-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spec leaves wiggle room in the rules surrounding m.room.create
events
#1048
Comments
The rules don't mention If |
for the third point: if a malicious server were to interject a conflicting room ID (ie: create event originating from a different server, using the victim server's namespace), then Rule 1.2 of the authorization rules should prevent any other server from accepting that event, and thus the falsified room. If a server creates a room ID within its own namespace though (due to implementation bugs or otherwise), then it's just a DAG fork and the sending server now has a unique problem on its hands. |
Indeed. Auth event selection reads:
|
I'm happy to add that to the auth rules, but as I understand it that would (strictly speaking) require a new room version? |
The auth rules aspect should almost certainly get its own issue so we can investigate whether it needs a room version or not without drowning out other concerns here. |
-> #1061 |
In theory, the two are supposed to match exactly. This is a bit of a security hazard, since it would be easy for implementations to assume that they are the same when they are not (and hence grant permissions to the sender of the |
Link to problem area: https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules
Issue
The auth rules begin:
I understand this to mean that
m.room.create
events:prev_events
.sender
, aroom_id
and acontent
field, each with appropriate types.m.room.create
's content, defined in the C-S API spec.room_id
andsender
which are matrix IDs.room_id
andsender
.content.room_version
field which represents a recognised room version.content.creator
field.I can see the following holes and problems n this definition.
content.creator
is an MXID, nor that its domain matches that of theroom_id
orsender
. Come to think of it, why is thecontent.creator
required at all, when the event already contains asender
? Should servers consider the event invalid if the creator and sender disagree?auth_events
at all. Should servers ignore any auth events onm.room.create
, or reject such events?@alice:server
creates a room!room:server
. What is there to stop@bob:server
from trying to create a new room with the same ID?origin_server_ts
, tiebreaking lexicographically on the creator's MXID?)M_ROOM_IN_USE
, but a buggy or malicious homeserver could send whatever PDUs it likes.Additionally:
m.room.create
would be useful here (though note my confusion and complaints in Confusing cycle: S-S API -> room version auth rules -> S-S api auth events selection #1046).The text was updated successfully, but these errors were encountered: