Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Merge pull request from GHSA-mp92-3jfm-3575
Browse files Browse the repository at this point in the history
  • Loading branch information
clokep authored and erikjohnston committed Oct 31, 2023
1 parent 79f48b2 commit daec55e
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 1 deletion.
8 changes: 7 additions & 1 deletion synapse/federation/federation_server.py
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@
from synapse.storage.databases.main.lock import Lock
from synapse.storage.databases.main.roommember import extract_heroes_from_room_summary
from synapse.storage.roommember import MemberSummary
from synapse.types import JsonDict, StateMap, get_domain_from_id
from synapse.types import JsonDict, StateMap, get_domain_from_id, UserID
from synapse.util import unwrapFirstError
from synapse.util.async_helpers import Linearizer, concurrently_execute, gather_results
from synapse.util.caches.response_cache import ResponseCache
Expand Down Expand Up @@ -999,6 +999,12 @@ async def on_query_user_devices(
async def on_claim_client_keys(
self, query: List[Tuple[str, str, str, int]], always_include_fallback_keys: bool
) -> Dict[str, Any]:
if any(
not self.hs.is_mine(UserID.from_string(user_id))
for user_id, _, _, _ in query
):
raise SynapseError(400, "User is not hosted on this homeserver")

log_kv({"message": "Claiming one time keys.", "user, device pairs": query})
results = await self._e2e_keys_handler.claim_local_one_time_keys(
query, always_include_fallback_keys=always_include_fallback_keys
Expand Down
3 changes: 3 additions & 0 deletions synapse/handlers/device.py
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,9 @@ async def get_user_ids_changed(
return result

async def on_federation_query_user_devices(self, user_id: str) -> JsonDict:
if not self.hs.is_mine(UserID.from_string(user_id)):
raise SynapseError(400, "User is not hosted on this homeserver")

stream_id, devices = await self.store.get_e2e_device_keys_for_federation_query(
user_id
)
Expand Down
6 changes: 6 additions & 0 deletions synapse/handlers/e2e_keys.py
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,12 @@ async def on_federation_query_client_keys(
device_keys_query: Dict[str, Optional[List[str]]] = query_body.get(
"device_keys", {}
)
if any(
not self.is_mine(UserID.from_string(user_id))
for user_id in device_keys_query
):
raise SynapseError(400, "User is not hosted on this homeserver")

res = await self.query_local_devices(
device_keys_query,
include_displaynames=(
Expand Down

0 comments on commit daec55e

Please sign in to comment.