Disallow capital letters in userids

Factor out a common function for checking user ids and group ids, which forbids
capitals.
This commit is contained in:
Richard van der Hoff 2017-10-20 23:37:22 +01:00
parent b4a6b7f720
commit 58fbbe0f1d
3 changed files with 26 additions and 17 deletions

View file

@ -13,14 +13,12 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
from twisted.internet import defer
from synapse.api.errors import SynapseError
from synapse.types import UserID, get_domain_from_id, RoomID, GroupID
import logging import logging
import urllib
from synapse import types
from synapse.api.errors import SynapseError
from synapse.types import GroupID, RoomID, UserID, get_domain_from_id
from twisted.internet import defer
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -793,10 +791,7 @@ def _validate_group_id(group_id):
""" """
localpart = GroupID.from_string(group_id).localpart localpart = GroupID.from_string(group_id).localpart
if localpart.lower() != localpart: if types.contains_invalid_mxid_characters(localpart):
raise SynapseError(400, "Group ID must be lower case")
if urllib.quote(localpart.encode('utf-8')) != localpart:
raise SynapseError( raise SynapseError(
400, 400,
"Group ID can only contain characters a-z, 0-9, or '_-./'", "Group ID can only contain characters a-z, 0-9, or '_-./'",

View file

@ -15,7 +15,6 @@
"""Contains functions for registering clients.""" """Contains functions for registering clients."""
import logging import logging
import urllib
from twisted.internet import defer from twisted.internet import defer
@ -23,6 +22,7 @@ from synapse.api.errors import (
AuthError, Codes, SynapseError, RegistrationError, InvalidCaptchaError AuthError, Codes, SynapseError, RegistrationError, InvalidCaptchaError
) )
from synapse.http.client import CaptchaServerHttpClient from synapse.http.client import CaptchaServerHttpClient
from synapse import types
from synapse.types import UserID from synapse.types import UserID
from synapse.util.async import run_on_reactor from synapse.util.async import run_on_reactor
from ._base import BaseHandler from ._base import BaseHandler
@ -46,9 +46,7 @@ class RegistrationHandler(BaseHandler):
@defer.inlineCallbacks @defer.inlineCallbacks
def check_username(self, localpart, guest_access_token=None, def check_username(self, localpart, guest_access_token=None,
assigned_user_id=None): assigned_user_id=None):
yield run_on_reactor() if types.contains_invalid_mxid_characters(localpart):
if urllib.quote(localpart.encode('utf-8')) != localpart:
raise SynapseError( raise SynapseError(
400, 400,
"User ID can only contain characters a-z, 0-9, or '_-./'", "User ID can only contain characters a-z, 0-9, or '_-./'",
@ -81,7 +79,7 @@ class RegistrationHandler(BaseHandler):
"A different user ID has already been registered for this session", "A different user ID has already been registered for this session",
) )
yield self.check_user_id_not_appservice_exclusive(user_id) self.check_user_id_not_appservice_exclusive(user_id)
users = yield self.store.get_users_by_id_case_insensitive(user_id) users = yield self.store.get_users_by_id_case_insensitive(user_id)
if users: if users:
@ -254,7 +252,7 @@ class RegistrationHandler(BaseHandler):
""" """
Registers email_id as SAML2 Based Auth. Registers email_id as SAML2 Based Auth.
""" """
if urllib.quote(localpart) != localpart: if types.contains_invalid_mxid_characters(localpart):
raise SynapseError( raise SynapseError(
400, 400,
"User ID must only contain characters which do not" "User ID must only contain characters which do not"

View file

@ -12,6 +12,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import string
from synapse.api.errors import SynapseError from synapse.api.errors import SynapseError
@ -161,6 +162,21 @@ class GroupID(DomainSpecificString):
SIGIL = "+" SIGIL = "+"
mxid_localpart_allowed_characters = set("_-./" + string.ascii_lowercase + string.digits)
def contains_invalid_mxid_characters(localpart):
"""Check for characters not allowed in an mxid or groupid localpart
Args:
localpart (basestring): the localpart to be checked
Returns:
bool: True if there are any naughty characters
"""
return any(c not in mxid_localpart_allowed_characters for c in localpart)
class StreamToken( class StreamToken(
namedtuple("Token", ( namedtuple("Token", (
"room_key", "room_key",