Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reply fallbacks leak room history #368

Closed
NotAFile opened this issue Sep 4, 2018 · 9 comments · Fixed by #1994
Closed

Reply fallbacks leak room history #368

NotAFile opened this issue Sep 4, 2018 · 9 comments · Fixed by #1994
Labels
A-Client-Server Issues affecting the CS API wart A point where the protocol is inconsistent or inelegant

Comments

@NotAFile
Copy link

NotAFile commented Sep 4, 2018

This isn't really a big issue, but when joining a room which only allows you to view messages after you join, you can see earlier messages by looking into the fallback of replies.

@t3chguy
Copy link
Member

t3chguy commented Sep 4, 2018

But you have no way of verifying them and knowing if they are the true history, its the same as someone posting a screenshot/quote of the history you do not have access to

@turt2live turt2live added the wart A point where the protocol is inconsistent or inelegant label Sep 4, 2018
@NotAFile
Copy link
Author

NotAFile commented Sep 4, 2018

sure, but chances are usually low that it's fake. Users might rely on the fact that e.g. riot doesn't let them access the message, without realizing the message is also embedded in the event data

@Half-Shot
Copy link
Contributor

As per #14824, reply fallbacks also leak participant servers with the?via attribute in the permalinks. This isn't a problem if you are in the same room because you can easily determine this by looking at room state, but this is a problem if a reply fallback is forwarded to another room.

@turt2live
Copy link
Member

@Half-Shot how is that any more problematic than someone dumping a permalink to the same event in the other room?

@Half-Shot
Copy link
Contributor

A permalink is visible, and so the user can immediate see that they fucked up and can remove it. A reply fallback is rendered as "unable to render" in Element, but the source of the event contains the via data.

Ergo, one is a visible mistake and can be corrected immediately, the other is invisible.

@KitsuneRal
Copy link
Member

Tbh (albeit offtopic here), the fact that reply fallbacks survive redactions seems a much bigger issue to me.

@Half-Shot
Copy link
Contributor

Half-Shot commented Jul 30, 2020

I'm surprised that the fallback is not redacted. If so, that probably just makes the issue even worse as you can't redact the leak at all :| Misunderstood, not relevant to the issue after all.

@KitsuneRal
Copy link
Member

If you redact the reply, the fallback gets redacted along with it. If you redact the message replied to, the reply fallback survives.

@MazeChaZer
Copy link

This problem is approached in MSC matrix-org/matrix-spec-proposals#2781.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Client-Server Issues affecting the CS API wart A point where the protocol is inconsistent or inelegant
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants