cap the validity_ts on server signing keys

... as per matrix-org/matrix-spec-proposals#2075
matrix-org · Jun 4, 2019 · 00bf99f · 00bf99f
1 parent dae224a
commit 00bf99f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/changelog.d/5348.bugfix b/changelog.d/5348.bugfix
@@ -0,0 +1,2 @@
+Ensure that we have an up-to-date copy of the signing key when validating incoming federation requests.
+
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
@@ -56,6 +56,9 @@
 from synapse.util.metrics import Measure
 from synapse.util.retryutils import NotRetryingDestination
 
+# the maximum amount of time we cache a signing key for, before we consider it invalid.
+MAX_KEY_VALID_MS = 7 * 24 * 3600 * 1000
+
 logger = logging.getLogger(__name__)
 
 
@@ -483,6 +486,9 @@ def process_v2_response(
  """
  ts_valid_until_ms = response_json[u"valid_until_ts"]
 
+ # cap the ts_valid_until_ms, to stop people poisoning our cache forever
+ ts_valid_until_ms = min(ts_valid_until_ms, time_added_ms + MAX_KEY_VALID_MS)
+
  # start by extracting the keys from the response, since they may be required
  # to validate the signature on the response.
  verify_keys = {}