diff options
author | David Robertson <davidr@element.io> | 2021-10-05 18:35:25 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-05 18:35:25 +0100 |
commit | 4f00432ce1a5571dd43f9ddc3ae128c58ae4d063 (patch) | |
tree | c792bee6b6bf9080ad59cd9c24a9579575eef56d /synapse/static | |
parent | Fix logic flaw preventing tracking of MSC2716 events in existing room version... (diff) | |
download | synapse-4f00432ce1a5571dd43f9ddc3ae128c58ae4d063.tar.xz |
Fix potential leak of per-room profiles when the user dir is rebuilt. (#10981)
There are two steps to rebuilding the user directory: 1. a scan over rooms, followed by 2. a scan over local users. The former reads avatars and display names from the `room_memberships` table and therefore contains potentially private avatars and display names. The latter reads from the the `profiles` table which only contains public data; moreover it will overwrite any private profiles that the rooms scan may have written to the user directory. This means that the rebuild could leak private user while the rebuild was in progress, only to later cover up the leaks once the rebuild had completed. This change skips over local users when writing user_directory rows when scanning rooms. Doing so means that it'll take longer for a rebuild to make local users searchable, which is unfortunate. I think a future PR can improve this by swapping the order of the two steps above. (And indeed there's more to do here, e.g. copying from `profiles` without going via Python.) Small tidy-ups while I'm here: * Remove duplicated code from test_initial. This was meant to be pulled into `purge_and_rebuild_user_dir`. * Move `is_public` before updating sharing tables. No functional change; it's still before the first read of `is_public`. * Don't bother creating a set from dict keys. Slightly nicer and makes the code simpler. Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Diffstat (limited to 'synapse/static')
0 files changed, 0 insertions, 0 deletions