This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Check room visibility for /event/ requests #3642

Merged
merged 2 commits into release-v0.33.1 from rav/another_room_id_check
Aug 2, 2018

Conversation

richvdh
Member

@richvdh richvdh commented Aug 2, 2018

Make sure that the user has permission to view the requested event for
/event/{eventId} and /room/{roomId}/event/{eventId} requests.

Also check that the event is in the given room for
/room/{roomId}/event/{eventId}, for sanity.

@richvdh richvdh requested a review from erikjohnston August 2, 2018 14:06
richvdh added a commit to matrix-org/sytest that referenced this pull request Aug 2, 2018
@richvdh richvdh merged commit 50d9d97 into release-v0.33.1 Aug 2, 2018
@richvdh richvdh deleted the rav/another_room_id_check branch August 2, 2018 14:22
richvdh added a commit that referenced this pull request Aug 2, 2018
Synapse 0.33.1 (2018-08-02)
===========================

SECURITY FIXES
--------------

- Fix a potential issue where servers could request events for rooms they have not joined. (`#3641 <https://github.com/matrix-org/synapse/issues/3641>`_)
- Fix a potential issue where users could see events in private rooms before they joined. (`#3642 <https://github.com/matrix-org/synapse/issues/3642>`_)
@richvdh
Member Author

richvdh commented Aug 2, 2018

Some background on this vulnerability:

The /event/{eventId} and /room/{roomId}/event/{eventId} client-server endpoints did not correctly validate whether the requester had permission to view the requested event. It was therefore possible for clients to view events that they did not have permission for, given an event id.
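To make the two checks described in the PR (the room-id match for /room/{roomId}/event/{eventId}, then a per-user visibility filter) concrete, here is a toy model of the pre-fix and post-fix handler behaviour. It is an illustration added to this page, not Synapse's own code: the in-memory Store, the Event and Membership records, the simplified history_visibility rules (only "joined", "shared" and "world_readable" are modelled) and the sample room data are all constructed for this example.

```python
"""Toy model of the /event/{eventId} visibility check (added example, not Synapse code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class NotFound(Exception):
    """Stand-in for a 404 response."""


class Forbidden(Exception):
    """Stand-in for a 403 response."""


@dataclass
class Event:
    event_id: str
    room_id: str
    stream_order: int            # position of the event in the room's timeline
    content: dict = field(default_factory=dict)


@dataclass
class Membership:
    membership: str              # "join", "leave", "invite", ...
    stream_order: int            # timeline position at which this membership took effect


@dataclass
class Store:
    """Constructed in-memory stand-in for the homeserver's datastore."""
    events: Dict[str, Event]
    memberships: Dict[str, Dict[str, List[Membership]]]   # room -> user -> history, oldest first
    history_visibility: Dict[str, str]                    # room -> "joined" | "shared" | "world_readable"

    def get_event(self, event_id: str) -> Optional[Event]:
        return self.events.get(event_id)


def membership_at(store: Store, room_id: str, user_id: str, stream_order: float) -> str:
    """Membership the user held at a given timeline position ('leave' if never joined)."""
    state = "leave"
    for m in store.memberships.get(room_id, {}).get(user_id, []):
        if m.stream_order <= stream_order:
            state = m.membership
    return state


def filter_events_for_client(store: Store, user_id: str, events: List[Event]) -> List[Event]:
    """Keep only the events the user is allowed to see (simplified history_visibility rules)."""
    visible = []
    for ev in events:
        vis = store.history_visibility.get(ev.room_id, "shared")
        then = membership_at(store, ev.room_id, user_id, ev.stream_order)
        now = membership_at(store, ev.room_id, user_id, float("inf"))
        if vis == "world_readable":
            visible.append(ev)                      # anyone may read
        elif vis == "joined" and then == "join":
            visible.append(ev)                      # only events sent while joined
        elif vis == "shared" and (then == "join" or now == "join"):
            visible.append(ev)                      # current members see all history
    return visible


def get_event_vulnerable(store: Store, user_id: str, event_id: str, room_id: Optional[str] = None) -> Event:
    """Pre-fix behaviour: anyone who knows an event id gets the event back."""
    ev = store.get_event(event_id)
    if ev is None:
        raise NotFound(event_id)
    return ev


def get_event_checked(store: Store, user_id: str, event_id: str, room_id: Optional[str] = None) -> Event:
    """Post-fix behaviour: the event must be in the requested room and visible to the requester."""
    ev = store.get_event(event_id)
    if ev is None:
        raise NotFound(event_id)
    if room_id is not None and ev.room_id != room_id:
        raise NotFound(event_id)                    # wrong room: don't confirm the id exists elsewhere
    if not filter_events_for_client(store, user_id, [ev]):
        raise Forbidden("You don't have permission to access that event.")
    return ev


def outcome(handler: Callable, store: Store, user_id: str, event_id: str, room_id: Optional[str] = None) -> str:
    """Run a handler and report the event id returned, or the status it would have produced."""
    try:
        return handler(store, user_id, event_id, room_id).event_id
    except NotFound:
        return "404"
    except Forbidden:
        return "403"


def sample_store() -> Store:
    """Constructed fixture: a 'joined'-visibility room that @alice joins at position 10."""
    return Store(
        events={
            "$before": Event("$before", "!private:example.org", 5, {"body": "secret"}),
            "$after": Event("$after", "!private:example.org", 15, {"body": "hello alice"}),
            "$public": Event("$public", "!lobby:example.org", 1, {"body": "welcome"}),
        },
        memberships={"!private:example.org": {
            "@alice:example.org": [Membership("join", 10)],
            "@bob:example.org": [Membership("join", 1)],
        }},
        history_visibility={"!private:example.org": "joined", "!lobby:example.org": "world_readable"},
    )


if __name__ == "__main__":
    s = sample_store()
    for handler in (get_event_vulnerable, get_event_checked):
        print(handler.__name__, "alice/$before:", outcome(handler, s, "@alice:example.org", "$before"))
```

The `$before` event is the interesting case: it was sent before @alice joined a room whose history visibility is "joined", so the pre-fix handler hands it over while the checked handler returns the 403. The room-id mismatch is answered with a 404 rather than a 403 so that the response does not confirm the event id exists in some other room.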
