From 61fb2127295d6af587c4835591285d3cfbcffc20 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Wed, 10 May 2023 14:23:16 -0400
Subject: [PATCH 1/5] Do not error if sending an invalid membership event.

---
 synapse/event_auth.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index 25898b95a570..cbb458609f47 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -1054,9 +1054,14 @@ def _verify_third_party_invite(
     """
     if "third_party_invite" not in event.content:
         return False
-    if "signed" not in event.content["third_party_invite"]:
+    third_party_invite = event.content["third_party_invite"]
+    if not isinstance(third_party_invite, collections.abc.Mapping):
+        return False
+    if "signed" not in third_party_invite:
+        return False
+    signed = third_party_invite["signed"]
+    if not isinstance(signed, collections.abc.Mapping):
         return False
-    signed = event.content["third_party_invite"]["signed"]
     for key in {"mxid", "token"}:
         if key not in signed:
             return False

From 3c9ec0b25255d92ad6eb5ceeb43707f5d2aa23af Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Wed, 10 May 2023 14:23:32 -0400
Subject: [PATCH 2/5] Remove identity check.

---
 synapse/event_auth.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index cbb458609f47..9dc80f40f128 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -1080,8 +1080,6 @@ def _verify_third_party_invite(
 
     if signed["mxid"] != event.state_key:
         return False
-    if signed["token"] != token:
-        return False
 
     for public_key_object in get_public_keys(invite_event):
         public_key = public_key_object["public_key"]

From 748e9b60e2091aeb587b34be2cd16e6c4ce7d269 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Wed, 10 May 2023 14:25:28 -0400
Subject: [PATCH 3/5] Newsfragment

---
 changelog.d/15564.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/15564.bugfix

diff --git a/changelog.d/15564.bugfix b/changelog.d/15564.bugfix
new file mode 100644
index 000000000000..667114ba421f
--- /dev/null
+++ b/changelog.d/15564.bugfix
@@ -0,0 +1 @@
+Fix a long-standing bug where an invalid membership event could cause an internal server error.

From c07565734609698386a1493dd459582d32e495df Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Fri, 12 May 2023 09:53:19 -0400
Subject: [PATCH 4/5] Fix type hint.

---
 synapse/event_auth.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index 9dc80f40f128..a25e94254284 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -1091,7 +1091,9 @@ def _verify_third_party_invite(
                     verify_key = decode_verify_key_bytes(
                         key_name, decode_base64(public_key)
                     )
-                    verify_signed_json(signed, server, verify_key)
+                    # verify_signed_json incorrectly states it wants a dict, it
+                    # just needs a mapping.
+                    verify_signed_json(signed, server, verify_key)  # type: ignore[arg-type]
 
                     # We got the public key from the invite, so we know that the
                     # correct server signed the signed bundle.

From 45b0bbf89d8722ced60127809e24c70ef6309fa1 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Mon, 15 May 2023 11:05:26 -0400
Subject: [PATCH 5/5] Also check for signatures.

---
 synapse/event_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index a25e94254284..b4b43ec4d720 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -1062,7 +1062,7 @@ def _verify_third_party_invite(
     signed = third_party_invite["signed"]
     if not isinstance(signed, collections.abc.Mapping):
         return False
-    for key in {"mxid", "token"}:
+    for key in {"mxid", "token", "signatures"}:
         if key not in signed:
             return False