Properly forbid setting other users' state

Andrew Ferrazzutti 2024-06-27 15:14:13 -04:00
parent 9a9257c2be
commit a949455520


@ -808,12 +808,12 @@ def get_send_level(
def _can_send_event(event: "EventBase", auth_events: StateMap["EventBase"]) -> bool:
power_levels_event = get_power_level_event(auth_events)
uses_owned_state_events = event.room_version is RoomVersions.MSC3779v10
use_msc3779 = event.room_version is RoomVersions.MSC3779v10
send_level = get_send_level(
event.type,
event.get("state_key"),
power_levels_event,
event.user_id if uses_owned_state_events else None,
event.user_id if use_msc3779 else None,
)
user_level = get_user_power_level(event.user_id, auth_events)
@ -827,8 +827,11 @@ def _can_send_event(event: "EventBase", auth_events: StateMap["EventBase"]) -> b
# Check state_key
if hasattr(event, "state_key"):
if not uses_owned_state_events and event.state_key.startswith("@"):
if event.state_key != event.user_id:
if event.state_key.startswith("@"):
if event.state_key != event.user_id and (
not use_msc3779
or not event.state_key.startswith(event.user_id + "_")
):
raise AuthError(403, "You are not allowed to set others state")
return True
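Review bot: The ownership rule that the rewritten condition in the second hunk encodes — a state_key beginning with `@` must equal the sender's user ID, or under MSC3779 be the sender's ID followed by `_` — can only be recovered by reading the three nested `if`s, so a comment above `if event.state_key.startswith("@"):` such as `# "@"-prefixed state keys are user-owned: only that user may set them, or (MSC3779) keys of the form "<user_id>_<suffix>".` would make the intent explicit. The prefix test `event.state_key.startswith(event.user_id + "_")` is sound only if no other valid user ID can be a prefix of `event.user_id + "_"`; I believe that holds because server names cannot contain `_`, but stating that assumption in the same comment keeps it from being silently broken by a later change to the ID grammar. The 403 is raised without recording which sender/state_key pair was refused; if an audit trail of denied state writes is wanted, this branch is the place to log it (inferred — the file's logging conventions are not visible in the hunk). `_can_send_event` spans both hunks with lines elided between them, so paths reaching the final `return True` other than the ones shown are not visible here.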