Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users that knock on a room with a shared history visibility and are subsequently kicked are able to view all previous events #13968

Open
matrixbot opened this issue Dec 20, 2023 · 0 comments
Open

Users that knock on a room with a shared history visibility and are subsequently kicked are able to view all previous events #13968

matrixbot opened this issue Dec 20, 2023 · 0 comments
Labels
A-Messages-Endpoint O-Uncommon S-Major Security T-Defect

Comments

@matrixbot
Copy link
Collaborator

matrixbot commented Dec 20, 2023
edited
Loading

This issue has been migrated from #13968.

Description

I created a room (room version 10) as a test user with the following initial state:

  • history_visibility: shared
  • join_rule: knock

I'm observing that if another user knocks on the room and that admin test user kicks them, the kicked user is still able to fetch all of the previous events of the room using the /_matrix/client/v3/rooms/{roomId}/messages GET endpoint.

This seems like unexpected behaviour to me and a major risk to the privacy/confidentiality of the users in the room.

The Client-Server API Spec mentions this for shared room history visibility:

"Previous events are always accessible to newly joined members. All events in the room are accessible, even those sent when the member was not a part of the room."

I have a feeling that room members with membership set as knock are mistakenly being considered as newly joined members in this case.

Steps to reproduce

  • the following steps refer to user 1 (room creator and admin) and user 2 (knocker)
  • create a room as user 1 with the following properties:
    • history_visibility: shared
    • join_rule: knock
    • room_version: 10
  • send a few test messages as user 1 in the room
  • knock on the room as user 2
  • kick user 2 as user 1
  • access previous events in the room as user 2 using the /_matrix/client/v3/rooms/{roomId}/messages GET endpoint
  • observe that the test messages sent as user 1 are accessible through this endpoint by user 2

Homeserver

Local test homeserver

Synapse Version

1.68.0

Installation Method

Docker (matrixdotorg/synapse)

Platform

Official Docker image running in a container on Manjaro Linux

Relevant log output

[Edit 2022-09-30 11:41 UTC by dmr: redacted logs which contained sensitive information.]

Anything else that would be useful to know?

No response
@matrixbot matrixbot changed the title Dummy issue Users that knock on a room with a shared history visibility and are subsequently kicked are able to view all previous events Dec 21, 2023
@matrixbot matrixbot reopened this Dec 21, 2023
@richvdh richvdh mentioned this issue Jun 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-Messages-Endpoint O-Uncommon S-Major Security T-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@matrixbot