diff options
author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2019-09-20 10:46:59 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-20 10:46:59 +0100 |
commit | aeb40f355c8590855eeca05b49bfff2b91faa85b (patch) | |
tree | c2b0fa901f47dd6daa8bddb76601a4af4600d5e4 | |
parent | Drop support for bind param on POST /account/3pid (MSC2290) (#6067) (diff) | |
download | synapse-aeb40f355c8590855eeca05b49bfff2b91faa85b.tar.xz |
Ensure email validation link parameters are URL-encoded (#6063)
The validation links sent via email had their query parameters inserted without any URL-encoding. Surprisingly this didn't seem to cause any issues, but if a user were to put a `/` in their client_secret it could lead to problems.
Diffstat (limited to '')
-rw-r--r-- | changelog.d/6063.bugfix | 1 | ||||
-rw-r--r-- | synapse/push/mailer.py | 10 |
2 files changed, 7 insertions, 4 deletions
diff --git a/changelog.d/6063.bugfix b/changelog.d/6063.bugfix new file mode 100644 index 0000000000..7485e32a2c --- /dev/null +++ b/changelog.d/6063.bugfix @@ -0,0 +1 @@ +Ensure query parameters in email validation links are URL-encoded. \ No newline at end of file diff --git a/synapse/push/mailer.py b/synapse/push/mailer.py index 3dfd527849..2437235dc4 100644 --- a/synapse/push/mailer.py +++ b/synapse/push/mailer.py @@ -136,10 +136,11 @@ class Mailer(object): group together multiple email sending attempts sid (str): The generated session ID """ + params = {"token": token, "client_secret": client_secret, "sid": sid} link = ( self.hs.config.public_baseurl - + "_matrix/client/unstable/password_reset/email/submit_token" - "?token=%s&client_secret=%s&sid=%s" % (token, client_secret, sid) + + "_matrix/client/unstable/password_reset/email/submit_token?%s" + % urllib.parse.urlencode(params) ) template_vars = {"link": link} @@ -163,10 +164,11 @@ class Mailer(object): group together multiple email sending attempts sid (str): The generated session ID """ + params = {"token": token, "client_secret": client_secret, "sid": sid} link = ( self.hs.config.public_baseurl - + "_matrix/client/unstable/registration/email/submit_token" - "?token=%s&client_secret=%s&sid=%s" % (token, client_secret, sid) + + "_matrix/client/unstable/registration/email/submit_token?%s" + % urllib.parse.urlencode(params) ) template_vars = {"link": link} |