authorAndrew Morgan <andrew@amorgan.xyz>2020-06-10 17:24:43 +0100
committerAndrew Morgan <andrew@amorgan.xyz>2020-06-10 17:26:48 +0100
commitcde3bda815c43494b0b824191fbe84ec86c7cbc0 (patch)
tree1a65220b47280bc8a5fd84f8feb2fabcfbc69298 /synapse/rest/client/v2_alpha/account.py
parentMerge branch 'release-v1.13.0' of github.com:matrix-org/synapse into dinsic-r... (diff)
parentFix typo in PR link (diff)
downloadsynapse-cde3bda815c43494b0b824191fbe84ec86c7cbc0.tar.xz
Merge branch 'release-v1.14.0' of github.com:matrix-org/synapse into dinsic-release-v1.14.x
* 'release-v1.14.0' of github.com:matrix-org/synapse: (108 commits)
  Fix typo in PR link
  Update debian changelog
  1.14.0
  Improve changelog wording
  1.14.0rc2
  Fix sample config docs error (#7581)
  Fix up comments
  Fix specifying cache factors via env vars with * in name. (#7580)
  Don't apply cache factor to event cache. (#7578)
  Ensure ReplicationStreamer is always started when replication enabled. (#7579)
  Remove the changes to the debian changelog
  Not full release yet, this is rc1
  Merge event persistence move changelog entries
  More changelog fix
  Changelog fixes
  1.14.0
  Replace device_27_unique_idx bg update with a fg one (#7562)
  Fix incorrect exception handling in KeyUploadServlet.on_POST (#7563)
  Fix recording of federation stream token (#7564)
  Simplify reap_monthly_active_users (#7558)
  ...
Diffstat (limited to 'synapse/rest/client/v2_alpha/account.py')
-rw-r--r--synapse/rest/client/v2_alpha/account.py21
1 files changed, 18 insertions, 3 deletions
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 61c42d0ed6..8d081718e3 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -224,6 +224,7 @@ class PasswordRestServlet(RestServlet):
         self.auth = hs.get_auth()
         self.auth_handler = hs.get_auth_handler()
         self.datastore = self.hs.get_datastore()
+        self.password_policy_handler = hs.get_password_policy_handler()
         self._set_password_handler = hs.get_set_password_handler()
         self.http_client = hs.get_simple_http_client()
 
@@ -231,6 +232,20 @@ class PasswordRestServlet(RestServlet):
     async def on_POST(self, request):
         body = parse_json_object_from_request(request)
 
+        # we do basic sanity checks here because the auth layer will store these
+        # in sessions. Pull out the new password provided to us.
+        if "new_password" in body:
+            new_password = body.pop("new_password")
+            if not isinstance(new_password, str) or len(new_password) > 512:
+                raise SynapseError(400, "Invalid password")
+            self.password_policy_handler.validate_password(new_password)
+
+            # If the password is valid, hash it and store it back on the body.
+            # This ensures that only the hashed password is handled everywhere.
+            if "new_password_hash" in body:
+                raise SynapseError(400, "Unexpected property: new_password_hash")
+            body["new_password_hash"] = await self.auth_handler.hash(new_password)
+
         # there are two possibilities here. Either the user does not have an
         # access token, and needs to do a password reset; or they have one and
         # need to validate their identity.
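Review bot: The `new_password_hash` rejection sits inside the `if "new_password" in body:` branch, so a request that carries only `new_password_hash` is never checked here. If `params` in the later hunk (`params["new_password_hash"]`) is built from the client body (the auth flow between the two hunks is not visible), a client-chosen value would reach `set_password` without the type/length check, `validate_password` or `hash()`. Hoist the guard above the branch so it always runs: `if "new_password_hash" in body: raise SynapseError(400, "Unexpected property: new_password_hash")`. on_POST continues outside this hunk.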
@@ -285,12 +300,12 @@ class PasswordRestServlet(RestServlet):
                 logger.error("Auth succeeded but no known type! %r", result.keys())
                 raise SynapseError(500, "", Codes.UNKNOWN)
 
-        assert_params_in_dict(params, ["new_password"])
-        new_password = params["new_password"]
+        assert_params_in_dict(params, ["new_password_hash"])
+        new_password_hash = params["new_password_hash"]
         logout_devices = params.get("logout_devices", True)
 
         await self._set_password_handler.set_password(
-            user_id, new_password, logout_devices, requester
+            user_id, new_password_hash, logout_devices, requester
         )
 
         if self.hs.config.shadow_server:
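Review bot: `assert_params_in_dict(params, ["new_password_hash"])` now checks for a key that clients are not meant to send, so a request that omits `new_password` is presumably answered with a missing-parameter error naming `new_password_hash` (the helper's message format is not shown here). Report the client-facing name instead, e.g. `if "new_password_hash" not in params: raise SynapseError(400, "Missing params: ['new_password']", Codes.MISSING_PARAM)`. The enclosing on_POST starts and ends outside the hunk.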