Check *all* auth events for room id and rejection (#11009)

This fixes a bug where we would accept an event whose `auth_events` include rejected events, if the rejected event was shadowed by another `auth_event` with same `(type, state_key)`. The approach is to pass a list of auth events into `check_auth_rules_for_event` instead of a dict, which of course means updating the call sites. This is an extension of #10956.
2025-05-09 16:24:56 -04:00 · 2021-10-18 19:28:30 +02:00 · 2021-10-18 19:28:30 +02:00 · a5d2ea3d08
commit a5d2ea3d08
parent 73743b8ad1
8 changed files with 122 additions and 85 deletions
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@ -1167,13 +1167,11 @@ class FederationHandler:
                logger.info("Failed to find auth event %r", e_id)

        for e in itertools.chain(auth_events, state, [event]):
-            auth_for_e = {
-                (event_map[e_id].type, event_map[e_id].state_key): event_map[e_id]
-                for e_id in e.auth_event_ids()
-                if e_id in event_map
-            }
+            auth_for_e = [
+                event_map[e_id] for e_id in e.auth_event_ids() if e_id in event_map
+            ]
            if create_event:
-                auth_for_e[(EventTypes.Create, "")] = create_event
+                auth_for_e.append(create_event)

            try:
                validate_event_for_room_version(room_version, e)