Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Validation for events/rooms in fed requests #3641

Merged
merged 3 commits into from
Aug 2, 2018
Merged

Validation for events/rooms in fed requests #3641

merged 3 commits into from
Aug 2, 2018

Conversation

richvdh
Copy link
Member

@richvdh richvdh commented Aug 2, 2018

When we get a federation request which refers to an event id, make sure
that said event is in the room the caller claims it is in.

richvdh added 2 commits August 2, 2018 13:48
@richvdh
Validation for events/rooms in fed requests
0a65450 
When we get a federation request which refers to an event id, make sure that
said event is in the room the caller claims it is in.

(patch supplied by @turt2live)
@richvdh
Avoid extra db lookups
14fa9d4 
Since we're about to look up the events themselves anyway, we can skip the
extra db queries here.
@richvdh richvdh requested a review from erikjohnston August 2, 2018 12:58
@richvdh
Copy link
Member Author

richvdh commented Aug 2, 2018

@matrixbot retest this please

1 similar comment
@richvdh
Copy link
Member Author

richvdh commented Aug 2, 2018

@matrixbot retest this please

@richvdh
Copy link
Member Author

richvdh commented Aug 2, 2018

[the tests are being Difficult because sytest includes a bunch of tests for things like lazy-loading and a new /register API which were not present in 0.33.0

@richvdh richvdh mentioned this pull request Aug 2, 2018
Merged
@richvdh richvdh changed the base branch from release-v0.33.0 to release-v0.33.1 August 2, 2018 13:21
@richvdh richvdh merged commit a937497 into release-v0.33.1 Aug 2, 2018
richvdh added a commit that referenced this pull request Aug 2, 2018
@richvdh
Merge tag 'v0.33.1'
43ecfe0 
Synapse 0.33.1 (2018-08-02)
===========================

SECURITY FIXES
--------------

- Fix a potential issue where servers could request events for rooms they have not joined. (`#3641 <https://github.com/matrix-org/synapse/issues/3641>`_)
- Fix a potential issue where users could see events in private rooms before they joined. (`#3642 <https://github.com/matrix-org/synapse/issues/3642>`_)
@richvdh
Copy link
Member Author

richvdh commented Aug 2, 2018

Some background on this vulnerability:

A number of federation endpoints, which take both a room id and an event id, do not correctly validate that the two match. They apply authentication checks based on the room id, but return results based on the event id. It is therefore possible, given an event id, for servers to get details of events which they should not have access to.

The following endpoints are affected:

GET /federation/v1/backfill/{roomId}/?v={eventId}
GET /federation/v1/state/{roomId}/?event_id={eventId}
GET /federation/v1/state_ids/{roomId}/?event_id={eventId}
POST /federation/v1/query_auth/{roomId}/{eventId} with body {"auth_chain": []}

@richvdh richvdh deleted the rav/room_id_check branch August 2, 2018 16:58
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@erikjohnston erikjohnston erikjohnston approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richvdh @erikjohnston