From 3a5b0cbe7ade000245695ec97c13ab5cb3565dc2 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Tue, 5 Oct 2021 13:23:29 +0100 Subject: Ensure that we reject events which use rejected events for auth (#10956) When we consider whether to accept events, we should not accept those which depend on rejected events for their auth events. This (together with earlier changes such as https://github.com/matrix-org/synapse/pull/10771 and https://github.com/matrix-org/synapse/pull/10896) forms a partial fix to https://github.com/matrix-org/synapse/issues/9595. There still remain code paths where we do not check the `auth_events` at all. --- synapse/event_auth.py | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'synapse') diff --git a/synapse/event_auth.py b/synapse/event_auth.py index 7a1adc2750..ca0293a3dc 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -155,6 +155,12 @@ def check_auth_rules_for_event( "which is in room %s" % (event.event_id, room_id, auth_event.event_id, auth_event.room_id), ) + if auth_event.rejected_reason: + raise AuthError( + 403, + "During auth for event %s: found rejected event %s in the state" + % (event.event_id, auth_event.event_id), + ) # Implementation of https://matrix.org/docs/spec/rooms/v1#authorization-rules # -- cgit 1.4.1