diff options
| author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2020-08-18 14:14:27 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-08-18 14:14:27 +0100 |
| commit | 5cf7c1299541d4b5ca5b3ac547a300a87465c7e5 (patch) | |
| tree | a03a9d2728e2aa0fbfe9a9a03165fab8d23f21a3 | |
| parent | Rename changelog from bugfix to misc. (diff) | |
| download | synapse-5cf7c1299541d4b5ca5b3ac547a300a87465c7e5.tar.xz | |
Remove : from allowed client_secret chars (#8101)
Closes: https://github.com/matrix-org/synapse/issues/6766 Equivalent Sydent PR: https://github.com/matrix-org/sydent/pull/309 I believe it's now time to remove the extra allowed `:` from `client_secret` parameters.
| -rw-r--r-- | CHANGES.md | 14 | ||||
| -rw-r--r-- | changelog.d/8101.bugfix | 1 | ||||
| -rw-r--r-- | synapse/util/stringutils.py | 4 | ||||
| -rw-r--r-- | tests/util/test_stringutils.py | 3 |
4 files changed, 16 insertions, 6 deletions
diff --git a/CHANGES.md b/CHANGES.md index d4cc179489..c1b8673c04 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,17 @@ +For the next release +==================== + +Removal warning +--------------- + +Some older clients used a +[disallowed character](https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-register-email-requesttoken) +(`:`) in the `client_secret` parameter of various endpoints. The incorrect +behaviour was allowed for backwards compatibility, but is now being removed +from Synapse as most users have updated their client. Further context can be +found at [\#6766](https://github.com/matrix-org/synapse/issues/6766). + + Synapse 1.19.0 (2020-08-17) =========================== diff --git a/changelog.d/8101.bugfix b/changelog.d/8101.bugfix new file mode 100644 index 0000000000..703bba4234 --- /dev/null +++ b/changelog.d/8101.bugfix @@ -0,0 +1 @@ +Synapse now correctly enforces the valid characters in the `client_secret` parameter used in various endpoints. diff --git a/synapse/util/stringutils.py b/synapse/util/stringutils.py index 2e2b40a426..61d96a6c28 100644 --- a/synapse/util/stringutils.py +++ b/synapse/util/stringutils.py @@ -24,9 +24,7 @@ from synapse.api.errors import Codes, SynapseError _string_with_symbols = string.digits + string.ascii_letters + ".,;:^&*-_+=#~@" # https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-register-email-requesttoken -# Note: The : character is allowed here for older clients, but will be removed in a -# future release. Context: https://github.com/matrix-org/synapse/issues/6766 -client_secret_regex = re.compile(r"^[0-9a-zA-Z\.\=\_\-\:]+$") +client_secret_regex = re.compile(r"^[0-9a-zA-Z\.\=\_\-]+$") # random_string and random_string_with_symbols are used for a range of things, # some cryptographically important, some less so. We use SystemRandom to make sure diff --git a/tests/util/test_stringutils.py b/tests/util/test_stringutils.py index 4f4da29a98..8491f7cc83 100644 --- a/tests/util/test_stringutils.py +++ b/tests/util/test_stringutils.py @@ -28,9 +28,6 @@ class StringUtilsTestCase(unittest.TestCase): "_--something==_", "...--==-18913", "8Dj2odd-e9asd.cd==_--ddas-secret-", - # We temporarily allow : characters: https://github.com/matrix-org/synapse/issues/6766 - # To be removed in a future release - "SECRET:1234567890", ] bad = [ |