summary refs log tree commit diff
diff options
context:
space:
mode:
authorErik Johnston <erikj@jki.re>2016-09-08 15:17:24 +0100
committerGitHub <noreply@github.com>2016-09-08 15:17:24 +0100
commitd987353840444967b29b8a94242c1613ab8914e8 (patch)
tree93b3d737d39697dacd43e222b2dab7d899d432b4
parentMerge pull request #1074 from matrix-org/markjh/direct_to_device_federation (diff)
parentCheck the user_id for presence/typing matches origin (diff)
downloadsynapse-d987353840444967b29b8a94242c1613ab8914e8.tar.xz
Merge pull request #1083 from matrix-org/erikj/check_origin
Check the user_id for presence/typing matches origin
-rw-r--r--synapse/handlers/presence.py7
-rw-r--r--synapse/handlers/typing.py9
2 files changed, 15 insertions, 1 deletions
diff --git a/synapse/handlers/presence.py b/synapse/handlers/presence.py
index da9f0da69e..7a3c16a8aa 100644
--- a/synapse/handlers/presence.py
+++ b/synapse/handlers/presence.py
@@ -651,6 +651,13 @@ class PresenceHandler(object):
                 )
                 continue
 
+            if get_domain_from_id(user_id) != origin:
+                logger.info(
+                    "Got presence update from %r with bad 'user_id': %r",
+                    origin, user_id,
+                )
+                continue
+
             presence_state = push.get("presence", None)
             if not presence_state:
                 logger.info(
diff --git a/synapse/handlers/typing.py b/synapse/handlers/typing.py
index 0b530b9034..3b687957dd 100644
--- a/synapse/handlers/typing.py
+++ b/synapse/handlers/typing.py
@@ -199,7 +199,14 @@ class TypingHandler(object):
         user_id = content["user_id"]
 
         # Check that the string is a valid user id
-        UserID.from_string(user_id)
+        user = UserID.from_string(user_id)
+
+        if user.domain != origin:
+            logger.info(
+                "Got typing update from %r with bad 'user_id': %r",
+                origin, user_id,
+            )
+            return
 
         users = yield self.state.get_current_user_in_room(room_id)
         domains = set(get_domain_from_id(u) for u in users)