Validate the server name for the /publicRooms endpoint. (#9161)

If a remote server name is provided, ensure it is something reasonable before making remote connections to it.
author: Patrick Cloke <clokep@users.noreply.github.com> 2021-01-19 14:21:59 -0500
committer: GitHub <noreply@github.com> 2021-01-19 14:21:59 -0500
commit: 47d48a5853f3fadd90ace757e4e664097932640a (patch)
tree: 7e7c7524050ea4cd8b409525add7ce8706a8874f /synapse/rest
parent: Replace 'perspectives' config block with 'trusted_key_servers' in docker home... (diff)
download: synapse-47d48a5853f3fadd90ace757e4e664097932640a.tar.xz
1 files changed, 17 insertions, 2 deletions
diff --git a/synapse/rest/client/v1/room.py b/synapse/rest/client/v1/room.py
index 5647e8c577..e6725b03b0 100644
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@@ -32,6 +32,7 @@ from synapse.api.errors import (
 )
 from synapse.api.filtering import Filter
 from synapse.events.utils import format_event_for_client_v2
+from synapse.http.endpoint import parse_and_validate_server_name
 from synapse.http.servlet import (
     RestServlet,
     assert_params_in_dict,
@@ -347,8 +348,6 @@ class PublicRoomListRestServlet(TransactionRestServlet):
             # provided.
             if server:
                 raise e
-            else:
-                pass
 
         limit = parse_integer(request, "limit", 0)
         since_token = parse_string(request, "since", None)
@@ -359,6 +358,14 @@ class PublicRoomListRestServlet(TransactionRestServlet):
 
         handler = self.hs.get_room_list_handler()
         if server and server != self.hs.config.server_name:
+            # Ensure the server is valid.
+            try:
+                parse_and_validate_server_name(server)
+            except ValueError:
+                raise SynapseError(
+                    400, "Invalid server name: %s" % (server,), Codes.INVALID_PARAM,
+                )
+
             try:
                 data = await handler.get_remote_public_room_list(
                     server, limit=limit, since_token=since_token
@@ -402,6 +409,14 @@ class PublicRoomListRestServlet(TransactionRestServlet):
 
         handler = self.hs.get_room_list_handler()
         if server and server != self.hs.config.server_name:
+            # Ensure the server is valid.
+            try:
+                parse_and_validate_server_name(server)
+            except ValueError:
+                raise SynapseError(
+                    400, "Invalid server name: %s" % (server,), Codes.INVALID_PARAM,
+                )
+
             try:
                 data = await handler.get_remote_public_room_list(
                     server,
author	Patrick Cloke <clokep@users.noreply.github.com>	2021-01-19 14:21:59 -0500
committer	GitHub <noreply@github.com>	2021-01-19 14:21:59 -0500
commit	47d48a5853f3fadd90ace757e4e664097932640a (patch)
tree	7e7c7524050ea4cd8b409525add7ce8706a8874f /synapse/rest
parent	Replace 'perspectives' config block with 'trusted_key_servers' in docker home... (diff)
download	synapse-47d48a5853f3fadd90ace757e4e664097932640a.tar.xz