Validate client_secret parameter (#6767)

2025-05-03 04:04:54 -04:00 · 2020-01-24 14:28:40 +00:00 · 2020-01-24 14:28:40 +00:00 · 9f7aaf90b5
commit 9f7aaf90b5
parent fa4d609e20
6 changed files with 93 additions and 6 deletions
--- a/synapse/handlers/identity.py
+++ b/synapse/handlers/identity.py
@ -38,7 +38,7 @@ from synapse.api.errors import (
 from synapse.config.emailconfig import ThreepidBehaviour
 from synapse.http.client import SimpleHttpClient
 from synapse.util.hash import sha256_and_url_safe_base64
-from synapse.util.stringutils import random_string
+from synapse.util.stringutils import assert_valid_client_secret, random_string

 from ._base import BaseHandler

@ -84,6 +84,8 @@ class IdentityHandler(BaseHandler):
            raise SynapseError(
                400, "Missing param client_secret in creds", errcode=Codes.MISSING_PARAM
            )
+        assert_valid_client_secret(client_secret)
+
        session_id = creds.get("sid")
        if not session_id:
            raise SynapseError(