This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Event auth rules are not correctly followed #6643

Closed
richvdh opened this issue Jan 6, 2020 · 0 comments · Fixed by #11001
Labels
A-Spec-Compliance places where synapse does not conform to the spec T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. z-bug (Deprecated Label)


richvdh commented Jan 6, 2020

As per #6605 (comment):

Different code paths use different values of auth_events when performing event auth: some use a locally-calculated set of events, whereas others use the auth events provided by the event itself.

The spec says:

The receiving server must ensure that the event:
...

  • Passes authorization rules based on the event's auth events, otherwise it is rejected.
  • Passes authorization rules based on the state at the event, otherwise it is rejected.

This is not happening correctly, which allows malformed events into the state of the room.

@richvdh richvdh added the z-bug (Deprecated Label) label Jan 20, 2020
@MadLittleMods MadLittleMods added A-Spec-Compliance places where synapse does not conform to the spec T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. labels Jul 8, 2021
richvdh added a commit that referenced this issue Oct 18, 2021
Currently, when we receive an event whose auth_events differ from those we expect, we state-resolve between the two state sets, and check that the event passes auth based on the resolved state.

This means that it's possible for us to accept events which don't pass auth at their declared auth_events (or where the auth events themselves were rejected), leading to problems down the line like #10083.

This change means we will:

 * ignore any events where we cannot find the auth events
 * reject any events whose auth events were rejected
 * reject any events which do not pass auth at their declared auth_events.

Together with a whole raft of previous work, this is a partial fix to #9595.

Fixes #6643.

Based on #11009.
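
The three outcomes listed in the commit message, together with the spec's second check against the state at the event, can be sketched as follows. This is an added example, not part of the issue and not Synapse's code: the `Event` model, `check_incoming`, the toy rule `sender_is_joined` and all sample events are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Event:  # simplified model, not Synapse's event class
    event_id: str
    type: str
    sender: str
    auth_events: List[str] = field(default_factory=list)
    membership: Optional[str] = None
    rejected: bool = False  # True if we rejected this event when it arrived

AuthRule = Callable[[Event, List[Event]], bool]

def sender_is_joined(event: Event, against: List[Event]) -> bool:
    # Toy stand-in for the real authorization rules (assumption):
    # the sender needs a "join" membership event in the supplied set.
    return any(e.type == "m.room.member" and e.sender == event.sender
               and e.membership == "join" for e in against)

def check_incoming(event: Event, store: Dict[str, Event],
                   state_at_event: List[Event], passes_auth: AuthRule) -> str:
    # Cannot find one of the declared auth events: ignore the event.
    if any(a not in store for a in event.auth_events):
        return "ignored"
    declared = [store[a] for a in event.auth_events]
    # One of the declared auth events was itself rejected: reject.
    if any(a.rejected for a in declared):
        return "rejected"
    # Must pass auth against the auth events the event declares...
    if not passes_auth(event, declared):
        return "rejected"
    # ...and, separately, against the state at the event.
    if not passes_auth(event, state_at_event):
        return "rejected"
    return "accepted"

# Constructed sample room: @a:x joined normally, @b:y's join was rejected.
create = Event("$create", "m.room.create", "@a:x")
join_a = Event("$join_a", "m.room.member", "@a:x", ["$create"], "join")
join_b = Event("$join_b", "m.room.member", "@b:y", ["$create"], "join", rejected=True)
STORE = {e.event_id: e for e in (create, join_a, join_b)}
STATE = [create, join_a]  # locally calculated state at the event

def msg(event_id: str, sender: str, auth: List[str]) -> Event:
    return Event(event_id, "m.room.message", sender, auth)

if __name__ == "__main__":
    for ev in (msg("$ok", "@a:x", ["$create", "$join_a"]),
               msg("$thin", "@a:x", ["$create"])):
        print(ev.event_id, check_incoming(ev, STORE, STATE, sender_is_joined))
```

The `$thin` message is the case the issue is about: the local state would authorize it, but its own declared auth events do not, so it is rejected.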