From df04bff7ef6e67c32dfb59a1e5d34007c348a819 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Wed, 15 Jul 2020 18:45:00 +0100 Subject: [PATCH] Reject attempts to join empty rooms over federation We shouldn't allow others to make_join through us if we've left the room; reject such attempts with a 404. Fixes #7835. Fixes #6958. --- changelog.d/7859.bugfix | 1 + synapse/handlers/federation.py | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 changelog.d/7859.bugfix diff --git a/changelog.d/7859.bugfix b/changelog.d/7859.bugfix new file mode 100644 index 000000000000..19cff4b0616b --- /dev/null +++ b/changelog.d/7859.bugfix @@ -0,0 +1 @@ +Fix a bug which allowed empty rooms to be rejoined over federation. diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py index e43bccd721f3..df885e45e893 100644 --- a/synapse/handlers/federation.py +++ b/synapse/handlers/federation.py @@ -44,6 +44,7 @@ FederationDeniedError, FederationError, HttpResponseException, + NotFoundError, RequestSendFailed, SynapseError, ) @@ -1439,10 +1440,20 @@ async def on_make_join_request( ) raise SynapseError(403, "User not from origin", Codes.FORBIDDEN) - event_content = {"membership": Membership.JOIN} - + # checking the room version will check that we've actually heard of the room + # (and return a 404 otherwise) room_version = await self.store.get_room_version_id(room_id) + # now check that we are *still* in the room + is_in_room = await self.auth.check_host_in_room(room_id, self.server_name) + if not is_in_room: + logger.info( + "Got /make_join request for room %s we are no longer in", room_id, + ) + raise NotFoundError("Not an active room on this server") + + event_content = {"membership": Membership.JOIN} + builder = self.event_builder_factory.new( room_version, {