Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Synapse does not correctly enforce the spec's regex for client_secret #6766

anoadragon453 opened this issue Jan 22, 2020 · 0 comments


Copy link

@anoadragon453 anoadragon453 commented Jan 22, 2020

The spec states that we should enforce a regex on client_secret. Synapse currently does not do this.

As a result of this, FluffyChat has started sending client_secret parameters that do not comply with the spec: Specifically, it sends client_secret values with : in them.

#6767 is written to allow client_secret to take : values, while otherwise respecting the specification. This will allow older versions of FluffyChat to continue working while a fix in put in place and people upgrade.

Eventually we will remove : from the client_secret regex, and will use this as a tracking issue for that.

@anoadragon453 anoadragon453 self-assigned this Jan 22, 2020
@anoadragon453 anoadragon453 added this to Holding Pen in Homeserver Task Board via automation Jan 22, 2020
@anoadragon453 anoadragon453 moved this from Holding Pen to In progress in Homeserver Task Board Jan 22, 2020
@anoadragon453 anoadragon453 moved this from In progress to Review in Homeserver Task Board Jan 22, 2020
@anoadragon453 anoadragon453 changed the title Synapse does not enforce the spec's regex for client_secret Synapse does not correctly enforce the spec's regex for client_secret Jan 23, 2020
@anoadragon453 anoadragon453 moved this from Review to Holding Pen in Homeserver Task Board Jan 27, 2020
@anoadragon453 anoadragon453 moved this from Holding Pen to To Do in Homeserver Task Board Jan 30, 2020
@anoadragon453 anoadragon453 removed this from To Do in Homeserver Task Board Jan 30, 2020
babolivier added a commit that referenced this issue Feb 12, 2020
Synapse 1.10.0 (2020-02-12)

**WARNING to client developers**: As of this release Synapse validates `client_secret` parameters in the Client-Server API as per the spec. See [\#6766](#6766) for details.

Updates to the Docker image

- Update the docker images to Alpine Linux 3.11. ([\#6897](#6897))

Synapse 1.10.0rc5 (2020-02-11)


- Fix the filtering introduced in 1.10.0rc3 to also apply to the state blocks returned by `/sync`. ([\#6884](#6884))

Synapse 1.10.0rc4 (2020-02-11)

This release candidate was built incorrectly and is superceded by 1.10.0rc5.

Synapse 1.10.0rc3 (2020-02-10)


- Filter out `` from the CS API to mitigate abuse while a better solution is specced. ([\#6878](#6878))

Internal Changes

- Fix continuous integration failures with old versions of `pip`, which were introduced by a release of the `zipp` library. ([\#6880](#6880))

Synapse 1.10.0rc2 (2020-02-06)


- Fix an issue with cross-signing where device signatures were not sent to remote servers. ([\#6844](#6844))
- Fix to the unknown remote device detection which was introduced in 1.10.rc1. ([\#6848](#6848))

Internal Changes

- Detect unexpected sender keys on remote encrypted events and resync device lists. ([\#6850](#6850))

Synapse 1.10.0rc1 (2020-01-31)


- Add experimental support for updated authorization rules for aliases events, from [MSC2260](matrix-org/matrix-doc#2260). ([\#6787](#6787), [\#6790](#6790), [\#6794](#6794))


- Warn if postgres database has a non-C locale, as that can cause issues when upgrading locales (e.g. due to upgrading OS). ([\#6734](#6734))
- Minor fixes to `PUT /_synapse/admin/v2/users` admin api. ([\#6761](#6761))
- Validate `client_secret` parameter using the regex provided by the Client-Server API, temporarily allowing `:` characters for older clients. The `:` character will be removed in a future release. ([\#6767](#6767))
- Fix persisting redaction events that have been redacted (or otherwise don't have a redacts key). ([\#6771](#6771))
- Fix outbound federation request metrics. ([\#6795](#6795))
- Fix bug where querying a remote user's device keys that weren't cached resulted in only returning a single device. ([\#6796](#6796))
- Fix race in federation sender worker that delayed sending of device updates. ([\#6799](#6799), [\#6800](#6800))
- Fix bug where Synapse didn't invalidate cache of remote users' devices when Synapse left a room. ([\#6801](#6801))
- Fix waking up other workers when remote server is detected to have come back online. ([\#6811](#6811))

Improved Documentation

- Clarify documentation related to `user_dir` and `federation_reader` workers. ([\#6775](#6775))

Internal Changes

- Record room versions in the `rooms` table. ([\#6729](#6729), [\#6788](#6788), [\#6810](#6810))
- Propagate cache invalidates from workers to other workers. ([\#6748](#6748))
- Remove some unnecessary admin handler abstraction methods. ([\#6751](#6751))
- Add some debugging for media storage providers. ([\#6757](#6757))
- Detect unknown remote devices and mark cache as stale. ([\#6776](#6776), [\#6819](#6819))
- Attempt to resync remote users' devices when detected as stale. ([\#6786](#6786))
- Delete current state from the database when server leaves a room. ([\#6792](#6792))
- When a client asks for a remote user's device keys check if the local cache for that user has been marked as potentially stale. ([\#6797](#6797))
- Add background update to clean out left rooms from current state. ([\#6802](#6802), [\#6816](#6816))
- Refactoring work in preparation for changing the event redaction algorithm. ([\#6803](#6803), [\#6805](#6805), [\#6806](#6806), [\#6807](#6807), [\#6820](#6820))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.