Validate client_secret parameter (#6767)

author: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> 2020-01-24 14:28:40 +0000
committer: GitHub <noreply@github.com> 2020-01-24 14:28:40 +0000
commit: 9f7aaf90b5ef76416852f35201a851d45eccc0a1 (patch)
tree: 642300537a9e9ea2d61000318c5fddbb1f378785 /synapse/rest/client/v2_alpha/register.py
parent: Make 'event.redacts' never raise. (#6771) (diff)
download: synapse-9f7aaf90b5ef76416852f35201a851d45eccc0a1.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py
index 1bda9aec7e..a09189b1b4 100644
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@@ -49,6 +49,7 @@ from synapse.http.servlet import (
 from synapse.push.mailer import load_jinja2_templates
 from synapse.util.msisdn import phone_number_to_msisdn
 from synapse.util.ratelimitutils import FederationRateLimiter
+from synapse.util.stringutils import assert_valid_client_secret
 from synapse.util.threepids import check_3pid_allowed
 
 from ._base import client_patterns, interactive_auth_handler
@@ -116,6 +117,8 @@ class EmailRegisterRequestTokenRestServlet(RestServlet):
 
         # Extract params from body
         client_secret = body["client_secret"]
+        assert_valid_client_secret(client_secret)
+
         email = body["email"]
         send_attempt = body["send_attempt"]
         next_link = body.get("next_link")  # Optional param
author	Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2020-01-24 14:28:40 +0000
committer	GitHub <noreply@github.com>	2020-01-24 14:28:40 +0000
commit	9f7aaf90b5ef76416852f35201a851d45eccc0a1 (patch)
tree	642300537a9e9ea2d61000318c5fddbb1f378785 /synapse/rest/client/v2_alpha/register.py
parent	Make 'event.redacts' never raise. (#6771) (diff)
download	synapse-9f7aaf90b5ef76416852f35201a851d45eccc0a1.tar.xz