e2e upload API allows you to POST keys claiming to belong to other user's UIDs (SYN-496) #1396
Comments
Jira watchers: @leonerd
@richvdh - is this still a prob?
Yeah; it's not actually POSTing keys for a different user_id - it is allowing you to quote a different user_id in the key body, which doesn't do you a lot of good, since clients should reject it. OTOH, it would be helpful if synapse did actually reject such malformed key uploads, both to help with development, and as an additional security check.
Is this a problem? Now that sending key IDs has been deprecated and the endpoint just returns all known keys anyways? https://matrix.org/docs/spec/server_server/unstable#get-matrix-key-v2-server-keyid
@anoadragon453 I think you're confusing e2e keys and server keys
I believe you're correct.
Still an issue, at least for the
An accidental bug in sytest:
https://github.com/matrix-org/sytest/blob/b5c03fb7764d5d64a4272d5af88bcc46fac90ecd/tests/41end-to-end-keys/01-upload-key.pl#L21
creates a user whose name is `_ANON_-6:localhost` but then manages to POST a key for a different `user_id`. I expect this ought to have failed with 403 instead.

(Imported from https://matrix.org/jira/browse/SYN-496)
(Reported by @leonerd)
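
A server-side check of the kind this issue asks for, as an added example that is not part of the original report and is not Synapse's code: it compares the `user_id` and `device_id` quoted in an uploaded `device_keys` object, and the device part of each key ID, against the identity tied to the access token. The function names, the `M_FORBIDDEN`/`M_BAD_JSON` error codes chosen, and the sample body are assumptions; the 403 status is the one the report expects.

```python
class UploadRejected(Exception):
    """Carries the HTTP status and Matrix errcode to send back."""

    def __init__(self, status, errcode, msg):
        super().__init__(msg)
        self.status, self.errcode = status, errcode


def check_device_keys(auth_user_id, auth_device_id, body):
    """Reject device_keys that claim an identity other than the token's.

    auth_user_id and auth_device_id must come from the access token,
    never from the request body.
    """
    device_keys = body.get("device_keys")
    if device_keys is None:
        return  # upload without device keys: nothing to cross-check
    if not isinstance(device_keys, dict):
        raise UploadRejected(400, "M_BAD_JSON", "device_keys must be an object")
    claimed = (device_keys.get("user_id"), device_keys.get("device_id"))
    if claimed != (auth_user_id, auth_device_id):
        # The case in the report: logged in as one user, body names another.
        raise UploadRejected(403, "M_FORBIDDEN", "identity in device_keys does not match token")
    keys = device_keys.get("keys")
    if not isinstance(keys, dict) or not keys:
        raise UploadRejected(400, "M_BAD_JSON", "device_keys.keys must be a non-empty object")
    for key_id in keys:
        # Key IDs have the form "<algorithm>:<device_id>".
        algorithm, sep, key_device = key_id.partition(":")
        if not (algorithm and sep) or key_device != auth_device_id:
            raise UploadRejected(403, "M_FORBIDDEN", f"key id {key_id!r} is not for this device")


def upload_status(auth_user_id, auth_device_id, body):
    """Status a handler would return: 200 if accepted, else the rejection's."""
    try:
        check_device_keys(auth_user_id, auth_device_id, body)
    except UploadRejected as exc:
        return exc.status
    return 200


# Constructed sample body: the caller is @alice:localhost but names @bob:localhost.
SAMPLE_BODY = {"device_keys": {
    "user_id": "@bob:localhost", "device_id": "DEVICE1",
    "algorithms": ["m.olm.v1.curve25519-aes-sha2"],
    "keys": {"ed25519:DEVICE1": "constructed-public-key"},
    "signatures": {},
}}

if __name__ == "__main__":
    print(upload_status("@alice:localhost", "DEVICE1", SAMPLE_BODY))  # 403
```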