Diffstat (limited to 'synapse/rest')
-rw-r--r--synapse/rest/client/v1/register.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/rest/client/v1/register.py b/synapse/rest/client/v1/register.py
index 83872f5f60..ce7099b18f 100644
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@@ -327,6 +327,12 @@ class RegisterRestServlet(ClientV1RestServlet):
         password = register_json["password"].encode("utf-8")
         admin = register_json.get("admin", None)
 
+        # Its important to check as we use null bytes as HMAC field separators
+        if "\x00" in user:
+            raise SynapseError(400, "Invalid user")
+        if "\x00" in password:
+            raise SynapseError(400, "Invalid password")
+
         # str() because otherwise hmac complains that 'unicode' does not
         # have the buffer interface
         got_mac = str(register_json["mac"])
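Review bot: The two added checks test a text literal against byte strings: `password` is `.encode("utf-8")`-ed on the context line above, and `user` is presumably encoded the same way outside the hunk. That works on Python 2 but would raise `TypeError` on Python 3, so `if b"\x00" in password:` (and likewise for `user`) is more explicit and behaves the same on both. The comment could also say why the separator matters, e.g. `# Null bytes delimit the fields fed to the HMAC; a null byte inside a field would let different (user, password) pairs produce the same MAC input.` The HMAC construction and the start and end of the method are outside the hunk, so whether `admin` needs similar care cannot be judged from here.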