forked from MirrorHub/synapse
Merge branch 'master' into develop
This commit is contained in:
commit
5d9e7e0c71
8 changed files with 214 additions and 7 deletions
31
CHANGES.md
31
CHANGES.md
|
@ -1,5 +1,36 @@
|
|||
Users will stop receiving message updates via email for addresses that were previously linked to their account
|
||||
|
||||
Synapse 1.41.1 (2021-08-31)
|
||||
===========================
|
||||
|
||||
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
|
||||
|
||||
Security advisory
|
||||
-----------------
|
||||
|
||||
The following issues are fixed in v1.41.1.
|
||||
|
||||
- **[GHSA-3x4c-pq33-4w3q](https://github.com/matrix-org/synapse/security/advisories/GHSA-3x4c-pq33-4w3q) / [CVE-2021-39164](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39164): Enumerating a private room's list of members and their display names.**
|
||||
|
||||
If an unauthorized user both knows the Room ID of a private room *and* that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names.
|
||||
|
||||
The unauthorized user must be on the same homeserver as a user who is a member of the target room.
|
||||
|
||||
Fixed by [52c7a51cf](https://github.com/matrix-org/synapse/commit/52c7a51cf).
|
||||
|
||||
- **[GHSA-jj53-8fmw-f2w2](https://github.com/matrix-org/synapse/security/advisories/GHSA-jj53-8fmw-f2w2) / [CVE-2021-39163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39163): Disclosing a private room's name, avatar, topic, and number of members.**
|
||||
|
||||
If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.
|
||||
|
||||
The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default).
|
||||
|
||||
Fixed by [cb35df940a](https://github.com/matrix-org/synapse/commit/cb35df940a), [\#10723](https://github.com/matrix-org/synapse/issues/10723).
|
||||
|
||||
Bugfixes
|
||||
--------
|
||||
|
||||
- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. ([\#10713](https://github.com/matrix-org/synapse/issues/10713))
|
||||
|
||||
Synapse 1.41.0 (2021-08-24)
|
||||
===========================
|
||||
|
||||
|
|
1
changelog.d/10723.bugfix
Normal file
1
changelog.d/10723.bugfix
Normal file
|
@ -0,0 +1 @@
|
|||
Fix unauthorised exposure of room metadata to communities.
|
6
debian/changelog
vendored
6
debian/changelog
vendored
|
@ -1,3 +1,9 @@
|
|||
matrix-synapse-py3 (1.41.1) stable; urgency=high
|
||||
|
||||
* New synapse release 1.41.1.
|
||||
|
||||
-- Synapse Packaging team <packages@matrix.org> Tue, 31 Aug 2021 12:59:10 +0100
|
||||
|
||||
matrix-synapse-py3 (1.41.0) stable; urgency=medium
|
||||
|
||||
* New synapse release 1.41.0.
|
||||
|
|
|
@ -47,7 +47,7 @@ try:
|
|||
except ImportError:
|
||||
pass
|
||||
|
||||
__version__ = "1.41.0"
|
||||
__version__ = "1.41.1"
|
||||
|
||||
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
|
||||
# We import here so that we don't have to install a bunch of deps when
|
||||
|
|
|
@ -332,6 +332,13 @@ class GroupsServerWorkerHandler:
|
|||
requester_user_id, group_id
|
||||
)
|
||||
|
||||
# Note! room_results["is_public"] is about whether the room is considered
|
||||
# public from the group's point of view. (i.e. whether non-group members
|
||||
# should be able to see the room is in the group).
|
||||
# This is not the same as whether the room itself is public (in the sense
|
||||
# of being visible in the room directory).
|
||||
# As such, room_results["is_public"] itself is not sufficient to determine
|
||||
# whether any given user is permitted to see the room's metadata.
|
||||
room_results = await self.store.get_rooms_in_group(
|
||||
group_id, include_private=is_user_in_group
|
||||
)
|
||||
|
@ -341,8 +348,15 @@ class GroupsServerWorkerHandler:
|
|||
room_id = room_result["room_id"]
|
||||
|
||||
joined_users = await self.store.get_users_in_room(room_id)
|
||||
|
||||
# check the user is actually allowed to see the room before showing it to them
|
||||
allow_private = requester_user_id in joined_users
|
||||
|
||||
entry = await self.room_list_handler.generate_room_entry(
|
||||
room_id, len(joined_users), with_alias=False, allow_private=True
|
||||
room_id,
|
||||
len(joined_users),
|
||||
with_alias=False,
|
||||
allow_private=allow_private,
|
||||
)
|
||||
|
||||
if not entry:
|
||||
|
@ -354,7 +368,7 @@ class GroupsServerWorkerHandler:
|
|||
|
||||
chunk.sort(key=lambda e: -e["num_joined_members"])
|
||||
|
||||
return {"chunk": chunk, "total_room_count_estimate": len(room_results)}
|
||||
return {"chunk": chunk, "total_room_count_estimate": len(chunk)}
|
||||
|
||||
|
||||
class GroupsServerHandler(GroupsServerWorkerHandler):
|
||||
|
|
|
@ -183,20 +183,37 @@ class MessageHandler:
|
|||
|
||||
if not last_events:
|
||||
raise NotFoundError("Can't find event for token %s" % (at_token,))
|
||||
last_event = last_events[0]
|
||||
|
||||
# check whether the user is in the room at that time to determine
|
||||
# whether they should be treated as peeking.
|
||||
state_map = await self.state_store.get_state_for_event(
|
||||
last_event.event_id,
|
||||
StateFilter.from_types([(EventTypes.Member, user_id)]),
|
||||
)
|
||||
|
||||
joined = False
|
||||
membership_event = state_map.get((EventTypes.Member, user_id))
|
||||
if membership_event:
|
||||
joined = membership_event.membership == Membership.JOIN
|
||||
|
||||
is_peeking = not joined
|
||||
|
||||
visible_events = await filter_events_for_client(
|
||||
self.storage,
|
||||
user_id,
|
||||
last_events,
|
||||
filter_send_to_client=False,
|
||||
is_peeking=is_peeking,
|
||||
)
|
||||
|
||||
event = last_events[0]
|
||||
if visible_events:
|
||||
room_state_events = await self.state_store.get_state_for_events(
|
||||
[event.event_id], state_filter=state_filter
|
||||
[last_event.event_id], state_filter=state_filter
|
||||
)
|
||||
room_state: Mapping[Any, EventBase] = room_state_events[event.event_id]
|
||||
room_state: Mapping[Any, EventBase] = room_state_events[
|
||||
last_event.event_id
|
||||
]
|
||||
else:
|
||||
raise AuthError(
|
||||
403,
|
||||
|
|
56
tests/rest/client/test_groups.py
Normal file
56
tests/rest/client/test_groups.py
Normal file
|
@ -0,0 +1,56 @@
|
|||
# Copyright 2021 The Matrix.org Foundation C.I.C.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
from synapse.rest.client import groups, room
|
||||
|
||||
from tests import unittest
|
||||
from tests.unittest import override_config
|
||||
|
||||
|
||||
class GroupsTestCase(unittest.HomeserverTestCase):
|
||||
user_id = "@alice:test"
|
||||
room_creator_user_id = "@bob:test"
|
||||
|
||||
servlets = [room.register_servlets, groups.register_servlets]
|
||||
|
||||
@override_config({"enable_group_creation": True})
|
||||
def test_rooms_limited_by_visibility(self):
|
||||
group_id = "+spqr:test"
|
||||
|
||||
# Alice creates a group
|
||||
channel = self.make_request("POST", "/create_group", {"localpart": "spqr"})
|
||||
self.assertEquals(channel.code, 200, msg=channel.text_body)
|
||||
self.assertEquals(channel.json_body, {"group_id": group_id})
|
||||
|
||||
# Bob creates a private room
|
||||
room_id = self.helper.create_room_as(self.room_creator_user_id, is_public=False)
|
||||
self.helper.auth_user_id = self.room_creator_user_id
|
||||
self.helper.send_state(
|
||||
room_id, "m.room.name", {"name": "bob's secret room"}, tok=None
|
||||
)
|
||||
self.helper.auth_user_id = self.user_id
|
||||
|
||||
# Alice adds the room to her group.
|
||||
channel = self.make_request(
|
||||
"PUT", f"/groups/{group_id}/admin/rooms/{room_id}", {}
|
||||
)
|
||||
self.assertEquals(channel.code, 200, msg=channel.text_body)
|
||||
self.assertEquals(channel.json_body, {})
|
||||
|
||||
# Alice now tries to retrieve the room list of the space.
|
||||
channel = self.make_request("GET", f"/groups/{group_id}/rooms")
|
||||
self.assertEquals(channel.code, 200, msg=channel.text_body)
|
||||
self.assertEquals(
|
||||
channel.json_body, {"chunk": [], "total_room_count_estimate": 0}
|
||||
)
|
|
@ -29,7 +29,7 @@ from synapse.api.constants import EventContentFields, EventTypes, Membership
|
|||
from synapse.api.errors import HttpResponseException
|
||||
from synapse.handlers.pagination import PurgeStatus
|
||||
from synapse.rest import admin
|
||||
from synapse.rest.client import account, directory, login, profile, room
|
||||
from synapse.rest.client import account, directory, login, profile, room, sync
|
||||
from synapse.types import JsonDict, RoomAlias, UserID, create_requester
|
||||
from synapse.util.stringutils import random_string
|
||||
|
||||
|
@ -381,6 +381,8 @@ class RoomPermissionsTestCase(RoomBase):
|
|||
class RoomsMemberListTestCase(RoomBase):
|
||||
"""Tests /rooms/$room_id/members/list REST events."""
|
||||
|
||||
servlets = RoomBase.servlets + [sync.register_servlets]
|
||||
|
||||
user_id = "@sid1:red"
|
||||
|
||||
def test_get_member_list(self):
|
||||
|
@ -397,6 +399,86 @@ class RoomsMemberListTestCase(RoomBase):
|
|||
channel = self.make_request("GET", "/rooms/%s/members" % room_id)
|
||||
self.assertEquals(403, channel.code, msg=channel.result["body"])
|
||||
|
||||
def test_get_member_list_no_permission_with_at_token(self):
|
||||
"""
|
||||
Tests that a stranger to the room cannot get the member list
|
||||
(in the case that they use an at token).
|
||||
"""
|
||||
room_id = self.helper.create_room_as("@someone.else:red")
|
||||
|
||||
# first sync to get an at token
|
||||
channel = self.make_request("GET", "/sync")
|
||||
self.assertEquals(200, channel.code)
|
||||
sync_token = channel.json_body["next_batch"]
|
||||
|
||||
# check that permission is denied for @sid1:red to get the
|
||||
# memberships of @someone.else:red's room.
|
||||
channel = self.make_request(
|
||||
"GET",
|
||||
f"/rooms/{room_id}/members?at={sync_token}",
|
||||
)
|
||||
self.assertEquals(403, channel.code, msg=channel.result["body"])
|
||||
|
||||
def test_get_member_list_no_permission_former_member(self):
|
||||
"""
|
||||
Tests that a former member of the room can not get the member list.
|
||||
"""
|
||||
# create a room, invite the user and the user joins
|
||||
room_id = self.helper.create_room_as("@alice:red")
|
||||
self.helper.invite(room_id, "@alice:red", self.user_id)
|
||||
self.helper.join(room_id, self.user_id)
|
||||
|
||||
# check that the user can see the member list to start with
|
||||
channel = self.make_request("GET", "/rooms/%s/members" % room_id)
|
||||
self.assertEquals(200, channel.code, msg=channel.result["body"])
|
||||
|
||||
# ban the user
|
||||
self.helper.change_membership(room_id, "@alice:red", self.user_id, "ban")
|
||||
|
||||
# check the user can no longer see the member list
|
||||
channel = self.make_request("GET", "/rooms/%s/members" % room_id)
|
||||
self.assertEquals(403, channel.code, msg=channel.result["body"])
|
||||
|
||||
def test_get_member_list_no_permission_former_member_with_at_token(self):
|
||||
"""
|
||||
Tests that a former member of the room can not get the member list
|
||||
(in the case that they use an at token).
|
||||
"""
|
||||
# create a room, invite the user and the user joins
|
||||
room_id = self.helper.create_room_as("@alice:red")
|
||||
self.helper.invite(room_id, "@alice:red", self.user_id)
|
||||
self.helper.join(room_id, self.user_id)
|
||||
|
||||
# sync to get an at token
|
||||
channel = self.make_request("GET", "/sync")
|
||||
self.assertEquals(200, channel.code)
|
||||
sync_token = channel.json_body["next_batch"]
|
||||
|
||||
# check that the user can see the member list to start with
|
||||
channel = self.make_request(
|
||||
"GET", "/rooms/%s/members?at=%s" % (room_id, sync_token)
|
||||
)
|
||||
self.assertEquals(200, channel.code, msg=channel.result["body"])
|
||||
|
||||
# ban the user (Note: the user is actually allowed to see this event and
|
||||
# state so that they know they're banned!)
|
||||
self.helper.change_membership(room_id, "@alice:red", self.user_id, "ban")
|
||||
|
||||
# invite a third user and let them join
|
||||
self.helper.invite(room_id, "@alice:red", "@bob:red")
|
||||
self.helper.join(room_id, "@bob:red")
|
||||
|
||||
# now, with the original user, sync again to get a new at token
|
||||
channel = self.make_request("GET", "/sync")
|
||||
self.assertEquals(200, channel.code)
|
||||
sync_token = channel.json_body["next_batch"]
|
||||
|
||||
# check the user can no longer see the updated member list
|
||||
channel = self.make_request(
|
||||
"GET", "/rooms/%s/members?at=%s" % (room_id, sync_token)
|
||||
)
|
||||
self.assertEquals(403, channel.code, msg=channel.result["body"])
|
||||
|
||||
def test_get_member_list_mixed_memberships(self):
|
||||
room_creator = "@some_other_guy:red"
|
||||
room_id = self.helper.create_room_as(room_creator)
|
||||
|
|
Loading…
Reference in a new issue