mirror of
https://mau.dev/maunium/synapse.git
synced 2024-10-01 01:36:05 -04:00
Merge branch 'master' of github.com:matrix-org/synapse into develop
This commit is contained in:
commit
58930da52b
@ -1,3 +1,11 @@
|
|||||||
|
Changes in synapse v0.16.1-r1 (2016-07-08)
|
||||||
|
==========================================
|
||||||
|
|
||||||
|
THIS IS A CRITICAL SECURITY UPDATE.
|
||||||
|
|
||||||
|
This fixes a bug which allowed users' accounts to be accessed by unauthorised
|
||||||
|
users.
|
||||||
|
|
||||||
Changes in synapse v0.16.1 (2016-06-20)
|
Changes in synapse v0.16.1 (2016-06-20)
|
||||||
=======================================
|
=======================================
|
||||||
|
|
||||||
|
@ -16,4 +16,4 @@
|
|||||||
""" This is a reference implementation of a Matrix home server.
|
""" This is a reference implementation of a Matrix home server.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
__version__ = "0.16.1"
|
__version__ = "0.16.1-r1"
|
||||||
|
@ -637,17 +637,22 @@ class Auth(object):
|
|||||||
try:
|
try:
|
||||||
macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
|
macaroon = pymacaroons.Macaroon.deserialize(macaroon_str)
|
||||||
|
|
||||||
self.validate_macaroon(macaroon, rights, self.hs.config.expire_access_token)
|
|
||||||
|
|
||||||
user_prefix = "user_id = "
|
user_prefix = "user_id = "
|
||||||
user = None
|
user = None
|
||||||
|
user_id = None
|
||||||
guest = False
|
guest = False
|
||||||
for caveat in macaroon.caveats:
|
for caveat in macaroon.caveats:
|
||||||
if caveat.caveat_id.startswith(user_prefix):
|
if caveat.caveat_id.startswith(user_prefix):
|
||||||
user = UserID.from_string(caveat.caveat_id[len(user_prefix):])
|
user_id = caveat.caveat_id[len(user_prefix):]
|
||||||
|
user = UserID.from_string(user_id)
|
||||||
elif caveat.caveat_id == "guest = true":
|
elif caveat.caveat_id == "guest = true":
|
||||||
guest = True
|
guest = True
|
||||||
|
|
||||||
|
self.validate_macaroon(
|
||||||
|
macaroon, rights, self.hs.config.expire_access_token,
|
||||||
|
user_id=user_id,
|
||||||
|
)
|
||||||
|
|
||||||
if user is None:
|
if user is None:
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
self.TOKEN_NOT_FOUND_HTTP_STATUS, "No user caveat in macaroon",
|
self.TOKEN_NOT_FOUND_HTTP_STATUS, "No user caveat in macaroon",
|
||||||
@ -692,7 +697,7 @@ class Auth(object):
|
|||||||
errcode=Codes.UNKNOWN_TOKEN
|
errcode=Codes.UNKNOWN_TOKEN
|
||||||
)
|
)
|
||||||
|
|
||||||
def validate_macaroon(self, macaroon, type_string, verify_expiry):
|
def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id):
|
||||||
"""
|
"""
|
||||||
validate that a Macaroon is understood by and was signed by this server.
|
validate that a Macaroon is understood by and was signed by this server.
|
||||||
|
|
||||||
@ -707,7 +712,7 @@ class Auth(object):
|
|||||||
v = pymacaroons.Verifier()
|
v = pymacaroons.Verifier()
|
||||||
v.satisfy_exact("gen = 1")
|
v.satisfy_exact("gen = 1")
|
||||||
v.satisfy_exact("type = " + type_string)
|
v.satisfy_exact("type = " + type_string)
|
||||||
v.satisfy_general(lambda c: c.startswith("user_id = "))
|
v.satisfy_exact("user_id = %s" % user_id)
|
||||||
v.satisfy_exact("guest = true")
|
v.satisfy_exact("guest = true")
|
||||||
if verify_expiry:
|
if verify_expiry:
|
||||||
v.satisfy_general(self._verify_expiry)
|
v.satisfy_general(self._verify_expiry)
|
||||||
|
@ -32,7 +32,7 @@ def create_engine(database_config):
|
|||||||
|
|
||||||
if engine_class:
|
if engine_class:
|
||||||
module = importlib.import_module(name)
|
module = importlib.import_module(name)
|
||||||
return engine_class(module)
|
return engine_class(module, database_config)
|
||||||
|
|
||||||
raise RuntimeError(
|
raise RuntimeError(
|
||||||
"Unsupported database engine '%s'" % (name,)
|
"Unsupported database engine '%s'" % (name,)
|
||||||
|
@ -19,9 +19,10 @@ from ._base import IncorrectDatabaseSetup
|
|||||||
class PostgresEngine(object):
|
class PostgresEngine(object):
|
||||||
single_threaded = False
|
single_threaded = False
|
||||||
|
|
||||||
def __init__(self, database_module):
|
def __init__(self, database_module, database_config):
|
||||||
self.module = database_module
|
self.module = database_module
|
||||||
self.module.extensions.register_type(self.module.extensions.UNICODE)
|
self.module.extensions.register_type(self.module.extensions.UNICODE)
|
||||||
|
self.synchronous_commit = database_config.get("synchronous_commit", True)
|
||||||
|
|
||||||
def check_database(self, txn):
|
def check_database(self, txn):
|
||||||
txn.execute("SHOW SERVER_ENCODING")
|
txn.execute("SHOW SERVER_ENCODING")
|
||||||
@ -40,9 +41,19 @@ class PostgresEngine(object):
|
|||||||
db_conn.set_isolation_level(
|
db_conn.set_isolation_level(
|
||||||
self.module.extensions.ISOLATION_LEVEL_REPEATABLE_READ
|
self.module.extensions.ISOLATION_LEVEL_REPEATABLE_READ
|
||||||
)
|
)
|
||||||
|
# Asynchronous commit, don't wait for the server to call fsync before
|
||||||
|
# ending the transaction.
|
||||||
|
# https://www.postgresql.org/docs/current/static/wal-async-commit.html
|
||||||
|
if not self.synchronous_commit:
|
||||||
|
cursor = db_conn.cursor()
|
||||||
|
cursor.execute("SET synchronous_commit TO OFF")
|
||||||
|
cursor.close()
|
||||||
|
|
||||||
def is_deadlock(self, error):
|
def is_deadlock(self, error):
|
||||||
if isinstance(error, self.module.DatabaseError):
|
if isinstance(error, self.module.DatabaseError):
|
||||||
|
# https://www.postgresql.org/docs/current/static/errcodes-appendix.html
|
||||||
|
# "40001" serialization_failure
|
||||||
|
# "40P01" deadlock_detected
|
||||||
return error.pgcode in ["40001", "40P01"]
|
return error.pgcode in ["40001", "40P01"]
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@ import struct
|
|||||||
class Sqlite3Engine(object):
|
class Sqlite3Engine(object):
|
||||||
single_threaded = True
|
single_threaded = True
|
||||||
|
|
||||||
def __init__(self, database_module):
|
def __init__(self, database_module, database_config):
|
||||||
self.module = database_module
|
self.module = database_module
|
||||||
|
|
||||||
def check_database(self, txn):
|
def check_database(self, txn):
|
||||||
|
Loading…
Reference in New Issue
Block a user