This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Enforce MXID grammar for new users created by appservices #10246

Open
aaronraimist opened this issue Jun 24, 2021 · 2 comments
Labels
A-Application-Service: Related to AS support
A-Validation: 500 (mostly) errors due to lack of event/parameter validation
S-Minor: Blocks non-critical functionality, workarounds exist.
T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@aaronraimist
Contributor

Application services like the IRC bridge are apparently allowed to register new users with uppercase letters in their usernames. matrix-org/matrix-appservice-irc#1399

Once the bridge is fixed, Synapse should start enforcing the spec.

@babolivier babolivier added P2 S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Jun 25, 2021
@callahad callahad removed the P2 label Nov 2, 2021
@callahad callahad added this to the Revisit: Next Year milestone Nov 2, 2021
@MadLittleMods MadLittleMods added A-Application-Service Related to AS support A-Validation 500 (mostly) errors due to lack of event/parameter validation labels Dec 23, 2022
@clokep
Member

clokep commented May 4, 2023

In order to do this we need to mess with the logic of `RegisterRestServlet.on_POST`, in particular we have slightly different logic for the `desired_username` for appservices vs "normal" registrations:

I think to fix this we would want to:

  1. Add an extra boolean parameter to `check_username` (`is_appservice`, maybe?).
  2. If `is_appservice`, skip the check rejecting names that start with `_`.
  3. Ensure that the lowercasing & `check_username` happens for all registrations.

@clokep
Member

clokep commented Aug 10, 2023

Appservices have a fallback to check the `user` property in addition to the `username` property. (This is fine to keep.)

Note that this was #9547, but was removed in #15928.
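One way the three steps listed above, together with the `user` fallback from the later comment, could fit together, as an added example that is not part of the thread and is not Synapse's code. The function bodies, `InvalidUsername`, `desired_localpart` and the allowed character set (taken from the Matrix user ID grammar, which the thread does not quote) are assumptions, and the sample names are constructed.

```python
import string

# Assumption: allowed localpart characters per the Matrix user ID grammar
# (a-z, 0-9 and . _ = - / +); the issue thread itself does not list them.
ALLOWED_LOCALPART_CHARS = frozenset(string.ascii_lowercase + string.digits + "._=-/+")


class InvalidUsername(ValueError):
    """Raised when a requested localpart fails validation (hypothetical type)."""


def check_username(localpart: str, is_appservice: bool = False) -> None:
    """Hypothetical stand-in for the check discussed in the thread (step 1)."""
    if not localpart:
        raise InvalidUsername("localpart must not be empty")
    bad = sorted(set(localpart) - ALLOWED_LOCALPART_CHARS)
    if bad:
        raise InvalidUsername(f"invalid characters in localpart: {bad!r}")
    # Step 2: only appservices may register names that start with "_".
    if localpart.startswith("_") and not is_appservice:
        raise InvalidUsername("localpart may not start with '_'")


def desired_localpart(body: dict, is_appservice: bool) -> str:
    """Pick the requested name from a registration body and validate it."""
    name = body.get("username")
    # Appservices fall back to the `user` property when `username` is absent.
    if name is None and is_appservice:
        name = body.get("user")
    if not isinstance(name, str):
        raise InvalidUsername("missing or non-string username")
    # Step 3: lowercase and validate on every path, appservice included.
    name = name.lower()
    check_username(name, is_appservice=is_appservice)
    return name


if __name__ == "__main__":
    # Constructed sample requests: (body, is_appservice)
    samples = [({"user": "_irc_Bob"}, True), ({"username": "_hidden"}, False)]
    for body, is_as in samples:
        try:
            print(body, "->", desired_localpart(body, is_as))
        except InvalidUsername as exc:
            print(body, "-> rejected:", exc)
```

Lowercasing before the character check means ASCII case differences are normalised, while names that are still outside the grammar after lowercasing (spaces, non-ASCII letters) are rejected on the appservice path as well.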
