Improve validation for `send_{join,leave,knock}` (#10225)

The idea here is to stop people sending things that aren't joins/leaves/knocks through these endpoints: previously you could send anything you liked through them. I wasn't able to find any security holes from doing so, but it doesn't sound like a good thing.
author: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> 2021-06-24 15:30:49 +0100
committer: GitHub <noreply@github.com> 2021-06-24 15:30:49 +0100
commit: 6e8fb42be7657f9d4958c02d87cff865225714d2 (patch)
tree: 6f287326b09faae0ec5ced43d4718b92d4b20cf3 /synapse/federation/transport/server.py
parent: MSC2918 Refresh tokens implementation (#9450) (diff)
download: synapse-6e8fb42be7657f9d4958c02d87cff865225714d2.tar.xz
1 files changed, 6 insertions, 6 deletions
diff --git a/synapse/federation/transport/server.py b/synapse/federation/transport/server.py
index bed47f8abd..676fbd3750 100644
--- a/synapse/federation/transport/server.py
+++ b/synapse/federation/transport/server.py
@@ -553,7 +553,7 @@ class FederationV1SendLeaveServlet(BaseFederationServerServlet):
     PATH = "/send_leave/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
 
     async def on_PUT(self, origin, content, query, room_id, event_id):
-        content = await self.handler.on_send_leave_request(origin, content)
+        content = await self.handler.on_send_leave_request(origin, content, room_id)
         return 200, (200, content)
 
 
@@ -563,7 +563,7 @@ class FederationV2SendLeaveServlet(BaseFederationServerServlet):
     PREFIX = FEDERATION_V2_PREFIX
 
     async def on_PUT(self, origin, content, query, room_id, event_id):
-        content = await self.handler.on_send_leave_request(origin, content)
+        content = await self.handler.on_send_leave_request(origin, content, room_id)
         return 200, content
 
 
@@ -602,9 +602,9 @@ class FederationV1SendJoinServlet(BaseFederationServerServlet):
     PATH = "/send_join/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
 
     async def on_PUT(self, origin, content, query, room_id, event_id):
-        # TODO(paul): assert that room_id/event_id parsed from path actually
+        # TODO(paul): assert that event_id parsed from path actually
         #   match those given in content
-        content = await self.handler.on_send_join_request(origin, content)
+        content = await self.handler.on_send_join_request(origin, content, room_id)
         return 200, (200, content)
 
 
@@ -614,9 +614,9 @@ class FederationV2SendJoinServlet(BaseFederationServerServlet):
     PREFIX = FEDERATION_V2_PREFIX
 
     async def on_PUT(self, origin, content, query, room_id, event_id):
-        # TODO(paul): assert that room_id/event_id parsed from path actually
+        # TODO(paul): assert that event_id parsed from path actually
         #   match those given in content
-        content = await self.handler.on_send_join_request(origin, content)
+        content = await self.handler.on_send_join_request(origin, content, room_id)
         return 200, content
author	Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2021-06-24 15:30:49 +0100
committer	GitHub <noreply@github.com>	2021-06-24 15:30:49 +0100
commit	6e8fb42be7657f9d4958c02d87cff865225714d2 (patch)
tree	6f287326b09faae0ec5ced43d4718b92d4b20cf3 /synapse/federation/transport/server.py
parent	MSC2918 Refresh tokens implementation (#9450) (diff)
download	synapse-6e8fb42be7657f9d4958c02d87cff865225714d2.tar.xz