diff options
author | Richard van der Hoff <richard@matrix.org> | 2018-08-02 15:40:44 +0100 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2018-08-02 15:40:44 +0100 |
commit | 43ecfe0b1028fea5e4dda197f5631aed67182ee6 (patch) | |
tree | 46e83aa83aa98e2729a2b455bbb5555d35ff1888 /synapse/rest/client | |
parent | Merge pull request #3594 from matrix-org/richvdh-patch-1 (diff) | |
parent | changelog: this is a security release (diff) | |
download | synapse-43ecfe0b1028fea5e4dda197f5631aed67182ee6.tar.xz |
Merge tag 'v0.33.1'
Synapse 0.33.1 (2018-08-02) =========================== SECURITY FIXES -------------- - Fix a potential issue where servers could request events for rooms they have not joined. (`#3641 <https://github.com/matrix-org/synapse/issues/3641>`_) - Fix a potential issue where users could see events in private rooms before they joined. (`#3642 <https://github.com/matrix-org/synapse/issues/3642>`_)
Diffstat (limited to 'synapse/rest/client')
-rw-r--r-- | synapse/rest/client/v1/events.py | 2 | ||||
-rw-r--r-- | synapse/rest/client/v1/room.py | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/synapse/rest/client/v1/events.py b/synapse/rest/client/v1/events.py index b70c9c2806..0f3a2e8b51 100644 --- a/synapse/rest/client/v1/events.py +++ b/synapse/rest/client/v1/events.py @@ -88,7 +88,7 @@ class EventRestServlet(ClientV1RestServlet): @defer.inlineCallbacks def on_GET(self, request, event_id): requester = yield self.auth.get_user_by_req(request) - event = yield self.event_handler.get_event(requester.user, event_id) + event = yield self.event_handler.get_event(requester.user, None, event_id) time_now = self.clock.time_msec() if event: diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py index 3d62447854..2a679ac830 100644 --- a/synapse/rest/client/v1/room.py +++ b/synapse/rest/client/v1/room.py @@ -508,7 +508,7 @@ class RoomEventServlet(ClientV1RestServlet): @defer.inlineCallbacks def on_GET(self, request, room_id, event_id): requester = yield self.auth.get_user_by_req(request) - event = yield self.event_handler.get_event(requester.user, event_id) + event = yield self.event_handler.get_event(requester.user, room_id, event_id) time_now = self.clock.time_msec() if event: |