Merge pull request #2662 from matrix-org/rav/fix_mxids_again

Downcase userid on registration
2024-10-01 11:49:51 -04:00 · 2017-11-10 13:57:34 +00:00 · 2017-11-10 13:57:34 +00:00 · 4d0414c714
commit 4d0414c714
parent 1282086f58 e508145c9b
3 changed files with 32 additions and 5 deletions
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -15,7 +15,6 @@

 """Contains functions for registering clients."""
 import logging
-import urllib

 from twisted.internet import defer

@ -23,6 +22,7 @@ from synapse.api.errors import (
    AuthError, Codes, SynapseError, RegistrationError, InvalidCaptchaError
 )
 from synapse.http.client import CaptchaServerHttpClient
+from synapse import types
 from synapse.types import UserID
 from synapse.util.async import run_on_reactor
 from ._base import BaseHandler
@ -47,7 +47,7 @@ class RegistrationHandler(BaseHandler):
    @defer.inlineCallbacks
    def check_username(self, localpart, guest_access_token=None,
                       assigned_user_id=None):
-        if urllib.quote(localpart.encode('utf-8')) != localpart:
+        if types.contains_invalid_mxid_characters(localpart):
            raise SynapseError(
                400,
                "User ID can only contain characters a-z, 0-9, or '=_-./'",
@ -253,7 +253,7 @@ class RegistrationHandler(BaseHandler):
        """
        Registers email_id as SAML2 Based Auth.
        """
-        if urllib.quote(localpart) != localpart:
+        if types.contains_invalid_mxid_characters(localpart):
            raise SynapseError(
                400,
                "User ID can only contain characters a-z, 0-9, or '=_-./'",
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@ -359,7 +359,7 @@ class RegisterRestServlet(ClientV1RestServlet):
        if compare_digest(want_mac, got_mac):
            handler = self.handlers.registration_handler
            user_id, token = yield handler.register(
-                localpart=user,
+                localpart=user.lower(),
                password=password,
                admin=bool(admin),
            )
--- a/synapse/rest/client/v2_alpha/register.py
+++ b/synapse/rest/client/v2_alpha/register.py
@ -224,6 +224,12 @@ class RegisterRestServlet(RestServlet):
            # 'user' key not 'username'). Since this is a new addition, we'll
            # fallback to 'username' if they gave one.
            desired_username = body.get("user", desired_username)
+
+            # XXX we should check that desired_username is valid. Currently
+            # we give appservices carte blanche for any insanity in mxids,
+            # because the IRC bridges rely on being able to register stupid
+            # IDs.
+
            access_token = get_access_token_from_request(request)

            if isinstance(desired_username, basestring):
@ -233,6 +239,15 @@ class RegisterRestServlet(RestServlet):
            defer.returnValue((200, result))  # we throw for non 200 responses
            return

+        # for either shared secret or regular registration, downcase the
+        # provided username before attempting to register it. This should mean
+        # that people who try to register with upper-case in their usernames
+        # don't get a nasty surprise. (Note that we treat username
+        # case-insenstively in login, so they are free to carry on imagining
+        # that their username is CrAzYh4cKeR if that keeps them happy)
+        if desired_username is not None:
+            desired_username = desired_username.lower()
+
        # == Shared Secret Registration == (e.g. create new user scripts)
        if 'mac' in body:
            # FIXME: Should we really be determining if this is shared secret
@ -336,6 +351,9 @@ class RegisterRestServlet(RestServlet):
            new_password = params.get("password", None)
            guest_access_token = params.get("guest_access_token", None)

+            if desired_username is not None:
+                desired_username = desired_username.lower()
+
            (registered_user_id, _) = yield self.registration_handler.register(
                localpart=desired_username,
                password=new_password,
@ -417,13 +435,22 @@ class RegisterRestServlet(RestServlet):
    def _do_shared_secret_registration(self, username, password, body):
        if not self.hs.config.registration_shared_secret:
            raise SynapseError(400, "Shared secret registration is not enabled")
+        if not username:
+            raise SynapseError(
+                400, "username must be specified", errcode=Codes.BAD_JSON,
+            )

-        user = username.encode("utf-8")
+        # use the username from the original request rather than the
+        # downcased one in `username` for the mac calculation
+        user = body["username"].encode("utf-8")

        # str() because otherwise hmac complains that 'unicode' does not
        # have the buffer interface
        got_mac = str(body["mac"])

+        # FIXME this is different to the /v1/register endpoint, which
+        # includes the password and admin flag in the hashed text. Why are
+        # these different?
        want_mac = hmac.new(
            key=self.hs.config.registration_shared_secret,
            msg=user,