Hello community,

here is the log from the commit of package matrix-synapse for openSUSE:Factory checked in at 2018-08-10 09:51:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/matrix-synapse (Old)
 and /work/SRC/openSUSE:Factory/.matrix-synapse.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "matrix-synapse" Fri Aug 10 09:51:13 2018 rev:14 rq:628347 version:0.33.1 Changes: -------- --- /work/SRC/openSUSE:Factory/matrix-synapse/matrix-synapse.changes 2018-07-23 18:00:49.700943948 +0200 +++ /work/SRC/openSUSE:Factory/.matrix-synapse.new/matrix-synapse.changes 2018-08-10 09:51:17.202415936 +0200 @@ -1,0 +2,10 @@ +Thu Aug 9 07:04:39 UTC 2018 - ok...@suse.com + +- Update to 0.33.1 + * Bug Fixes: + * Fix a potential issue where servers could request events for rooms they + have not joined + * Fix a potential issue where users could see events in private rooms + before they joined + +------------------------------------------------------------------- Old: ---- matrix-synapse-0.33.0.obscpio New: ---- matrix-synapse-0.33.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ matrix-synapse.spec ++++++ --- /var/tmp/diff_new_pack.Huz1de/_old 2018-08-10 09:51:17.902417066 +0200 +++ /var/tmp/diff_new_pack.Huz1de/_new 2018-08-10 09:51:17.906417073 +0200 @@ -46,7 +46,7 @@ %define modname synapse %define short_name matrix-synapse Name: %{short_name}%{?name_ext} -Version: 0.33.0 +Version: 0.33.1 Release: 0 Summary: Matrix protocol reference homeserver License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Huz1de/_old 2018-08-10 09:51:17.954417150 +0200 +++ /var/tmp/diff_new_pack.Huz1de/_new 2018-08-10 09:51:17.954417150 +0200 
@@ -5,7 +5,7 @@ <param name="url">git://github.com/matrix-org/synapse.git</param> <param name="scm">git</param> <param name="versionrewrite-pattern">v(.*)</param> - <param name="revision">v0.33.0</param> + <param name="revision">v0.33.1</param> <!-- The git changelog of matrix-org/synapse does not seem to be very usable. Use the changelog provided on the github release page --> <param name="changesgenerate">disable</param> <param name="changesauthor">ok...@suse.com</param> ++++++ matrix-synapse-0.33.0.obscpio -> matrix-synapse-0.33.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/CHANGES.rst new/matrix-synapse-0.33.1/CHANGES.rst --- old/matrix-synapse-0.33.0/CHANGES.rst 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/CHANGES.rst 2018-08-02 16:35:42.000000000 +0200 
@@ -1,29 +1,49 @@ +Synapse 0.33.1 (2018-08-02) +=========================== + +SECURITY FIXES +-------------- + +- Fix a potential issue where servers could request events for rooms they have not joined. (`#3641 <https://github.com/matrix-org/synapse/issues/3641>`_) +- Fix a potential issue where users could see events in private rooms before they joined. (`#3642 <https://github.com/matrix-org/synapse/issues/3642>`_) + + Synapse 0.33.0 (2018-07-19) =========================== +Bugfixes +-------- + +- Disable a noisy warning about logcontexts. (`#3561 <https://github.com/matrix-org/synapse/issues/3561>`_) + + +Synapse 0.33.0rc1 (2018-07-18) +============================== + Features -------- -- Enforce the specified API for report_event (`#3316 <https://github.com/matrix-org/synapse/issues/3316>`_) +- Enforce the specified API for report_event. (`#3316 <https://github.com/matrix-org/synapse/issues/3316>`_) - Include CPU time from database threads in request/block metrics. (`#3496 <https://github.com/matrix-org/synapse/issues/3496>`_, `#3501 <https://github.com/matrix-org/synapse/issues/3501>`_) -- Add CPU metrics for _fetch_event_list (`#3497 <https://github.com/matrix-org/synapse/issues/3497>`_) -- optimisation for /sync (`#3505 <https://github.com/matrix-org/synapse/issues/3505>`_, `#3521 <https://github.com/matrix-org/synapse/issues/3521>`_) +- Add CPU metrics for _fetch_event_list. (`#3497 <https://github.com/matrix-org/synapse/issues/3497>`_) - Optimisation to make handling incoming federation requests more efficient. (`#3541 <https://github.com/matrix-org/synapse/issues/3541>`_) Bugfixes -------- -- Use more portable syntax in our use of the attrs package, widening the supported versions (`#3498 <https://github.com/matrix-org/synapse/issues/3498>`_) -- Fix queued federation requests being processed in the wrong order (`#3533 <https://github.com/matrix-org/synapse/issues/3533>`_) +- Fix a significant performance regression in /sync. 
(`#3505 <https://github.com/matrix-org/synapse/issues/3505>`_, `#3521 <https://github.com/matrix-org/synapse/issues/3521>`_, `#3530 <https://github.com/matrix-org/synapse/issues/3530>`_, `#3544 <https://github.com/matrix-org/synapse/issues/3544>`_) +- Use more portable syntax in our use of the attrs package, widening the supported versions. (`#3498 <https://github.com/matrix-org/synapse/issues/3498>`_) +- Fix queued federation requests being processed in the wrong order. (`#3533 <https://github.com/matrix-org/synapse/issues/3533>`_) - Ensure that erasure requests are correctly honoured for publicly accessible rooms when accessed over federation. (`#3546 <https://github.com/matrix-org/synapse/issues/3546>`_) -- Disable a noisy warning about logcontexts (`#3561 <https://github.com/matrix-org/synapse/issues/3561>`_) Misc ---- -- `#3351 <https://github.com/matrix-org/synapse/issues/3351>`_, `#3463 <https://github.com/matrix-org/synapse/issues/3463>`_, `#3464 <https://github.com/matrix-org/synapse/issues/3464>`_, `#3499 <https://github.com/matrix-org/synapse/issues/3499>`_, `#3530 <https://github.com/matrix-org/synapse/issues/3530>`_, `#3534 <https://github.com/matrix-org/synapse/issues/3534>`_, `#3535 <https://github.com/matrix-org/synapse/issues/3535>`_, `#3540 <https://github.com/matrix-org/synapse/issues/3540>`_, `#3544 <https://github.com/matrix-org/synapse/issues/3544>`_ +- Refactoring to improve testability. (`#3351 <https://github.com/matrix-org/synapse/issues/3351>`_, `#3499 <https://github.com/matrix-org/synapse/issues/3499>`_) +- Use ``isort`` to sort imports. (`#3463 <https://github.com/matrix-org/synapse/issues/3463>`_, `#3464 <https://github.com/matrix-org/synapse/issues/3464>`_, `#3540 <https://github.com/matrix-org/synapse/issues/3540>`_) +- Use parse and asserts from http.servlet. (`#3534 <https://github.com/matrix-org/synapse/issues/3534>`_, `#3535 <https://github.com/matrix-org/synapse/issues/3535>`_). 
Synapse 0.32.2 (2018-07-07) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/__init__.py new/matrix-synapse-0.33.1/synapse/__init__.py --- old/matrix-synapse-0.33.0/synapse/__init__.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/__init__.py 2018-08-02 16:35:42.000000000 +0200 @@ -17,4 +17,4 @@ """ This is a reference implementation of a Matrix home server. """ -__version__ = "0.33.0" +__version__ = "0.33.1" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/federation/federation_server.py new/matrix-synapse-0.33.1/synapse/federation/federation_server.py --- old/matrix-synapse-0.33.0/synapse/federation/federation_server.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/federation/federation_server.py 2018-08-02 16:35:42.000000000 +0200 @@ -425,6 +425,7 @@ ret = yield self.handler.on_query_auth( origin, event_id, + room_id, signed_auth, content.get("rejects", []), content.get("missing", []), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/handlers/events.py new/matrix-synapse-0.33.1/synapse/handlers/events.py --- old/matrix-synapse-0.33.0/synapse/handlers/events.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/handlers/events.py 2018-08-02 16:35:42.000000000 +0200 @@ -19,10 +19,12 @@ from twisted.internet import defer from synapse.api.constants import EventTypes, Membership +from synapse.api.errors import AuthError from synapse.events import EventBase from synapse.events.utils import serialize_event from synapse.types import UserID from synapse.util.logutils import log_function +from synapse.visibility import filter_events_for_client from ._base import BaseHandler 
@@ -129,11 +131,13 @@ class EventHandler(BaseHandler): @defer.inlineCallbacks - def get_event(self, user, event_id): + def get_event(self, user, room_id, event_id): """Retrieve a single specified event. Args: user (synapse.types.UserID): The user requesting the event + room_id (str|None): The expected room id. We'll return None if the + event's room does not match. event_id (str): The event ID to obtain. Returns: dict: An event, or None if there is no event matching this ID. @@ -142,13 +146,26 @@ AuthError if the user does not have the rights to inspect this event. """ - event = yield self.store.get_event(event_id) + event = yield self.store.get_event(event_id, check_room_id=room_id) if not event: defer.returnValue(None) return - if hasattr(event, "room_id"): - yield self.auth.check_joined_room(event.room_id, user.to_string()) + users = yield self.store.get_users_in_room(event.room_id) + is_peeking = user.to_string() not in users + + filtered = yield filter_events_for_client( + self.store, + user.to_string(), + [event], + is_peeking=is_peeking + ) + + if not filtered: + raise AuthError( + 403, + "You don't have permission to access that event." + ) defer.returnValue(event) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/handlers/federation.py new/matrix-synapse-0.33.1/synapse/handlers/federation.py --- old/matrix-synapse-0.33.0/synapse/handlers/federation.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/handlers/federation.py 2018-08-02 16:35:42.000000000 +0200 @@ -1349,6 +1349,11 @@ def get_state_for_pdu(self, room_id, event_id): """Returns the state at the event. i.e. not including said event. """ + + event = yield self.store.get_event( + event_id, allow_none=False, check_room_id=room_id, + ) + state_groups = yield self.store.get_state_groups( room_id, [event_id] ) 
@@ -1359,8 +1364,7 @@ (e.type, e.state_key): e for e in state } - event = yield self.store.get_event(event_id) - if event and event.is_state(): + if event.is_state(): # Get previous state if "replaces_state" in event.unsigned: prev_id = event.unsigned["replaces_state"] @@ -1391,6 +1395,10 @@ def get_state_ids_for_pdu(self, room_id, event_id): """Returns the state at the event. i.e. not including said event. """ + event = yield self.store.get_event( + event_id, allow_none=False, check_room_id=room_id, + ) + state_groups = yield self.store.get_state_groups_ids( room_id, [event_id] ) @@ -1399,8 +1407,7 @@ _, state = state_groups.items().pop() results = state - event = yield self.store.get_event(event_id) - if event and event.is_state(): + if event.is_state(): # Get previous state if "replaces_state" in event.unsigned: prev_id = event.unsigned["replaces_state"] @@ -1706,8 +1713,19 @@ defer.returnValue(context) @defer.inlineCallbacks - def on_query_auth(self, origin, event_id, remote_auth_chain, rejects, + def on_query_auth(self, origin, event_id, room_id, remote_auth_chain, rejects, missing): + in_room = yield self.auth.check_host_in_room( + room_id, + origin + ) + if not in_room: + raise AuthError(403, "Host not in room.") + + event = yield self.store.get_event( + event_id, allow_none=False, check_room_id=room_id + ) + # Just go through and process each event in `remote_auth_chain`. We # don't want to fall into the trap of `missing` being wrong. for e in remote_auth_chain: 
@@ -1717,7 +1735,6 @@ pass # Now get the current auth_chain for the event. - event = yield self.store.get_event(event_id) local_auth_chain = yield self.store.get_auth_chain( [auth_id for auth_id, _ in event.auth_events], include_given=True diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/rest/client/v1/events.py new/matrix-synapse-0.33.1/synapse/rest/client/v1/events.py --- old/matrix-synapse-0.33.0/synapse/rest/client/v1/events.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/rest/client/v1/events.py 2018-08-02 16:35:42.000000000 +0200 @@ -88,7 +88,7 @@ @defer.inlineCallbacks def on_GET(self, request, event_id): requester = yield self.auth.get_user_by_req(request) - event = yield self.event_handler.get_event(requester.user, event_id) + event = yield self.event_handler.get_event(requester.user, None, event_id) time_now = self.clock.time_msec() if event: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/rest/client/v1/room.py new/matrix-synapse-0.33.1/synapse/rest/client/v1/room.py --- old/matrix-synapse-0.33.0/synapse/rest/client/v1/room.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/rest/client/v1/room.py 2018-08-02 16:35:42.000000000 +0200 
@@ -508,7 +508,7 @@ @defer.inlineCallbacks def on_GET(self, request, room_id, event_id): requester = yield self.auth.get_user_by_req(request) - event = yield self.event_handler.get_event(requester.user, event_id) + event = yield self.event_handler.get_event(requester.user, room_id, event_id) time_now = self.clock.time_msec() if event: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/storage/event_federation.py new/matrix-synapse-0.33.1/synapse/storage/event_federation.py --- old/matrix-synapse-0.33.0/synapse/storage/event_federation.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/storage/event_federation.py 2018-08-02 16:35:42.000000000 +0200 @@ -343,6 +343,7 @@ table="events", keyvalues={ "event_id": event_id, + "room_id": room_id, }, retcol="depth", allow_none=True, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/matrix-synapse-0.33.0/synapse/storage/events_worker.py new/matrix-synapse-0.33.1/synapse/storage/events_worker.py --- old/matrix-synapse-0.33.0/synapse/storage/events_worker.py 2018-07-19 13:12:15.000000000 +0200 +++ new/matrix-synapse-0.33.1/synapse/storage/events_worker.py 2018-08-02 16:35:42.000000000 +0200 @@ -19,7 +19,7 @@ from twisted.internet import defer -from synapse.api.errors import SynapseError +from synapse.api.errors import NotFoundError # these are only included to make the type annotations work from synapse.events import EventBase # noqa: F401 from synapse.events import FrozenEvent @@ -76,7 +76,7 @@ @defer.inlineCallbacks def get_event(self, event_id, check_redacted=True, get_prev_content=False, allow_rejected=False, - allow_none=False): + allow_none=False, check_room_id=None): """Get an event from the database by event_id. Args: 
@@ -87,7 +87,9 @@ include the previous states content in the unsigned field. allow_rejected (bool): If True return rejected events. allow_none (bool): If True, return None if no event found, if - False throw an exception. + False throw a NotFoundError + check_room_id (str|None): if not None, check the room of the found event. + If there is a mismatch, behave as per allow_none. Returns: Deferred : A FrozenEvent. @@ -99,10 +101,16 @@ allow_rejected=allow_rejected, ) - if not events and not allow_none: - raise SynapseError(404, "Could not find event %s" % (event_id,)) + event = events[0] if events else None - defer.returnValue(events[0] if events else None) + if event is not None and check_room_id is not None: + if event.room_id != check_room_id: + event = None + + if event is None and not allow_none: + raise NotFoundError("Could not find event %s" % (event_id,)) + + defer.returnValue(event) @defer.inlineCallbacks def get_events(self, event_ids, check_redacted=True, ++++++ matrix-synapse.obsinfo ++++++ --- /var/tmp/diff_new_pack.Huz1de/_old 2018-08-10 09:51:18.250417627 +0200 +++ /var/tmp/diff_new_pack.Huz1de/_new 2018-08-10 09:51:18.254417634 +0200 @@ -1,5 +1,5 @@ name: matrix-synapse -version: 0.33.0 -mtime: 1531998735 -commit: d69decd5c78c72abef50b597a689e2bc55a39702 +version: 0.33.1 +mtime: 1533220542 +commit: c2a83349f026c964302c6ad50a402c4cd664367f
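
Review bot: In matrix-synapse.changes, the two entries for 0.33.1 are filed under "Bug Fixes", while the upstream CHANGES.rst in this same diff lists them under "SECURITY FIXES". Label them as security fixes in the package changelog and carry over the upstream issue references (#3641 and #3642), so the update is recognisable as security-relevant to anyone reading only the .changes file.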
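
Review bot: In synapse/handlers/events.py, hunk @@ -142,13 +146,26 @@, EventHandler.get_event calls self.store.get_event(event_id, check_room_id=room_id) without allow_none=True, so the "if not event:" branch that follows cannot be reached for a missing or wrong-room event. The store's default is allow_none=False, and its new docstring says a room mismatch behaves "as per allow_none", which means NotFoundError is raised. That contradicts the docstring added one hunk earlier ("We'll return None if the event's room does not match"). Either pass allow_none=True at this call or change the docstring to say a NotFoundError is raised. The same hunk also drops the hasattr(event, "room_id") guard and reads event.room_id unconditionally, which is worth confirming as safe for every event that can reach this path.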
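
Review bot: In synapse/handlers/federation.py, get_state_for_pdu and get_state_ids_for_pdu (hunks @@ -1349,6 +1349,11 @@ and @@ -1391,6 +1395,10 @@) gain the check_room_id=room_id lookup, but no check_host_in_room call is added there, unlike on_query_auth in hunk @@ -1706,8 +1713,19 @@. Neither method takes the requesting origin, so the host-in-room check has to live in the callers, which are not part of this diff. Please confirm each caller performs it and note that expectation in the two docstrings, so the event/room binding added here is not mistaken for the full authorization check.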
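
Review bot: In synapse/rest/client/v1/events.py, hunk @@ -88,7 +88,7 @@, on_GET passes a bare positional None as room_id, which switches off the room check for this route and leaves filter_events_for_client as the only gate. Add a one-line comment at the call saying this path carries no room id, and pass the arguments by keyword (room_id=None) so the intent is visible at the call site and cannot be confused with the room.py caller that does pass room_id.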
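
Review bot: In synapse/storage/events_worker.py, the check_room_id branch added to get_event (hunk @@ -99,10 +101,16 @@) is the enforcement point the other changes rely on, yet none of the files in this diff is a test. Add tests for the four combinations: matching room returns the event, mismatching room with allow_none=True returns None, mismatching room with allow_none=False raises NotFoundError, and check_room_id=None keeps the old behaviour. Two smaller points: hunk @@ -19,7 +19,7 @@ replaces the SynapseError import outright, so confirm nothing else in the module still references SynapseError, and the docstring line "False throw a NotFoundError" has lost its closing full stop.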