Parse the ID given to /invite|ban|kick to make sure it looks like a user ID.

2024-07-03 04:43:30 +00:00 · 2015-07-20 13:55:19 +01:00 · 2015-07-20 13:55:19 +01:00 · b6ee0585bd
parent 4f973eb657
commit b6ee0585bd
1 changed files with 2 additions and 0 deletions
--- a/synapse/rest/client/v1/room.py
+++ b/synapse/rest/client/v1/room.py
@ -412,6 +412,8 @@ class RoomMembershipRestServlet(ClientV1RestServlet):
            if "user_id" not in content:
                raise SynapseError(400, "Missing user_id key.")
            state_key = content["user_id"]
+            # make sure it looks like a user ID; it'll throw if it's invalid.
+            UserID.from_string(state_key);

            if membership_action == "kick":
                membership_action = "leave"