-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
join_authorised_via_users_server is not protected from redactions #3373
Comments
It appears that sending a new join event might partially "fix" it: servers that joined after a new member event was sent (which is not redacted, but doesn't have a note: I haven't looked into what actually happened inside synapse, so "reject" means "user can't see event" |
Only an initial join needs that field, subsequent joins do not need to include it (since |
Well yes, but the initial join was not valid anymore when the new member event was sent. New servers accept the last join event even though they reject the earlier redacted one. |
This feels like a small enough oversight where we can patch it into the v8 spec when that gets written. Some rooms might be affected, but considering it's not even in the spec yet I'm not too worried about them (the fix also seems to be to leave and get rejoined). |
I don't think we can just patch it in because event IDs are based on the redaction algorithm, so if we change the redaction algorithm, servers will disagree about the event IDs for those events. |
oh, good point. |
I did some testing with this:
So this effectively split brains the room. Going through the above with a patch to avoid redacting the Unfortunately I think the only recourse here is to abandon the v8 room version and fix it in another one, unless someone has a more clever solution! |
for links, |
See #3375 for a fix to this. 😢 |
For links: v8 was introduced by #3289 |
Room v8 added
join_authorised_via_users_server
tom.room.member
events to help with authorizing restricted room join events. However, the field isn't protected from redactions, which means the join event will suddenly become invalid (i.e. not pass event auth rules) if it's redacted. At least with synapse, existing servers will still see the member in the room, but any new servers will reject the event and any messages that the user sends.The text was updated successfully, but these errors were encountered: