Hello community,

here is the log from the commit of package matrix-synapse for openSUSE:Factory 
checked in at 2018-08-10 09:51:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/matrix-synapse (Old)
 and      /work/SRC/openSUSE:Factory/.matrix-synapse.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "matrix-synapse"

Fri Aug 10 09:51:13 2018 rev:14 rq:628347 version:0.33.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/matrix-synapse/matrix-synapse.changes    
2018-07-23 18:00:49.700943948 +0200
+++ /work/SRC/openSUSE:Factory/.matrix-synapse.new/matrix-synapse.changes       
2018-08-10 09:51:17.202415936 +0200
@@ -1,0 +2,10 @@
+Thu Aug  9 07:04:39 UTC 2018 - ok...@suse.com
+
+- Update to 0.33.1
+  * Bug Fixes:
+    * Fix a potential issue where servers could request events for rooms they
+      have not joined
+    * Fix a potential issue where users could see events in private rooms
+      before they joined
+
+-------------------------------------------------------------------
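
Review bot: the new changelog entry files both items under "Bug Fixes", while the upstream CHANGES.rst carried in this same update lists them under "SECURITY FIXES". Label them as security fixes in matrix-synapse.changes so that administrators reading the package changelog can tell this update should be prioritised. The entry also drops the upstream issue references (#3641, #3642), which would help anyone tracing the fix.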

Old:
----
  matrix-synapse-0.33.0.obscpio

New:
----
  matrix-synapse-0.33.1.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ matrix-synapse.spec ++++++
--- /var/tmp/diff_new_pack.Huz1de/_old  2018-08-10 09:51:17.902417066 +0200
+++ /var/tmp/diff_new_pack.Huz1de/_new  2018-08-10 09:51:17.906417073 +0200
@@ -46,7 +46,7 @@
 %define         modname synapse
 %define         short_name matrix-synapse
 Name:           %{short_name}%{?name_ext}
-Version:        0.33.0
+Version:        0.33.1
 Release:        0
 Summary:        Matrix protocol reference homeserver
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.Huz1de/_old  2018-08-10 09:51:17.954417150 +0200
+++ /var/tmp/diff_new_pack.Huz1de/_new  2018-08-10 09:51:17.954417150 +0200
@@ -5,7 +5,7 @@
     <param name="url">git://github.com/matrix-org/synapse.git</param>
     <param name="scm">git</param>
     <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v0.33.0</param>
+    <param name="revision">v0.33.1</param>
     <!-- The git changelog of matrix-org/synapse does not seem to be very 
usable. Use the changelog provided on the github release page -->
     <param name="changesgenerate">disable</param>
     <param name="changesauthor">ok...@suse.com</param>
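
Review bot: the unchanged `url` param above the bumped revision still fetches over `git://github.com/matrix-org/synapse.git`, a transport with no authentication or integrity protection, and the revision is pinned by tag (`v0.33.1`), which upstream can move. For a security release it is worth switching the url to https and checking that the commit recorded in matrix-synapse.obsinfo matches the upstream tag before accepting the request.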

++++++ matrix-synapse-0.33.0.obscpio -> matrix-synapse-0.33.1.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/matrix-synapse-0.33.0/CHANGES.rst 
new/matrix-synapse-0.33.1/CHANGES.rst
--- old/matrix-synapse-0.33.0/CHANGES.rst       2018-07-19 13:12:15.000000000 
+0200
+++ new/matrix-synapse-0.33.1/CHANGES.rst       2018-08-02 16:35:42.000000000 
+0200
@@ -1,29 +1,49 @@
+Synapse 0.33.1 (2018-08-02)
+===========================
+
+SECURITY FIXES
+--------------
+
+- Fix a potential issue where servers could request events for rooms they have 
not joined. (`#3641 <https://github.com/matrix-org/synapse/issues/3641>`_)
+- Fix a potential issue where users could see events in private rooms before 
they joined. (`#3642 <https://github.com/matrix-org/synapse/issues/3642>`_)
+
+
 Synapse 0.33.0 (2018-07-19)
 ===========================
 
+Bugfixes
+--------
+
+- Disable a noisy warning about logcontexts. (`#3561 
<https://github.com/matrix-org/synapse/issues/3561>`_)
+
+
+Synapse 0.33.0rc1 (2018-07-18)
+==============================
+
 Features
 --------
 
-- Enforce the specified API for report_event (`#3316 
<https://github.com/matrix-org/synapse/issues/3316>`_)
+- Enforce the specified API for report_event. (`#3316 
<https://github.com/matrix-org/synapse/issues/3316>`_)
 - Include CPU time from database threads in request/block metrics. (`#3496 
<https://github.com/matrix-org/synapse/issues/3496>`_, `#3501 
<https://github.com/matrix-org/synapse/issues/3501>`_)
-- Add CPU metrics for _fetch_event_list (`#3497 
<https://github.com/matrix-org/synapse/issues/3497>`_)
-- optimisation for /sync (`#3505 
<https://github.com/matrix-org/synapse/issues/3505>`_, `#3521 
<https://github.com/matrix-org/synapse/issues/3521>`_)
+- Add CPU metrics for _fetch_event_list. (`#3497 
<https://github.com/matrix-org/synapse/issues/3497>`_)
 - Optimisation to make handling incoming federation requests more efficient. 
(`#3541 <https://github.com/matrix-org/synapse/issues/3541>`_)
 
 
 Bugfixes
 --------
 
-- Use more portable syntax in our use of the attrs package, widening the 
supported versions (`#3498 
<https://github.com/matrix-org/synapse/issues/3498>`_)
-- Fix queued federation requests being processed in the wrong order (`#3533 
<https://github.com/matrix-org/synapse/issues/3533>`_)
+- Fix a significant performance regression in /sync. (`#3505 
<https://github.com/matrix-org/synapse/issues/3505>`_, `#3521 
<https://github.com/matrix-org/synapse/issues/3521>`_, `#3530 
<https://github.com/matrix-org/synapse/issues/3530>`_, `#3544 
<https://github.com/matrix-org/synapse/issues/3544>`_)
+- Use more portable syntax in our use of the attrs package, widening the 
supported versions. (`#3498 
<https://github.com/matrix-org/synapse/issues/3498>`_)
+- Fix queued federation requests being processed in the wrong order. (`#3533 
<https://github.com/matrix-org/synapse/issues/3533>`_)
 - Ensure that erasure requests are correctly honoured for publicly accessible 
rooms when accessed over federation. (`#3546 
<https://github.com/matrix-org/synapse/issues/3546>`_)
-- Disable a noisy warning about logcontexts (`#3561 
<https://github.com/matrix-org/synapse/issues/3561>`_)
 
 
 Misc
 ----
 
-- `#3351 <https://github.com/matrix-org/synapse/issues/3351>`_, `#3463 
<https://github.com/matrix-org/synapse/issues/3463>`_, `#3464 
<https://github.com/matrix-org/synapse/issues/3464>`_, `#3499 
<https://github.com/matrix-org/synapse/issues/3499>`_, `#3530 
<https://github.com/matrix-org/synapse/issues/3530>`_, `#3534 
<https://github.com/matrix-org/synapse/issues/3534>`_, `#3535 
<https://github.com/matrix-org/synapse/issues/3535>`_, `#3540 
<https://github.com/matrix-org/synapse/issues/3540>`_, `#3544 
<https://github.com/matrix-org/synapse/issues/3544>`_
+- Refactoring to improve testability. (`#3351 
<https://github.com/matrix-org/synapse/issues/3351>`_, `#3499 
<https://github.com/matrix-org/synapse/issues/3499>`_)
+- Use ``isort`` to sort imports. (`#3463 
<https://github.com/matrix-org/synapse/issues/3463>`_, `#3464 
<https://github.com/matrix-org/synapse/issues/3464>`_, `#3540 
<https://github.com/matrix-org/synapse/issues/3540>`_)
+- Use parse and asserts from http.servlet. (`#3534 
<https://github.com/matrix-org/synapse/issues/3534>`_, `#3535 
<https://github.com/matrix-org/synapse/issues/3535>`_).
 
 
 Synapse 0.32.2 (2018-07-07)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/__init__.py 
new/matrix-synapse-0.33.1/synapse/__init__.py
--- old/matrix-synapse-0.33.0/synapse/__init__.py       2018-07-19 
13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/__init__.py       2018-08-02 
16:35:42.000000000 +0200
@@ -17,4 +17,4 @@
 """ This is a reference implementation of a Matrix home server.
 """
 
-__version__ = "0.33.0"
+__version__ = "0.33.1"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/matrix-synapse-0.33.0/synapse/federation/federation_server.py 
new/matrix-synapse-0.33.1/synapse/federation/federation_server.py
--- old/matrix-synapse-0.33.0/synapse/federation/federation_server.py   
2018-07-19 13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/federation/federation_server.py   
2018-08-02 16:35:42.000000000 +0200
@@ -425,6 +425,7 @@
             ret = yield self.handler.on_query_auth(
                 origin,
                 event_id,
+                room_id,
                 signed_auth,
                 content.get("rejects", []),
                 content.get("missing", []),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/handlers/events.py 
new/matrix-synapse-0.33.1/synapse/handlers/events.py
--- old/matrix-synapse-0.33.0/synapse/handlers/events.py        2018-07-19 
13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/handlers/events.py        2018-08-02 
16:35:42.000000000 +0200
@@ -19,10 +19,12 @@
 from twisted.internet import defer
 
 from synapse.api.constants import EventTypes, Membership
+from synapse.api.errors import AuthError
 from synapse.events import EventBase
 from synapse.events.utils import serialize_event
 from synapse.types import UserID
 from synapse.util.logutils import log_function
+from synapse.visibility import filter_events_for_client
 
 from ._base import BaseHandler
 
@@ -129,11 +131,13 @@
 class EventHandler(BaseHandler):
 
     @defer.inlineCallbacks
-    def get_event(self, user, event_id):
+    def get_event(self, user, room_id, event_id):
         """Retrieve a single specified event.
 
         Args:
             user (synapse.types.UserID): The user requesting the event
+            room_id (str|None): The expected room id. We'll return None if the
+                event's room does not match.
             event_id (str): The event ID to obtain.
         Returns:
             dict: An event, or None if there is no event matching this ID.
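
Review bot: the new `room_id` docstring says "We'll return None if the event's room does not match", but the call added in the next hunk is `self.store.get_event(event_id, check_room_id=room_id)` without `allow_none=True`, and the events_worker.py change raises NotFoundError on a mismatch when `allow_none` is False. Either pass `allow_none=True` or reword the docstring and its "Returns" line to say a mismatch raises a not-found error. As written, the `if not event:` branch cannot be reached.
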
@@ -142,13 +146,26 @@
             AuthError if the user does not have the rights to inspect this
             event.
         """
-        event = yield self.store.get_event(event_id)
+        event = yield self.store.get_event(event_id, check_room_id=room_id)
 
         if not event:
             defer.returnValue(None)
             return
 
-        if hasattr(event, "room_id"):
-            yield self.auth.check_joined_room(event.room_id, user.to_string())
+        users = yield self.store.get_users_in_room(event.room_id)
+        is_peeking = user.to_string() not in users
+
+        filtered = yield filter_events_for_client(
+            self.store,
+            user.to_string(),
+            [event],
+            is_peeking=is_peeking
+        )
+
+        if not filtered:
+            raise AuthError(
+                403,
+                "You don't have permission to access that event."
+            )
 
         defer.returnValue(event)
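
Review bot: the function still ends with `defer.returnValue(event)` after the new visibility check, so the result of `filter_events_for_client` is used only as a yes/no gate. If that filter can return an altered copy of an event rather than just dropping it, return `filtered[0]` so the client receives the filtered form. Removing the `hasattr(event, "room_id")` guard also means `event.room_id` is now read unconditionally; confirm that every event reaching this handler carries a room id.
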
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/handlers/federation.py 
new/matrix-synapse-0.33.1/synapse/handlers/federation.py
--- old/matrix-synapse-0.33.0/synapse/handlers/federation.py    2018-07-19 
13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/handlers/federation.py    2018-08-02 
16:35:42.000000000 +0200
@@ -1349,6 +1349,11 @@
     def get_state_for_pdu(self, room_id, event_id):
         """Returns the state at the event. i.e. not including said event.
         """
+
+        event = yield self.store.get_event(
+            event_id, allow_none=False, check_room_id=room_id,
+        )
+
         state_groups = yield self.store.get_state_groups(
             room_id, [event_id]
         )
@@ -1359,8 +1364,7 @@
                 (e.type, e.state_key): e for e in state
             }
 
-            event = yield self.store.get_event(event_id)
-            if event and event.is_state():
+            if event.is_state():
                 # Get previous state
                 if "replaces_state" in event.unsigned:
                     prev_id = event.unsigned["replaces_state"]
@@ -1391,6 +1395,10 @@
     def get_state_ids_for_pdu(self, room_id, event_id):
         """Returns the state at the event. i.e. not including said event.
         """
+        event = yield self.store.get_event(
+            event_id, allow_none=False, check_room_id=room_id,
+        )
+
         state_groups = yield self.store.get_state_groups_ids(
             room_id, [event_id]
         )
@@ -1399,8 +1407,7 @@
             _, state = state_groups.items().pop()
             results = state
 
-            event = yield self.store.get_event(event_id)
-            if event and event.is_state():
+            if event.is_state():
                 # Get previous state
                 if "replaces_state" in event.unsigned:
                     prev_id = event.unsigned["replaces_state"]
@@ -1706,8 +1713,19 @@
         defer.returnValue(context)
 
     @defer.inlineCallbacks
-    def on_query_auth(self, origin, event_id, remote_auth_chain, rejects,
+    def on_query_auth(self, origin, event_id, room_id, remote_auth_chain, 
rejects,
                       missing):
+        in_room = yield self.auth.check_host_in_room(
+            room_id,
+            origin
+        )
+        if not in_room:
+            raise AuthError(403, "Host not in room.")
+
+        event = yield self.store.get_event(
+            event_id, allow_none=False, check_room_id=room_id
+        )
+
         # Just go through and process each event in `remote_auth_chain`. We
         # don't want to fall into the trap of `missing` being wrong.
         for e in remote_auth_chain:
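
Review bot: `room_id` is inserted in the middle of the positional parameter list of `on_query_auth`, between `event_id` and `remote_auth_chain`, so a caller left on the old order would pass the auth chain as the room id without any immediate error. The one caller visible in this diff (federation_server.py) is updated, but passing these arguments by keyword would make a mismatch fail loudly. The order of the new checks is sound: the `check_host_in_room` rejection runs before the event lookup, so a host outside the room gets the same 403 whether or not the event exists.
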
@@ -1717,7 +1735,6 @@
                 pass
 
         # Now get the current auth_chain for the event.
-        event = yield self.store.get_event(event_id)
         local_auth_chain = yield self.store.get_auth_chain(
             [auth_id for auth_id, _ in event.auth_events],
             include_given=True
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/matrix-synapse-0.33.0/synapse/rest/client/v1/events.py 
new/matrix-synapse-0.33.1/synapse/rest/client/v1/events.py
--- old/matrix-synapse-0.33.0/synapse/rest/client/v1/events.py  2018-07-19 
13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/rest/client/v1/events.py  2018-08-02 
16:35:42.000000000 +0200
@@ -88,7 +88,7 @@
     @defer.inlineCallbacks
     def on_GET(self, request, event_id):
         requester = yield self.auth.get_user_by_req(request)
-        event = yield self.event_handler.get_event(requester.user, event_id)
+        event = yield self.event_handler.get_event(requester.user, None, 
event_id)
 
         time_now = self.clock.time_msec()
         if event:
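
Review bot: passing a bare positional `None` for `room_id` in `get_event(requester.user, None, event_id)` turns off the room match for this endpoint, leaving `filter_events_for_client` in the handler as the only access control on a GET by event id. That may be unavoidable because this route has no room in its path, but write it as `room_id=None` with a comment saying so, so the missing check reads as deliberate rather than forgotten.
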
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/rest/client/v1/room.py 
new/matrix-synapse-0.33.1/synapse/rest/client/v1/room.py
--- old/matrix-synapse-0.33.0/synapse/rest/client/v1/room.py    2018-07-19 
13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/rest/client/v1/room.py    2018-08-02 
16:35:42.000000000 +0200
@@ -508,7 +508,7 @@
     @defer.inlineCallbacks
     def on_GET(self, request, room_id, event_id):
         requester = yield self.auth.get_user_by_req(request)
-        event = yield self.event_handler.get_event(requester.user, event_id)
+        event = yield self.event_handler.get_event(requester.user, room_id, 
event_id)
 
         time_now = self.clock.time_msec()
         if event:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/matrix-synapse-0.33.0/synapse/storage/event_federation.py 
new/matrix-synapse-0.33.1/synapse/storage/event_federation.py
--- old/matrix-synapse-0.33.0/synapse/storage/event_federation.py       
2018-07-19 13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/storage/event_federation.py       
2018-08-02 16:35:42.000000000 +0200
@@ -343,6 +343,7 @@
                 table="events",
                 keyvalues={
                     "event_id": event_id,
+                    "room_id": room_id,
                 },
                 retcol="depth",
                 allow_none=True,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/matrix-synapse-0.33.0/synapse/storage/events_worker.py 
new/matrix-synapse-0.33.1/synapse/storage/events_worker.py
--- old/matrix-synapse-0.33.0/synapse/storage/events_worker.py  2018-07-19 
13:12:15.000000000 +0200
+++ new/matrix-synapse-0.33.1/synapse/storage/events_worker.py  2018-08-02 
16:35:42.000000000 +0200
@@ -19,7 +19,7 @@
 
 from twisted.internet import defer
 
-from synapse.api.errors import SynapseError
+from synapse.api.errors import NotFoundError
 # these are only included to make the type annotations work
 from synapse.events import EventBase  # noqa: F401
 from synapse.events import FrozenEvent
@@ -76,7 +76,7 @@
     @defer.inlineCallbacks
     def get_event(self, event_id, check_redacted=True,
                   get_prev_content=False, allow_rejected=False,
-                  allow_none=False):
+                  allow_none=False, check_room_id=None):
         """Get an event from the database by event_id.
 
         Args:
@@ -87,7 +87,9 @@
                 include the previous states content in the unsigned field.
             allow_rejected (bool): If True return rejected events.
             allow_none (bool): If True, return None if no event found, if
-                False throw an exception.
+                False throw a NotFoundError
+            check_room_id (str|None): if not None, check the room of the found 
event.
+                If there is a mismatch, behave as per allow_none.
 
         Returns:
             Deferred : A FrozenEvent.
@@ -99,10 +101,16 @@
             allow_rejected=allow_rejected,
         )
 
-        if not events and not allow_none:
-            raise SynapseError(404, "Could not find event %s" % (event_id,))
+        event = events[0] if events else None
 
-        defer.returnValue(events[0] if events else None)
+        if event is not None and check_room_id is not None:
+            if event.room_id != check_room_id:
+                event = None
+
+        if event is None and not allow_none:
+            raise NotFoundError("Could not find event %s" % (event_id,))
+
+        defer.returnValue(event)
 
     @defer.inlineCallbacks
     def get_events(self, event_ids, check_redacted=True,
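
Review bot: a room mismatch at `if event.room_id != check_room_id:` is folded silently into the not-found path. Returning the same error for both cases is the right choice for the caller, since it does not reveal that the event exists in another room, but a request that names a real event under the wrong room is worth recording. Add a log line at that branch with the event id and both room ids so operators can spot probing. No test for the mismatch case is included in this diff.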

++++++ matrix-synapse.obsinfo ++++++
--- /var/tmp/diff_new_pack.Huz1de/_old  2018-08-10 09:51:18.250417627 +0200
+++ /var/tmp/diff_new_pack.Huz1de/_new  2018-08-10 09:51:18.254417634 +0200
@@ -1,5 +1,5 @@
 name: matrix-synapse
-version: 0.33.0
-mtime: 1531998735
-commit: d69decd5c78c72abef50b597a689e2bc55a39702
+version: 0.33.1
+mtime: 1533220542
+commit: c2a83349f026c964302c6ad50a402c4cd664367f
 

