This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Synapse allows invalid characters in the signature key id #8307

Open
timokoesters opened this issue Sep 13, 2020 · 1 comment
Labels
A-Spec-Compliance places where synapse does not conform to the spec A-Validation 500 (mostly) errors due to lack of event/parameter validation S-Minor Blocks non-critical functionality, workarounds exist. S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. Z-Cleanup Things we want to get rid of, but aren't actively causing pain

Comments

@timokoesters

Synapse seems to accept more characters in the signature key id than the spec allows (for example +).

In Matrix HQ there's an event with signatures like this:

        "signatures": {
            "solver.nu": {
                "ed25519:i+b2": "eodPQHXrns8Jk0XITTlaB61XdjxJW8uCi7paKqgrJmA5ok0NfsRw4Zhyx9RaIs/e7tZMJ29O46oh0IRx6jwZCQ"
            }
        }

But the spec says only `[a-zA-Z0-9_]` is allowed (https://matrix.org/docs/spec/server_server/r0.1.4#post-matrix-key-v2-query).
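
An added example, not part of the original issue and not Synapse's code: a strict check of the key IDs in an event's `signatures` block against the `[a-zA-Z0-9_]` character set quoted above. The `<algorithm>:<version>` split, the function names and the sample event (placeholder signature values, a constructed `example.org` entry) are assumptions made for illustration.

```python
import re

# Character set the issue quotes from the spec, applied to the part after ':'.
# Explicit ranges rather than \w, which also matches non-ASCII letters/digits.
_VERSION_RE = re.compile(r"[a-zA-Z0-9_]+")


def check_key_id(key_id):
    """Return None if key_id is well-formed, otherwise a reason string."""
    if not isinstance(key_id, str):
        return "key id is not a string"
    # Assumption: key ids have the shape '<algorithm>:<version>'.
    algorithm, sep, version = key_id.partition(":")
    if not sep or not algorithm:
        return "expected '<algorithm>:<version>'"
    if not version:
        return "empty version"
    # fullmatch, not match with '$': '$' would let a trailing newline through.
    if _VERSION_RE.fullmatch(version) is None:
        bad = sorted({c for c in version if _VERSION_RE.fullmatch(c) is None})
        return "disallowed characters in version: %r" % bad
    return None


def invalid_signature_key_ids(event):
    """Return [(server_name, key_id, reason)] for each malformed key id."""
    findings = []
    signatures = event.get("signatures")
    if not isinstance(signatures, dict):
        return findings
    for server_name, keys in signatures.items():
        if not isinstance(keys, dict):
            findings.append((server_name, None, "signatures entry is not an object"))
            continue
        for key_id in keys:
            reason = check_key_id(key_id)
            if reason is not None:
                findings.append((server_name, key_id, reason))
    return findings


# Constructed sample: the key id from the issue plus a made-up valid entry.
SAMPLE_EVENT = {
    "signatures": {
        "solver.nu": {"ed25519:i+b2": "<signature placeholder>"},
        "example.org": {"ed25519:a_1": "<signature placeholder>"},
    }
}

if __name__ == "__main__":
    for finding in invalid_signature_key_ids(SAMPLE_EVENT):
        print(finding)
```
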

@erikjohnston erikjohnston added z-bug (Deprecated Label) z-p2 (Deprecated Label) A-Spec-Compliance places where synapse does not conform to the spec labels Sep 14, 2020
@clokep clokep changed the title Synapse allows too many characters in the signature key id Synapse allows invalid characters in the signature key id Sep 17, 2020
@richvdh richvdh added the A-Validation 500 (mostly) errors due to lack of event/parameter validation label Sep 24, 2020
@DMRobertson DMRobertson added S-Minor Blocks non-critical functionality, workarounds exist. S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. Z-Cleanup Things we want to get rid of, but aren't actively causing pain and removed z-bug (Deprecated Label) z-p2 (Deprecated Label) labels Aug 25, 2022
@DMRobertson
Contributor

Related: matrix-org/matrix-spec-proposals#1597 proposes a formal grammar (which I think is slightly wider).
