From 61fb2127295d6af587c4835591285d3cfbcffc20 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Wed, 10 May 2023 14:23:16 -0400 Subject: [PATCH 1/5] Do not error if sending an invalid membership event. --- synapse/event_auth.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/synapse/event_auth.py b/synapse/event_auth.py index 25898b95a570..cbb458609f47 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -1054,9 +1054,14 @@ def _verify_third_party_invite( """ if "third_party_invite" not in event.content: return False - if "signed" not in event.content["third_party_invite"]: + third_party_invite = event.content["third_party_invite"] + if not isinstance(third_party_invite, collections.abc.Mapping): + return False + if "signed" not in third_party_invite: + return False + signed = third_party_invite["signed"] + if not isinstance(signed, collections.abc.Mapping): return False - signed = event.content["third_party_invite"]["signed"] for key in {"mxid", "token"}: if key not in signed: return False From 3c9ec0b25255d92ad6eb5ceeb43707f5d2aa23af Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Wed, 10 May 2023 14:23:32 -0400 Subject: [PATCH 2/5] Remove identity check. --- synapse/event_auth.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/synapse/event_auth.py b/synapse/event_auth.py index cbb458609f47..9dc80f40f128 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -1080,8 +1080,6 @@ def _verify_third_party_invite( if signed["mxid"] != event.state_key: return False - if signed["token"] != token: - return False for public_key_object in get_public_keys(invite_event): public_key = public_key_object["public_key"] From 748e9b60e2091aeb587b34be2cd16e6c4ce7d269 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Wed, 10 May 2023 14:25:28 -0400 Subject: [PATCH 3/5] Newsfragment --- changelog.d/15564.bugfix | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/15564.bugfix diff --git a/changelog.d/15564.bugfix b/changelog.d/15564.bugfix new file mode 100644 index 000000000000..667114ba421f --- /dev/null +++ b/changelog.d/15564.bugfix @@ -0,0 +1 @@ +Fix a long-standing bug where an invalid membership event could cause an internal server error. From c07565734609698386a1493dd459582d32e495df Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Fri, 12 May 2023 09:53:19 -0400 Subject: [PATCH 4/5] Fix type hint. --- synapse/event_auth.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/synapse/event_auth.py b/synapse/event_auth.py index 9dc80f40f128..a25e94254284 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -1091,7 +1091,9 @@ def _verify_third_party_invite( verify_key = decode_verify_key_bytes( key_name, decode_base64(public_key) ) - verify_signed_json(signed, server, verify_key) + # verify_signed_json incorrectly states it wants a dict, it + # just needs a mapping. + verify_signed_json(signed, server, verify_key) # type: ignore[arg-type] # We got the public key from the invite, so we know that the # correct server signed the signed bundle. From 45b0bbf89d8722ced60127809e24c70ef6309fa1 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Mon, 15 May 2023 11:05:26 -0400 Subject: [PATCH 5/5] Also check for signatures. --- synapse/event_auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/event_auth.py b/synapse/event_auth.py index a25e94254284..b4b43ec4d720 100644 --- a/synapse/event_auth.py +++ b/synapse/event_auth.py @@ -1062,7 +1062,7 @@ def _verify_third_party_invite( signed = third_party_invite["signed"] if not isinstance(signed, collections.abc.Mapping): return False - for key in {"mxid", "token"}: + for key in {"mxid", "token", "signatures"}: if key not in signed: return False