This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Disable GET /_matrix/client/r0/register/available if registration is disabled #6066

Closed
anoadragon453 opened this issue Sep 19, 2019 · 1 comment

@anoadragon453
Member

Otherwise we're leaking server usernames when we don't need to be.

@anoadragon453
Member Author

This is fixed by #6082

richvdh pushed a commit that referenced this issue Sep 23, 2019
Fixes #6066

This register endpoint should be disabled if registration is disabled, otherwise we're giving anyone the ability to check if a username exists on a server when we don't need to be.

Error code is 403 (Forbidden) as that's the same returned by /register when registration is disabled.
@richvdh richvdh closed this as completed Sep 23, 2019
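
The gating described in the commit message above, as an added Python model (not Synapse's code and not part of the original thread) that checks whether the endpoint's responses distinguish a registered username from an unregistered one. The function names, the `gate_on_registration` switch, the sample usernames, the error strings and the `M_FORBIDDEN` body for the 403 are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed sample data: usernames registered on a hypothetical homeserver.
REGISTERED = {"alice", "bob"}


def register_available(username, enable_registration, gate_on_registration=True):
    """Model of GET /_matrix/client/r0/register/available?username=...

    Returns (http_status, json_body).
    gate_on_registration=False models the behaviour reported in the issue;
    gate_on_registration=True models the behaviour after the fix.
    """
    if gate_on_registration and not enable_registration:
        # Same status /register returns when registration is disabled.
        # The body is an assumption; the page only states the 403.
        return HTTPStatus.FORBIDDEN, {
            "errcode": "M_FORBIDDEN",
            "error": "Registration has been disabled",
        }
    if username in REGISTERED:
        return HTTPStatus.BAD_REQUEST, {
            "errcode": "M_USER_IN_USE",
            "error": "User ID already taken.",
        }
    return HTTPStatus.OK, {"available": True}


def leaks_usernames(enable_registration, gate_on_registration):
    """True if the response for a registered name differs from an unregistered one."""
    taken = register_available("alice", enable_registration, gate_on_registration)
    free = register_available("no-such-user", enable_registration, gate_on_registration)
    return taken != free


if __name__ == "__main__":
    # Registration disabled, endpoint not gated: existence is observable.
    print("before fix leaks:", leaks_usernames(False, gate_on_registration=False))
    # Registration disabled, endpoint gated: both lookups get the same 403.
    print("after fix leaks: ", leaks_usernames(False, gate_on_registration=True))
```

With registration enabled the two responses still differ, which is inherent to offering registration; the fix only removes the disclosure on servers that have no reason to answer the query.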