diff options
| author | Richard van der Hoff <richard@matrix.org> | 2018-08-02 15:40:44 +0100 |
|---|---|---|
| committer | Richard van der Hoff <richard@matrix.org> | 2018-08-02 15:40:44 +0100 |
| commit | 43ecfe0b1028fea5e4dda197f5631aed67182ee6 (patch) | |
| tree | 46e83aa83aa98e2729a2b455bbb5555d35ff1888 /synapse/storage | |
| parent | Merge pull request #3594 from matrix-org/richvdh-patch-1 (diff) | |
| parent | changelog: this is a security release (diff) | |
| download | synapse-43ecfe0b1028fea5e4dda197f5631aed67182ee6.tar.xz | |
Merge tag 'v0.33.1'
Synapse 0.33.1 (2018-08-02) =========================== SECURITY FIXES -------------- - Fix a potential issue where servers could request events for rooms they have not joined. (`#3641 <https://github.com/matrix-org/synapse/issues/3641>`_) - Fix a potential issue where users could see events in private rooms before they joined. (`#3642 <https://github.com/matrix-org/synapse/issues/3642>`_)
Diffstat (limited to 'synapse/storage')
| -rw-r--r-- | synapse/storage/event_federation.py | 1 | ||||
| -rw-r--r-- | synapse/storage/events_worker.py | 20 |
2 files changed, 15 insertions, 6 deletions
diff --git a/synapse/storage/event_federation.py b/synapse/storage/event_federation.py index 8d366d1b91..7cd77c1c29 100644 --- a/synapse/storage/event_federation.py +++ b/synapse/storage/event_federation.py @@ -343,6 +343,7 @@ class EventFederationWorkerStore(EventsWorkerStore, SignatureWorkerStore, table="events", keyvalues={ "event_id": event_id, + "room_id": room_id, }, retcol="depth", allow_none=True, diff --git a/synapse/storage/events_worker.py b/synapse/storage/events_worker.py index 67433606c6..6b8a8e908f 100644 --- a/synapse/storage/events_worker.py +++ b/synapse/storage/events_worker.py @@ -19,7 +19,7 @@ from canonicaljson import json from twisted.internet import defer -from synapse.api.errors import SynapseError +from synapse.api.errors import NotFoundError # these are only included to make the type annotations work from synapse.events import EventBase # noqa: F401 from synapse.events import FrozenEvent @@ -76,7 +76,7 @@ class EventsWorkerStore(SQLBaseStore): @defer.inlineCallbacks def get_event(self, event_id, check_redacted=True, get_prev_content=False, allow_rejected=False, - allow_none=False): + allow_none=False, check_room_id=None): """Get an event from the database by event_id. Args: @@ -87,7 +87,9 @@ class EventsWorkerStore(SQLBaseStore): include the previous states content in the unsigned field. allow_rejected (bool): If True return rejected events. allow_none (bool): If True, return None if no event found, if - False throw an exception. + False throw a NotFoundError + check_room_id (str|None): if not None, check the room of the found event. + If there is a mismatch, behave as per allow_none. Returns: Deferred : A FrozenEvent. @@ -99,10 +101,16 @@ class EventsWorkerStore(SQLBaseStore): allow_rejected=allow_rejected, ) - if not events and not allow_none: - raise SynapseError(404, "Could not find event %s" % (event_id,)) + event = events[0] if events else None - defer.returnValue(events[0] if events else None) + if event is not None and check_room_id is not None: + if event.room_id != check_room_id: + event = None + + if event is None and not allow_none: + raise NotFoundError("Could not find event %s" % (event_id,)) + + defer.returnValue(event) @defer.inlineCallbacks def get_events(self, event_ids, check_redacted=True, |