Matrix-Mirrors/anonymousland-synapse
1
0
Fork 0
mirror of https://git.anonymousland.org/anonymousland/synapse.git synced 2025-08-07 11:12:15 -04:00
Code Issues Projects Releases Packages Wiki Activity

Only assert valid next_link params when provided (#8417)

Browse source 
Broken in https://github.com/matrix-org/synapse/pull/8275 and has yet to be put in a release. Fixes https://github.com/matrix-org/synapse/issues/8418.

`next_link` is an optional parameter. However, we were checking whether the `next_link` param was valid, even if it wasn't provided. In that case, `next_link` was `None`, which would clearly not be a valid URL.

This would prevent password reset and other operations if `next_link` was not provided, and the `next_link_domain_whitelist` config option was set.
This commit is contained in:
Andrew Morgan 2020-09-29 12:36:44 +01:00 committed by GitHub
parent 866c84da8d
commit 1c6b8752b8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

15
synapse/rest/client/v2_alpha/account.py
View file

@ -103,8 +103,9 @@ class EmailPasswordRequestTokenRestServlet(RestServlet):
Codes.THREEPID_DENIED,
)
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
if next_link:
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
# The email will be sent to the stored address.
# This avoids a potential account hijack by requesting a password reset to
@ -379,8 +380,9 @@ class EmailThreepidRequestTokenRestServlet(RestServlet):
Codes.THREEPID_DENIED,
)
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
if next_link:
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
existing_user_id = await self.store.get_user_id_by_threepid("email", email)
@ -453,8 +455,9 @@ class MsisdnThreepidRequestTokenRestServlet(RestServlet):
Codes.THREEPID_DENIED,
)
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
if next_link:
# Raise if the provided next_link value isn't valid
assert_valid_next_link(self.hs, next_link)
existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)