From 7a3a55ac98847d7adb0e200378abe07ef8d0c645 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <clokep@users.noreply.github.com>
Date: Tue, 31 Oct 2023 09:58:30 -0400
Subject: Merge pull request from GHSA-mp92-3jfm-3575

---
 synapse/handlers/device.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'synapse/handlers/device.py')

diff --git a/synapse/handlers/device.py b/synapse/handlers/device.py
index 3ce96ef3cb..93472d0117 100644
--- a/synapse/handlers/device.py
+++ b/synapse/handlers/device.py
@@ -328,6 +328,9 @@ class DeviceWorkerHandler:
         return result
 
     async def on_federation_query_user_devices(self, user_id: str) -> JsonDict:
+        if not self.hs.is_mine(UserID.from_string(user_id)):
+            raise SynapseError(400, "User is not hosted on this homeserver")
+
         stream_id, devices = await self.store.get_e2e_device_keys_for_federation_query(
             user_id
         )
-- 
cgit 1.5.1