Require body for read receipts with user-agent exceptions (#11157)

Co-authored-by: reivilibre <olivier@librepush.net>
2025-05-08 04:34:58 -04:00 · 2021-11-09 02:26:07 -08:00 · 2021-11-09 02:26:07 -08:00 · 820337e6a4
commit 820337e6a4
parent 84f235aea4
3 changed files with 40 additions and 3 deletions
--- a/synapse/rest/client/receipts.py
+++ b/synapse/rest/client/receipts.py
@ -13,10 +13,12 @@
 # limitations under the License.

 import logging
+import re
 from typing import TYPE_CHECKING, Tuple

 from synapse.api.constants import ReadReceiptEventFields
 from synapse.api.errors import Codes, SynapseError
+from synapse.http import get_request_user_agent
 from synapse.http.server import HttpServer
 from synapse.http.servlet import RestServlet, parse_json_object_from_request
 from synapse.http.site import SynapseRequest
@ -24,6 +26,8 @@ from synapse.types import JsonDict

 from ._base import client_patterns

+pattern = re.compile(r"(?:Element|SchildiChat)/1\.[012]\.")
+
 if TYPE_CHECKING:
    from synapse.server import HomeServer

@ -52,7 +56,13 @@ class ReceiptRestServlet(RestServlet):
        if receipt_type != "m.read":
            raise SynapseError(400, "Receipt type must be 'm.read'")

-        body = parse_json_object_from_request(request, allow_empty_body=True)
+        # Do not allow older SchildiChat and Element Android clients (prior to Element/1.[012].x) to send an empty body.
+        user_agent = get_request_user_agent(request)
+        allow_empty_body = False
+        if "Android" in user_agent:
+            if pattern.match(user_agent) or "Riot" in user_agent:
+                allow_empty_body = True
+        body = parse_json_object_from_request(request, allow_empty_body)
        hidden = body.get(ReadReceiptEventFields.MSC2285_HIDDEN, False)

        if not isinstance(hidden, bool):