From c3ccad7785cd71372673136f329d5fa098ab9f04 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Tue, 28 Sep 2021 08:44:19 -0400
Subject: [PATCH] Only do restricted join rules signature checks for room versions 8/9. (#10927)

Otherwise the presence of a (bogus, unused) field could cause auth checks to fail.
---
 changelog.d/10927.bugfix | 1 +
 synapse/event_auth.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/10927.bugfix

diff --git a/changelog.d/10927.bugfix b/changelog.d/10927.bugfix
new file mode 100644
index 000000000..fd24288c5
--- /dev/null
+++ b/changelog.d/10927.bugfix
@@ -0,0 +1 @@
+Fix a bug introduced in Synapse v1.40.0 where the signature checks for room version 8/9 could be applied to earlier room versions in some situations.
diff --git a/synapse/event_auth.py b/synapse/event_auth.py
index fc50a0e71..5d7c6fa85 100644
--- a/synapse/event_auth.py
+++ b/synapse/event_auth.py
@@ -113,7 +113,8 @@ def check(
 raise AuthError(403, "Event not signed by sending server")
 is_invite_via_allow_rule = (
- event.type == EventTypes.Member
+ room_version_obj.msc3083_join_rules
+ and event.type == EventTypes.Member
 and event.membership == Membership.JOIN
 and "join_authorised_via_users_server" in event.content
 )
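Review bot: The new `room_version_obj.msc3083_join_rules` guard in `is_invite_via_allow_rule` lands without a regression test; the diffstat lists only the changelog entry and `synapse/event_auth.py`. Because this expression decides whether an auth-relevant signature check applies, a test should pin both sides: a join carrying `join_authorised_via_users_server` in a room version without restricted join rules is not failed by the field, and the same event in a version that has them is still subject to the check (presumably rejected when the authorising server's signature is absent). A one-line comment above the expression would also keep the gate from being dropped later, e.g. `# The field only has meaning in room versions with restricted joins; ignore it elsewhere.` The rest of `check()` lies outside the hunk, so how the flag is consumed is not visible here.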