summary refs log tree commit diff
path: root/synapse/rest/consent
diff options
context:
space:
mode:
authorPatrick Cloke <patrickc@matrix.org>2020-07-02 10:54:29 -0400
committerPatrick Cloke <patrickc@matrix.org>2020-07-02 10:54:29 -0400
commitfedb632d0a22e4bad179a9b48be28a3a552315c9 (patch)
tree9f05e09e55851f8e272a5e1f722472f5aef04050 /synapse/rest/consent
parentUpdate postgres in the Docker compose example to 12-alpine. (#7696) (diff)
parentRemove an extraneous space. (diff)
downloadsynapse-fedb632d0a22e4bad179a9b48be28a3a552315c9.tar.xz
Merge tag 'v1.15.2'
Synapse 1.15.2 (2020-07-02)
===========================

Due to the two security issues highlighted below, server administrators are
encouraged to update Synapse. We are not aware of these vulnerabilities being
exploited in the wild.

Security advisory
-----------------

* A malicious homeserver could force Synapse to reset the state in a room to a
  small subset of the correct state. This affects all Synapse deployments which
  federate with untrusted servers. ([96e9afe6](https://github.com/matrix-org/synapse/commit/96e9afe62500310977dc3cbc99a8d16d3d2fa15c))
* HTML pages served via Synapse were vulnerable to clickjacking attacks. This
  predominantly affects homeservers with single-sign-on enabled, but all server
  administrators are encouraged to upgrade. ([ea26e9a9](https://github.com/matrix-org/synapse/commit/ea26e9a98b0541fc886a1cb826a38352b7599dbe))

  This was reported by [Quentin Gliech](https://sandhose.fr/).
Diffstat (limited to 'synapse/rest/consent')
-rw-r--r--synapse/rest/consent/consent_resource.py10
1 files changed, 3 insertions, 7 deletions
diff --git a/synapse/rest/consent/consent_resource.py b/synapse/rest/consent/consent_resource.py
index 1ddf9997ff..4a20282d1b 100644
--- a/synapse/rest/consent/consent_resource.py
+++ b/synapse/rest/consent/consent_resource.py
@@ -29,7 +29,7 @@ from synapse.api.errors import NotFoundError, StoreError, SynapseError
 from synapse.config import ConfigError
 from synapse.http.server import (
     DirectServeResource,
-    finish_request,
+    respond_with_html,
     wrap_html_request_handler,
 )
 from synapse.http.servlet import parse_string
@@ -197,12 +197,8 @@ class ConsentResource(DirectServeResource):
         template_html = self._jinja_env.get_template(
             path.join(TEMPLATE_LANGUAGE, template_name)
         )
-        html_bytes = template_html.render(**template_args).encode("utf8")
-
-        request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
-        request.setHeader(b"Content-Length", b"%i" % len(html_bytes))
-        request.write(html_bytes)
-        finish_request(request)
+        html = template_html.render(**template_args)
+        respond_with_html(request, 200, html)
 
     def _check_hash(self, userid, userhmac):
         """