authorPatrick Cloke <clokep@users.noreply.github.com>2021-09-28 08:44:19 -0400
committerGitHub <noreply@github.com>2021-09-28 08:44:19 -0400
commitc3ccad7785cd71372673136f329d5fa098ab9f04 (patch)
tree64fd0b11295621940cfcac286a9b30b64d16f2da
parentFix debian package builds. (#10931) (diff)
downloadsynapse-c3ccad7785cd71372673136f329d5fa098ab9f04.tar.xz
Only do restricted join rules signature checks for room versions 8/9. (#10927)
Otherwise the presence of a (bogus, unused) field could cause
auth checks to fail.
-rw-r--r--changelog.d/10927.bugfix1
-rw-r--r--synapse/event_auth.py3
2 files changed, 3 insertions, 1 deletions
diff --git a/changelog.d/10927.bugfix b/changelog.d/10927.bugfix
new file mode 100644

index 0000000000..fd24288c54
--- /dev/null
+++ b/changelog.d/10927.bugfix
@@ -0,0 +1 @@
+Fix a bug introduced in Synapse v1.40.0 where the signature checks for room version 8/9 could be applied to earlier room versions in some situations.
diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index fc50a0e71a..5d7c6fa858 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -113,7 +113,8 @@ def check(
 raise AuthError(403, "Event not signed by sending server")
 is_invite_via_allow_rule = (
- event.type == EventTypes.Member
+ room_version_obj.msc3083_join_rules
+ and event.type == EventTypes.Member
 and event.membership == Membership.JOIN
 and "join_authorised_via_users_server" in event.content
 )
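Review bot: The new `room_version_obj.msc3083_join_rules` guard on `is_invite_via_allow_rule` has no comment explaining why it is there, and the diffstat shows only the changelog and this file, so no regression test pins it. `event.content` is presumably supplied by the sending server, so if a later refactor drops the guard, a stray `join_authorised_via_users_server` key in an older room version would again trigger the restricted-join signature check. I would add `# Restricted joins only exist in room versions with msc3083_join_rules; ignore the field in any other version.` above the assignment, plus a test asserting that a join event carrying that key in a pre-v8 room still passes auth. The code in `check` that consumes `is_invite_via_allow_rule` lies outside the hunk, so whether it validates the type of the field's value before use cannot be confirmed from here.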