event_id):
        """Retrieve a single specified event.

        Args:
            user (synapse.types.UserID): The user requesting the event
+            room_id (str|None): The expected room id. We'll return None if the
+                event's room does not match.
            event_id (str): The event ID to obtain.
        Returns:
            dict: An event, or None if there is no event matching this ID.
@ -142,13 +146,26 @@ class EventHandler(BaseHandler):
            AuthError if the user does not have the rights to inspect this
            event.
        """
-        event = yield self.store.get_event(event_id)
+        event = yield self.store.get_event(event_id, check_room_id=room_id)

        if not event:
            defer.returnValue(None)
            return

-        if hasattr(event, "room_id"):
-            yield self.auth.check_joined_room(event.room_id, user.to_string())
+        users = yield self.store.get_users_in_room(event.room_id)
+        is_peeking = user.to_string() not in users
+
+        filtered = yield filter_events_for_client(
+            self.store,
+            user.to_string(),
+            [event],
+            is_peeking=is_peeking
+        )
+
+        if not filtered:
+            raise AuthError(
+                403,
+                "You don't have permission to access that event."
+            )

        defer.returnValue(event)
--- a/synapse/rest/client/v1/events.py
+++ b/synapse/rest/client/v1/events.py
@ -88,7 +88,7 @@ class EventRestServlet(ClientV1RestServlet):
    @defer.inlineCallbacks
    def on_GET(self, request, event_id):
        requester = yield self.auth.get_user_by_req(request)
-        event = yield self.event_handler.get_event(requester.user, event_id)
+        event = yield self.event_handler.get_event(requester.user, None, event_id)

        time_now = self.clock.time_msec()
        if event:
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@ -508,7 +508,7 @@ class RoomEventServlet(ClientV1RestServlet):
    @defer.inlineCallbacks
    def on_GET(self, request, room_id, event_id):
        requester = yield self.auth.get_user_by_req(request)
-        event = yield self.event_handler.get_event(requester.user, event_id)
+        event = yield self.event_handler.get_event(requester.user, room_id, event_id)

        time_now = self.clock.time_msec()
        if event:
				`@ -0,0 +1 @@`
				`Fix a potential issue where users could see events in private joins before they joined`