author | Patrick Cloke <clokep@users.noreply.github.com> | 2021-01-19 14:21:59 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-19 14:21:59 -0500 |
commit | 47d48a5853f3fadd90ace757e4e664097932640a (patch) | |
tree | 7e7c7524050ea4cd8b409525add7ce8706a8874f | |
parent | Replace 'perspectives' config block with 'trusted_key_servers' in docker home... (diff) | |
Validate the server name for the /publicRooms endpoint. (#9161)
If a remote server name is provided, ensure it is something reasonable before making remote connections to it.
-rw-r--r-- | changelog.d/9161.bugfix | 1 | ||||
-rw-r--r-- | synapse/rest/client/v1/room.py | 19 |
2 files changed, 18 insertions, 2 deletions
diff --git a/changelog.d/9161.bugfix b/changelog.d/9161.bugfix
new file mode 100644
index 0000000000..6798126b7c
--- /dev/null
+++ b/changelog.d/9161.bugfix
@@ -0,0 +1 @@
+Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter.
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 5647e8c577..e6725b03b0 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -32,6 +32,7 @@ from synapse.api.errors import (
 )
 from synapse.api.filtering import Filter
 from synapse.events.utils import format_event_for_client_v2
+from synapse.http.endpoint import parse_and_validate_server_name
 from synapse.http.servlet import (
     RestServlet,
     assert_params_in_dict,
@@ -347,8 +348,6 @@ class PublicRoomListRestServlet(TransactionRestServlet):
             # provided.
             if server:
                 raise e
-            else:
-                pass
 
         limit = parse_integer(request, "limit", 0)
         since_token = parse_string(request, "since", None)
@@ -359,6 +358,14 @@ class PublicRoomListRestServlet(TransactionRestServlet):
         handler = self.hs.get_room_list_handler()
 
         if server and server != self.hs.config.server_name:
+            # Ensure the server is valid.
+            try:
+                parse_and_validate_server_name(server)
+            except ValueError:
+                raise SynapseError(
+                    400, "Invalid server name: %s" % (server,), Codes.INVALID_PARAM,
+                )
+
             try:
                 data = await handler.get_remote_public_room_list(
                     server, limit=limit, since_token=since_token
@@ -402,6 +409,14 @@ class PublicRoomListRestServlet(TransactionRestServlet):
         handler = self.hs.get_room_list_handler()
 
         if server and server != self.hs.config.server_name:
+            # Ensure the server is valid.
+            try:
+                parse_and_validate_server_name(server)
+            except ValueError:
+                raise SynapseError(
+                    400, "Invalid server name: %s" % (server,), Codes.INVALID_PARAM,
+                )
+
             try:
                 data = await handler.get_remote_public_room_list(
                     server,
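Review bot: The validation block added in the `@@ -359` hunk is repeated verbatim in the `@@ -402` hunk, so any further handler that accepts a client-supplied `server`, or any later tightening of the check, has to remember to copy it again; factoring it into one module-level helper keeps the "validate before any outbound federation request" rule in a single place. The `raise SynapseError(...)` inside `except ValueError:` also carries the `ValueError` as implicit exception context, which is traceback noise here because the `ValueError` is the expected signal, so `raise SynapseError(...) from None` is the clearer form. Both enclosing request handlers start and end outside their hunks, so only the call site at the branch the hunks touch is shown below.

```python
# … unchanged: module imports …


def _check_remote_server_name(server: str) -> None:
    """Reject a client-supplied `server` before any federation request is made.

    Raises:
        SynapseError: 400 / M_INVALID_PARAM if `server` is not a valid server name.
    """
    try:
        parse_and_validate_server_name(server)
    except ValueError:
        raise SynapseError(
            400, "Invalid server name: %s" % (server,), Codes.INVALID_PARAM,
        ) from None


# … unchanged: PublicRoomListRestServlet up to the remote branch of each handler …
        if server and server != self.hs.config.server_name:
            _check_remote_server_name(server)

            # … unchanged: remote room list fetch …
```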