Missing validation on typing EDUs #13869

squahtx · 2022-09-22T10:37:26Z

When we receive a typing EDU from a remote homeserver, we neglect to check that said homeserver is in the room the typing EDU is for.

There was a check that looked like it was doing the job, except it was really checking that the local homeserver is in the room a second time:

synapse/synapse/handlers/typing.py

Lines 365 to 369 in 1a209ef

    
           domains = await self._storage_controllers.state.get_current_hosts_in_room( 
        
               room_id 
        
           ) 
        
           if self.server_name in domains:

related: #11456

squahtx added A-Federation S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Sep 22, 2022

squahtx mentioned this issue Sep 22, 2022

typing: check origin server of typing event against room's servers #13830

Merged

4 tasks

MatMaul closed this as completed in #13830 Sep 26, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing validation on typing EDUs #13869

Missing validation on typing EDUs #13869

squahtx commented Sep 22, 2022

Missing validation on typing EDUs #13869

Missing validation on typing EDUs #13869

Comments

squahtx commented Sep 22, 2022