diff options
author | Richard van der Hoff <richard@matrix.org> | 2020-10-13 22:02:41 +0100 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2020-10-13 23:24:50 +0100 |
commit | 898196f1cca419c0d2b60529c86ddff3cea83072 (patch) | |
tree | 83685785d64861d6d227e0e5b6db6ef1e20f0332 /synapse | |
parent | Allow ThirdPartyRules modules to replace event content (diff) | |
download | synapse-898196f1cca419c0d2b60529c86ddff3cea83072.tar.xz |
guard against accidental modification
Diffstat (limited to '')
-rw-r--r-- | synapse/events/__init__.py | 6 | ||||
-rw-r--r-- | synapse/events/third_party_rules.py | 7 |
2 files changed, 10 insertions, 3 deletions
diff --git a/synapse/events/__init__.py b/synapse/events/__init__.py index 7a51d0a22f..65df62107f 100644 --- a/synapse/events/__init__.py +++ b/synapse/events/__init__.py @@ -312,6 +312,12 @@ class EventBase(metaclass=abc.ABCMeta): """ return [e for e, _ in self.auth_events] + def freeze(self): + """'Freeze' the event dict, so it cannot be modified by accident""" + + # this will be a no-op if the event dict is already frozen. + self._dict = freeze(self._dict) + class FrozenEvent(EventBase): format_version = EventFormatVersions.V1 # All events of this type are V1 diff --git a/synapse/events/third_party_rules.py b/synapse/events/third_party_rules.py index a9aabe00df..77fbd3f68a 100644 --- a/synapse/events/third_party_rules.py +++ b/synapse/events/third_party_rules.py @@ -69,9 +69,10 @@ class ThirdPartyEventRules: events = await self.store.get_events(prev_state_ids.values()) state_events = {(ev.type, ev.state_key): ev for ev in events.values()} - # The module can modify the event slightly if it wants, but caution should be - # exercised, and it's likely to go very wrong if applied to events received over - # federation. + # Ensure that the event is frozen, to make sure that the module is not tempted + # to try to modify it. Any attempt to modify it at this point will invalidate + # the hashes and signatures. + event.freeze() return await self.third_party_rules.check_event_allowed(event, state_events) |