From 3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Thu, 19 Nov 2020 10:05:33 +0000
Subject: [PATCH 1/3] Consistently use room_id from federation request body
(#8776)
* Consistently use room_id from federation request body
Some federation APIs have a redundant `room_id` path param (see
https://github.com/matrix-org/matrix-doc/issues/2330). We should make sure we
consistently use either the path param or the body param, and the body param is
easier.
* Kill off some references to "context"
Once upon a time, "rooms" were known as "contexts". I think this kills of the
last references to "contexts".
---
changelog.d/8776.bugfix | 1 +
synapse/federation/federation_server.py | 23 ++++-----
synapse/federation/transport/server.py | 68 ++++++++++++-------------
synapse/handlers/federation.py | 10 ++--
tests/handlers/test_federation.py | 1 -
5 files changed, 49 insertions(+), 54 deletions(-)
create mode 100644 changelog.d/8776.bugfix
diff --git a/changelog.d/8776.bugfix b/changelog.d/8776.bugfix
new file mode 100644
index 000000000..dd7ebbeb8
--- /dev/null
+++ b/changelog.d/8776.bugfix
@@ -0,0 +1 @@
+Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body.
diff --git a/synapse/federation/federation_server.py b/synapse/federation/federation_server.py
index 23278e36b..4b6ab470d 100644
--- a/synapse/federation/federation_server.py
+++ b/synapse/federation/federation_server.py
@@ -49,6 +49,7 @@ from synapse.federation.federation_base import FederationBase, event_from_pdu_js
from synapse.federation.persistence import TransactionActions
from synapse.federation.units import Edu, Transaction
from synapse.http.endpoint import parse_server_name
+from synapse.http.servlet import assert_params_in_dict
from synapse.logging.context import (
make_deferred_yieldable,
nested_logging_context,
@@ -391,7 +392,7 @@ class FederationServer(FederationBase):
TRANSACTION_CONCURRENCY_LIMIT,
)
- async def on_context_state_request(
+ async def on_room_state_request(
self, origin: str, room_id: str, event_id: str
) -> Tuple[int, Dict[str, Any]]:
origin_host, _ = parse_server_name(origin)
@@ -514,11 +515,12 @@ class FederationServer(FederationBase):
return {"event": ret_pdu.get_pdu_json(time_now)}
async def on_send_join_request(
- self, origin: str, content: JsonDict, room_id: str
+ self, origin: str, content: JsonDict
) -> Dict[str, Any]:
logger.debug("on_send_join_request: content: %s", content)
- room_version = await self.store.get_room_version(room_id)
+ assert_params_in_dict(content, ["room_id"])
+ room_version = await self.store.get_room_version(content["room_id"])
pdu = event_from_pdu_json(content, room_version)
origin_host, _ = parse_server_name(origin)
@@ -547,12 +549,11 @@ class FederationServer(FederationBase):
time_now = self._clock.time_msec()
return {"event": pdu.get_pdu_json(time_now), "room_version": room_version}
- async def on_send_leave_request(
- self, origin: str, content: JsonDict, room_id: str
- ) -> dict:
+ async def on_send_leave_request(self, origin: str, content: JsonDict) -> dict:
logger.debug("on_send_leave_request: content: %s", content)
- room_version = await self.store.get_room_version(room_id)
+ assert_params_in_dict(content, ["room_id"])
+ room_version = await self.store.get_room_version(content["room_id"])
pdu = event_from_pdu_json(content, room_version)
origin_host, _ = parse_server_name(origin)
@@ -748,12 +749,8 @@ class FederationServer(FederationBase):
)
return ret
- async def on_exchange_third_party_invite_request(
- self, room_id: str, event_dict: Dict
- ):
- ret = await self.handler.on_exchange_third_party_invite_request(
- room_id, event_dict
- )
+ async def on_exchange_third_party_invite_request(self, event_dict: Dict):
+ ret = await self.handler.on_exchange_third_party_invite_request(event_dict)
return ret
async def check_server_matches_acl(self, server_name: str, room_id: str):
diff --git a/synapse/federation/transport/server.py b/synapse/federation/transport/server.py
index a0933fae8..b53e7a20e 100644
--- a/synapse/federation/transport/server.py
+++ b/synapse/federation/transport/server.py
@@ -440,13 +440,13 @@ class FederationEventServlet(BaseFederationServlet):
class FederationStateV1Servlet(BaseFederationServlet):
- PATH = "/state/(?P<context>[^/]*)/?"
+ PATH = "/state/(?P<room_id>[^/]*)/?"
- # This is when someone asks for all data for a given context.
- async def on_GET(self, origin, content, query, context):
- return await self.handler.on_context_state_request(
+ # This is when someone asks for all data for a given room.
+ async def on_GET(self, origin, content, query, room_id):
+ return await self.handler.on_room_state_request(
origin,
- context,
+ room_id,
parse_string_from_args(query, "event_id", None, required=False),
)
@@ -463,16 +463,16 @@ class FederationStateIdsServlet(BaseFederationServlet):
class FederationBackfillServlet(BaseFederationServlet):
- PATH = "/backfill/(?P<context>[^/]*)/?"
+ PATH = "/backfill/(?P<room_id>[^/]*)/?"
- async def on_GET(self, origin, content, query, context):
+ async def on_GET(self, origin, content, query, room_id):
versions = [x.decode("ascii") for x in query[b"v"]]
limit = parse_integer_from_args(query, "limit", None)
if not limit:
return 400, {"error": "Did not include limit param"}
- return await self.handler.on_backfill_request(origin, context, versions, limit)
+ return await self.handler.on_backfill_request(origin, room_id, versions, limit)
class FederationQueryServlet(BaseFederationServlet):
@@ -487,9 +487,9 @@ class FederationQueryServlet(BaseFederationServlet):
class FederationMakeJoinServlet(BaseFederationServlet):
- PATH = "/make_join/(?P<context>[^/]*)/(?P<user_id>[^/]*)"
+ PATH = "/make_join/(?P<room_id>[^/]*)/(?P<user_id>[^/]*)"
- async def on_GET(self, origin, _content, query, context, user_id):
+ async def on_GET(self, origin, _content, query, room_id, user_id):
"""
Args:
origin (unicode): The authenticated server_name of the calling server
@@ -511,16 +511,16 @@ class FederationMakeJoinServlet(BaseFederationServlet):
supported_versions = ["1"]
content = await self.handler.on_make_join_request(
- origin, context, user_id, supported_versions=supported_versions
+ origin, room_id, user_id, supported_versions=supported_versions
)
return 200, content
class FederationMakeLeaveServlet(BaseFederationServlet):
- PATH = "/make_leave/(?P<context>[^/]*)/(?P<user_id>[^/]*)"
+ PATH = "/make_leave/(?P<room_id>[^/]*)/(?P<user_id>[^/]*)"
- async def on_GET(self, origin, content, query, context, user_id):
- content = await self.handler.on_make_leave_request(origin, context, user_id)
+ async def on_GET(self, origin, content, query, room_id, user_id):
+ content = await self.handler.on_make_leave_request(origin, room_id, user_id)
return 200, content
@@ -528,7 +528,7 @@ class FederationV1SendLeaveServlet(BaseFederationServlet):
PATH = "/send_leave/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
async def on_PUT(self, origin, content, query, room_id, event_id):
- content = await self.handler.on_send_leave_request(origin, content, room_id)
+ content = await self.handler.on_send_leave_request(origin, content)
return 200, (200, content)
@@ -538,43 +538,43 @@ class FederationV2SendLeaveServlet(BaseFederationServlet):
PREFIX = FEDERATION_V2_PREFIX
async def on_PUT(self, origin, content, query, room_id, event_id):
- content = await self.handler.on_send_leave_request(origin, content, room_id)
+ content = await self.handler.on_send_leave_request(origin, content)
return 200, content
class FederationEventAuthServlet(BaseFederationServlet):
- PATH = "/event_auth/(?P<context>[^/]*)/(?P<event_id>[^/]*)"
+ PATH = "/event_auth/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
- async def on_GET(self, origin, content, query, context, event_id):
- return await self.handler.on_event_auth(origin, context, event_id)
+ async def on_GET(self, origin, content, query, room_id, event_id):
+ return await self.handler.on_event_auth(origin, room_id, event_id)
class FederationV1SendJoinServlet(BaseFederationServlet):
- PATH = "/send_join/(?P<context>[^/]*)/(?P<event_id>[^/]*)"
+ PATH = "/send_join/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
- async def on_PUT(self, origin, content, query, context, event_id):
- # TODO(paul): assert that context/event_id parsed from path actually
+ async def on_PUT(self, origin, content, query, room_id, event_id):
+ # TODO(paul): assert that room_id/event_id parsed from path actually
# match those given in content
- content = await self.handler.on_send_join_request(origin, content, context)
+ content = await self.handler.on_send_join_request(origin, content)
return 200, (200, content)
class FederationV2SendJoinServlet(BaseFederationServlet):
- PATH = "/send_join/(?P<context>[^/]*)/(?P<event_id>[^/]*)"
+ PATH = "/send_join/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
PREFIX = FEDERATION_V2_PREFIX
- async def on_PUT(self, origin, content, query, context, event_id):
- # TODO(paul): assert that context/event_id parsed from path actually
+ async def on_PUT(self, origin, content, query, room_id, event_id):
+ # TODO(paul): assert that room_id/event_id parsed from path actually
# match those given in content
- content = await self.handler.on_send_join_request(origin, content, context)
+ content = await self.handler.on_send_join_request(origin, content)
return 200, content
class FederationV1InviteServlet(BaseFederationServlet):
- PATH = "/invite/(?P<context>[^/]*)/(?P<event_id>[^/]*)"
+ PATH = "/invite/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
- async def on_PUT(self, origin, content, query, context, event_id):
+ async def on_PUT(self, origin, content, query, room_id, event_id):
# We don't get a room version, so we have to assume its EITHER v1 or
# v2. This is "fine" as the only difference between V1 and V2 is the
# state resolution algorithm, and we don't use that for processing
@@ -589,12 +589,12 @@ class FederationV1InviteServlet(BaseFederationServlet):
class FederationV2InviteServlet(BaseFederationServlet):
- PATH = "/invite/(?P<context>[^/]*)/(?P<event_id>[^/]*)"
+ PATH = "/invite/(?P<room_id>[^/]*)/(?P<event_id>[^/]*)"
PREFIX = FEDERATION_V2_PREFIX
- async def on_PUT(self, origin, content, query, context, event_id):
- # TODO(paul): assert that context/event_id parsed from path actually
+ async def on_PUT(self, origin, content, query, room_id, event_id):
+ # TODO(paul): assert that room_id/event_id parsed from path actually
# match those given in content
room_version = content["room_version"]
@@ -616,9 +616,7 @@ class FederationThirdPartyInviteExchangeServlet(BaseFederationServlet):
PATH = "/exchange_third_party_invite/(?P<room_id>[^/]*)"
async def on_PUT(self, origin, content, query, room_id):
- content = await self.handler.on_exchange_third_party_invite_request(
- room_id, content
- )
+ content = await self.handler.on_exchange_third_party_invite_request(content)
return 200, content
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index c38695770..e03caea25 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -55,6 +55,7 @@ from synapse.events import EventBase
from synapse.events.snapshot import EventContext
from synapse.events.validator import EventValidator
from synapse.handlers._base import BaseHandler
+from synapse.http.servlet import assert_params_in_dict
from synapse.logging.context import (
make_deferred_yieldable,
nested_logging_context,
@@ -2686,7 +2687,7 @@ class FederationHandler(BaseHandler):
)
async def on_exchange_third_party_invite_request(
- self, room_id: str, event_dict: JsonDict
+ self, event_dict: JsonDict
) -> None:
"""Handle an exchange_third_party_invite request from a remote server
@@ -2694,12 +2695,11 @@ class FederationHandler(BaseHandler):
into a normal m.room.member invite.
Args:
- room_id: The ID of the room.
-
- event_dict (dict[str, Any]): Dictionary containing the event body.
+ event_dict: Dictionary containing the event body.
"""
- room_version = await self.store.get_room_version_id(room_id)
+ assert_params_in_dict(event_dict, ["room_id"])
+ room_version = await self.store.get_room_version_id(event_dict["room_id"])
# NB: event_dict has a particular specced format we might need to fudge
# if we change event formats too much.
diff --git a/tests/handlers/test_federation.py b/tests/handlers/test_federation.py
index 9ef80fe50..bf866dacf 100644
--- a/tests/handlers/test_federation.py
+++ b/tests/handlers/test_federation.py
@@ -59,7 +59,6 @@ class FederationTestCase(unittest.HomeserverTestCase):
)
d = self.handler.on_exchange_third_party_invite_request(
- room_id=room_id,
event_dict={
"type": EventTypes.Member,
"room_id": room_id,
From 0eb9b2f86667a059f692d71d5c224c173498bb7b Mon Sep 17 00:00:00 2001
From: Patrick Cloke <clokep@users.noreply.github.com>
Date: Tue, 8 Dec 2020 13:41:25 -0500
Subject: [PATCH 2/3] Fix installing pysaml2 on Python 3.5. (#8898)
This pins pysaml2 to < 6.4.0 on Python 3.5, as the last known working version.
---
changelog.d/8898.misc | 1 +
synapse/python_dependencies.py | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)
create mode 100644 changelog.d/8898.misc
diff --git a/changelog.d/8898.misc b/changelog.d/8898.misc
new file mode 100644
index 000000000..bdb0d40d5
--- /dev/null
+++ b/changelog.d/8898.misc
@@ -0,0 +1 @@
+Add a maximum version for pysaml2 on Python 3.5.
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
index aab77fc45..040f76bb5 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@@ -99,7 +99,11 @@ CONDITIONAL_REQUIREMENTS = {
# python 3.5.2, as per https://github.com/itamarst/eliot/issues/418
'eliot<1.8.0;python_version<"3.5.3"',
],
- "saml2": ["pysaml2>=4.5.0"],
+ "saml2": [
+ # pysaml2 6.4.0 is incompatible with Python 3.5 (see https://github.com/IdentityPython/pysaml2/issues/749)
+ "pysaml2>=4.5.0,<6.4.0;python_version<'3.6'",
+ "pysaml2>=4.5.0;python_version>='3.6'",
+ ],
"oidc": ["authlib>=0.14.0"],
"systemd": ["systemd-python>=231"],
"url_preview": ["lxml>=3.5.0"],
From 1cec3d145770b52a7588cdf9df552189da634c5f Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Wed, 9 Dec 2020 10:41:39 +0000
Subject: [PATCH 3/3] 1.23.1
---
CHANGES.md | 52 +++++++++++++++++++++++++++++++++++++++++
changelog.d/8776.bugfix | 1 -
changelog.d/8898.misc | 1 -
debian/changelog | 6 +++++
synapse/__init__.py | 2 +-
5 files changed, 59 insertions(+), 3 deletions(-)
delete mode 100644 changelog.d/8776.bugfix
delete mode 100644 changelog.d/8898.misc
diff --git a/CHANGES.md b/CHANGES.md
index 52b2fd6f8..55f53eb69 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,55 @@
+Synapse 1.23.1 (2020-12-09)
+===========================
+
+Due to the two security issues highlighted below, server administrators are
+encouraged to update Synapse. We are not aware of these vulnerabilities being
+exploited in the wild.
+
+Security advisory
+-----------------
+
+The following issues are fixed in v1.23.1 and v1.24.0.
+
+- There is a denial of service attack
+ ([CVE-2020-26257](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26257))
+ against the federation APIs in which future events will not be correctly sent
+ to other servers over federation. This affects all servers that participate in
+ open federation. (Fixed in [#8776](https://github.com/matrix-org/synapse/pull/8776)).
+
+- Synapse may be affected by OpenSSL
+ [CVE-2020-1971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971).
+ Synapse administrators should ensure that they have the latest versions of
+ the cryptography Python package installed.
+
+To upgrade Synapse along with the cryptography package:
+
+* Administrators using the [`matrix.org` Docker
+ image](https://hub.docker.com/r/matrixdotorg/synapse/) or the [Debian/Ubuntu
+ packages from
+ `matrix.org`](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#matrixorg-packages)
+ should ensure that they have version 1.24.0 or 1.23.1 installed: these images include
+ the updated packages.
+* Administrators who have [installed Synapse from
+ source](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#installing-from-source)
+ should upgrade the cryptography package within their virtualenv by running:
+ ```sh
+ <path_to_virtualenv>/bin/pip install 'cryptography>=3.3'
+ ```
+* Administrators who have installed Synapse from distribution packages should
+ consult the information from their distributions.
+
+Bugfixes
+--------
+
+- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))
+
+
+Internal Changes
+----------------
+
+- Add a maximum version for pysaml2 on Python 3.5. ([\#8898](https://github.com/matrix-org/synapse/issues/8898))
+
+
Synapse 1.23.0 (2020-11-18)
===========================
diff --git a/changelog.d/8776.bugfix b/changelog.d/8776.bugfix
deleted file mode 100644
index dd7ebbeb8..000000000
--- a/changelog.d/8776.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body.
diff --git a/changelog.d/8898.misc b/changelog.d/8898.misc
deleted file mode 100644
index bdb0d40d5..000000000
--- a/changelog.d/8898.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add a maximum version for pysaml2 on Python 3.5.
diff --git a/debian/changelog b/debian/changelog
index 4ea4feddd..0342fafdd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.23.1) stable; urgency=medium
+
+ * New synapse release 1.23.1.
+
+ -- Synapse Packaging team <packages@matrix.org> Wed, 09 Dec 2020 10:40:39 +0000
+
matrix-synapse-py3 (1.23.0) stable; urgency=medium
* New synapse release 1.23.0.
diff --git a/synapse/__init__.py b/synapse/__init__.py
index 65c1f5aa3..c38a8f613 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -48,7 +48,7 @@ try:
except ImportError:
pass
-__version__ = "1.23.0"
+__version__ = "1.23.1"
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
# We import here so that we don't have to install a bunch of deps when