authorAndrew Morgan <1342360+anoadragon453@users.noreply.github.com>2020-09-29 12:02:21 +0100
committerGitHub <noreply@github.com>2020-09-29 12:02:21 +0100
commit11523b507b3fe4180e62129eb275dbda63fa7fd9 (patch)
tree9bef1500fb64894d37823c3efa0c1015ecb2af9c
parentDon't push if an user account has expired (#58) (diff)
downloadsynapse-11523b507b3fe4180e62129eb275dbda63fa7fd9.tar.xz
Only assert valid next_link params when provided (#65)
Bug introduced in https://github.com/matrix-org/synapse-dinsic/commit/ff91a451b

We were checking whether the `nextLink` param was valid, even if it wasn't provided. In that case, `nextLink` was `None`, which would clearly not be a valid URL.

This would prevent password reset and other operations if `nextLink` was not provided and the `next_link_domain_whitelist` config option was in use.
-rw-r--r--changelog.d/65.bugfix1
-rw-r--r--synapse/rest/client/v2_alpha/account.py15
2 files changed, 10 insertions, 6 deletions
diff --git a/changelog.d/65.bugfix b/changelog.d/65.bugfix
new file mode 100644

index 0000000000..71b498cbc8
--- /dev/null
+++ b/changelog.d/65.bugfix
@@ -0,0 +1 @@
+Fix `nextLink` parameters being checked on validation endpoints even if they weren't provided by the client.
\ No newline at end of file
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 54d2c0e3b9..d4b1ee1e8c 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -111,8 +111,9 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
 Codes.THREEPID_DENIED,
 )
- # Raise if the provided next_link value isn't valid
- assert_valid_next_link(self.hs, next_link)
+ if next_link:
+ # Raise if the provided next_link value isn't valid
+ assert_valid_next_link(self.hs, next_link)
 # The email will be sent to the stored address.
 # This avoids a potential account hijack by requesting a password reset to
@@ -462,8 +463,9 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
 Codes.THREEPID_DENIED,
 )
- # Raise if the provided next_link value isn't valid
- assert_valid_next_link(self.hs, next_link)
+ if next_link:
+ # Raise if the provided next_link value isn't valid
+ assert_valid_next_link(self.hs, next_link)
 existing_user_id = await self.store.get_user_id_by_threepid("email", email)
@@ -533,8 +535,9 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
 Codes.THREEPID_DENIED,
 )
- # Raise if the provided next_link value isn't valid
- assert_valid_next_link(self.hs, next_link)
+ if next_link:
+ # Raise if the provided next_link value isn't valid
+ assert_valid_next_link(self.hs, next_link)
 existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)
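Review bot: The new `if next_link:` guard tests truthiness, so a client-supplied empty-string `nextLink` skips `assert_valid_next_link` as well as an absent one; the same guard appears in all three hunks (EmailPasswordRequestTokenRestServlet, EmailThreepidRequestTokenRestServlet, MsisdnThreepidRequestTokenRestServlet). That is safe only if every later use of `next_link` also treats `""` as absent, which these hunks do not show, so `if next_link is not None:` would match the commit's stated intent more closely and keep the `next_link_domain_whitelist` check applied to every value a client actually sends. The diffstat lists no test file; a regression test with the whitelist configured should cover both an omitted `nextLink` (request succeeds) and a non-whitelisted one (still rejected). Because the guard is repeated at each call site, a future endpoint could omit or invert it; consider handling the `None` case inside `assert_valid_next_link` itself. The enclosing handler methods start and end outside the hunks.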