diff options
author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2024-06-19 10:05:39 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-19 10:05:39 +0100 |
commit | afaf2d9388f7012d0500932dad0af4bdb8d40d20 (patch) | |
tree | 621d39333de8ad990945a1fe5cd40a635bafa03a /synapse/rest/client | |
parent | Revert "Support MSC3916 by adding a federation `/download` endpoint" (#17325) (diff) | |
download | synapse-afaf2d9388f7012d0500932dad0af4bdb8d40d20.tar.xz |
Require the 'from' parameter for `/notifications` be an integer (#17283)
Co-authored-by: Erik Johnston <erikj@element.io>
Diffstat (limited to 'synapse/rest/client')
-rw-r--r-- | synapse/rest/client/notifications.py | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/synapse/rest/client/notifications.py b/synapse/rest/client/notifications.py index be9b584748..168ce50d3f 100644 --- a/synapse/rest/client/notifications.py +++ b/synapse/rest/client/notifications.py @@ -32,6 +32,7 @@ from synapse.http.servlet import RestServlet, parse_integer, parse_string from synapse.http.site import SynapseRequest from synapse.types import JsonDict +from ...api.errors import SynapseError from ._base import client_patterns if TYPE_CHECKING: @@ -56,7 +57,22 @@ class NotificationsServlet(RestServlet): requester = await self.auth.get_user_by_req(request) user_id = requester.user.to_string() - from_token = parse_string(request, "from", required=False) + # While this is intended to be "string" to clients, the 'from' token + # is actually based on a numeric ID. So it must parse to an int. + from_token_str = parse_string(request, "from", required=False) + if from_token_str is not None: + # Parse to an integer. + try: + from_token = int(from_token_str) + except ValueError: + # If it doesn't parse to an integer, then this cannot possibly be a valid + # pagination token, as we only hand out integers. + raise SynapseError( + 400, 'Query parameter "from" contains unrecognised token' + ) + else: + from_token = None + limit = parse_integer(request, "limit", default=50) only = parse_string(request, "only", required=False) |