Parse the ID given to /invite|ban|kick to make sure it looks like a user ID.

author: Kegan Dougal <kegan@matrix.org> 2015-07-20 13:55:19 +0100
committer: Kegan Dougal <kegan@matrix.org> 2015-07-20 13:55:19 +0100
commit: b6ee0585bd0329e1841196b8e8a893630e1850d6 (patch)
tree: ff4f0d2ecb2d930e7feb1145dc70ed53f5c5e27e /synapse/rest/client/v1
parent: Up default cache size for _RoomStreamChangeCache (diff)
download: synapse-b6ee0585bd0329e1841196b8e8a893630e1850d6.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 0346afb1b4..639795df28 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -412,6 +412,8 @@ class RoomMembershipRestServlet(ClientV1RestServlet):
             if "user_id" not in content:
                 raise SynapseError(400, "Missing user_id key.")
             state_key = content["user_id"]
+            # make sure it looks like a user ID; it'll throw if it's invalid.
+            UserID.from_string(state_key);
 
             if membership_action == "kick":
                 membership_action = "leave"
author	Kegan Dougal <kegan@matrix.org>	2015-07-20 13:55:19 +0100
committer	Kegan Dougal <kegan@matrix.org>	2015-07-20 13:55:19 +0100
commit	b6ee0585bd0329e1841196b8e8a893630e1850d6 (patch)
tree	ff4f0d2ecb2d930e7feb1145dc70ed53f5c5e27e /synapse/rest/client/v1
parent	Up default cache size for _RoomStreamChangeCache (diff)
download	synapse-b6ee0585bd0329e1841196b8e8a893630e1850d6.tar.xz