Reply is highlighted even without actual mention when MXID substring matches username #11132

Closed
pacien opened this issue Oct 12, 2019 · 8 comments
@pacien
Contributor

pacien commented Oct 12, 2019

Description

My username matches my domain (MXID of the form @<username>:<username>.tld).
As a result, all replies to messages from any other user on my homeserver are highlighted in my Riot session, flooding me with urgent notifications without intended mentions.

Steps to reproduce

Let @alice:alice.tld, @bob:alice.tld and @caroline:alice.tld be three users on the homeserver alice.tld. All three are members of a room in which:

  1. Bob sends a message that does not mention Alice.
  2. Caroline replies to Bob's message using the reply feature, still not mentioning Alice.
  3. Alice's Riot highlights Caroline's message and Alice is notified, even though nobody intended to mention her.

Remediation?

Do not allow partial matches on MXIDs contained in messages for highlighting purposes.
A highlight should require the whole MXID to match.

Version information

  • Platforms: all
  • Version: 1.4.1
@t3chguy
Member

t3chguy commented Oct 12, 2019

Highlights are calculated server side, not in riot

@pacien
Contributor Author

pacien commented Oct 12, 2019

I haven't tested it, but the issue may probably also arise when someone's username is an infix of someone else's username: @pierre:domain.tld might get notified when someone replies to a message from @jean.pierre@domain.tld. To confirm.

> Highlights are calculated server side, not in riot

Should I submit this to the Synapse bug tracker instead?
Submitted on Synapse's bug tracker: matrix-org/synapse#6202

@t3chguy
Member

t3chguy commented Oct 12, 2019

I think it's more of a matrix spec thing

@turt2live
Member

Closing in favour of #7874

@pacien
Contributor Author

pacien commented Oct 12, 2019

> Closing in favour of #7874

#7874 looks like a different issue in which messages contain pings hidden in the reply chain.

The current issue is about the way mentions are being matched incorrectly in the body field. In the given example, Alice gets notified even though no actual mention of her has ever been sent by anyone.

Please re-open.

@turt2live
Member

Ah, well: in that case you need to adjust your notification preferences. Disable notifications for your username in settings, not just your display name. I recommend using keywords instead of the default options (it's how I survive).

Unfortunately notifications are complicated, but this is working as intended.

@pacien
Contributor Author

pacien commented Oct 12, 2019

The same problem appears with user-defined keywords too: they're still generating highlights/notifications when present in someone else's MXID.

I think that MXID strings should be excluded when scanning messages for mentions using strings. It makes no sense to try to find a substring in those as they already are explicit mentions as a whole.

Is there any chance to have the specification fixed for this?
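
The matching problem reported in this thread, next to the remediation proposed in the opening post and in the comment above, as an added example that is not code from Riot, Synapse or the Matrix specification. It assumes a simplified model in which a keyword matches when delimited by non-word characters, a simplified MXID pattern, and constructed message bodies in the reply-fallback shape (`> <@sender:server> ...`); the function names are hypothetical.

```python
import re

# Simplified MXID pattern (assumption): '@' localpart ':' server name [':' port].
MXID_RE = re.compile(
    r"@[A-Za-z0-9._=/+-]+:[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?::\d+)?"
)


def keyword_hit(keyword: str, text: str) -> bool:
    """Case-insensitive match of `keyword` delimited by non-word characters."""
    pattern = rf"(?<!\w){re.escape(keyword)}(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None


def naive_highlight(body: str, keyword: str) -> bool:
    """Behaviour reported in the issue: the whole body is scanned, MXIDs
    included, so ':' and '.' inside an MXID act as word delimiters."""
    return keyword_hit(keyword, body)


def strict_highlight(body: str, own_mxid: str, keyword: str) -> bool:
    """Proposed behaviour: an MXID only counts when it matches as a whole;
    keywords are searched in the text left once every MXID is removed."""
    mxids = [m.lower() for m in MXID_RE.findall(body)]
    if own_mxid.lower() in mxids:
        return True
    return keyword_hit(keyword, MXID_RE.sub(" ", body))


# Constructed sample bodies: (body, recipient MXID, keyword = recipient localpart)
REPLY_SAME_DOMAIN = ("> <@bob:alice.tld> lunch at noon?\n\nsounds good",
                     "@alice:alice.tld", "alice")
REPLY_INFIX = ("> <@jean.pierre:domain.tld> hello\n\nhi there",
               "@pierre:domain.tld", "pierre")
EXPLICIT_MENTION = ("ping @alice:alice.tld.", "@alice:alice.tld", "alice")
PLAIN_KEYWORD = ("thanks alice, merged", "@alice:alice.tld", "alice")

if __name__ == "__main__":
    for body, mxid, kw in (REPLY_SAME_DOMAIN, REPLY_INFIX,
                           EXPLICIT_MENTION, PLAIN_KEYWORD):
        print(f"{body!r}: naive={naive_highlight(body, kw)} "
              f"strict={strict_highlight(body, mxid, kw)}")
```

The first two bodies are the cases described in this thread: the naive scan highlights both although nobody was mentioned, while the strict variant highlights only the explicit MXID mention and the plain-text keyword.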

@pacien changed the title from "Reply is highlighted even without actual mention when domain matches username" to "Reply is highlighted even without actual mention when MXID substring matches username" on Oct 12, 2019
@turt2live
Member

The specification could be fixed, yes. It's a well known issue to the whole team that notifications are a bit annoying to handle.

If an issue doesn't exist already, please open one on matrix-doc

su-ex added a commit to SchildiChat/element-web that referenced this issue Feb 24, 2024