mirror of
https://git.anonymousland.org/anonymousland/synapse-product.git
synced 2024-12-11 18:24:20 -05:00
Remove : from allowed client_secret chars (#8101)
Closes: https://github.com/matrix-org/synapse/issues/6766 Equivalent Sydent PR: https://github.com/matrix-org/sydent/pull/309 I believe it's now time to remove the extra allowed `:` from `client_secret` parameters.
This commit is contained in:
parent
408aef8276
commit
5cf7c12995
14
CHANGES.md
14
CHANGES.md
@ -1,3 +1,17 @@
|
||||
For the next release
|
||||
====================
|
||||
|
||||
Removal warning
|
||||
---------------
|
||||
|
||||
Some older clients used a
|
||||
[disallowed character](https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-register-email-requesttoken)
|
||||
(`:`) in the `client_secret` parameter of various endpoints. The incorrect
|
||||
behaviour was allowed for backwards compatibility, but is now being removed
|
||||
from Synapse as most users have updated their client. Further context can be
|
||||
found at [\#6766](https://github.com/matrix-org/synapse/issues/6766).
|
||||
|
||||
|
||||
Synapse 1.19.0 (2020-08-17)
|
||||
===========================
|
||||
|
||||
|
1
changelog.d/8101.bugfix
Normal file
1
changelog.d/8101.bugfix
Normal file
@ -0,0 +1 @@
|
||||
Synapse now correctly enforces the valid characters in the `client_secret` parameter used in various endpoints.
|
@ -24,9 +24,7 @@ from synapse.api.errors import Codes, SynapseError
|
||||
_string_with_symbols = string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
|
||||
|
||||
# https://matrix.org/docs/spec/client_server/r0.6.0#post-matrix-client-r0-register-email-requesttoken
|
||||
# Note: The : character is allowed here for older clients, but will be removed in a
|
||||
# future release. Context: https://github.com/matrix-org/synapse/issues/6766
|
||||
client_secret_regex = re.compile(r"^[0-9a-zA-Z\.\=\_\-\:]+$")
|
||||
client_secret_regex = re.compile(r"^[0-9a-zA-Z\.\=\_\-]+$")
|
||||
|
||||
# random_string and random_string_with_symbols are used for a range of things,
|
||||
# some cryptographically important, some less so. We use SystemRandom to make sure
|
||||
|
@ -28,9 +28,6 @@ class StringUtilsTestCase(unittest.TestCase):
|
||||
"_--something==_",
|
||||
"...--==-18913",
|
||||
"8Dj2odd-e9asd.cd==_--ddas-secret-",
|
||||
# We temporarily allow : characters: https://github.com/matrix-org/synapse/issues/6766
|
||||
# To be removed in a future release
|
||||
"SECRET:1234567890",
|
||||
]
|
||||
|
||||
bad = [
|
||||
|
Loading…
Reference in New Issue
Block a user