This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Redacted events leaked via the latest event in a thread #12104

Closed
clokep opened this issue Feb 28, 2022 · 3 comments · Fixed by #12121
Labels: A-Threads (Threaded messages); S-Major (Major functionality / product severely impaired, no satisfactory workaround.); T-Defect (Bugs, crashes, hangs, security vulnerabilities, or other reported issues.)

Comments


clokep commented Feb 28, 2022

If the latest event in a thread is redacted, the unredacted content can be leaked via the bundled aggregation (until it is removed from the database).

This only occurs if MSC3440 support is enabled on the server.

@clokep clokep added S-Major Major functionality / product severely impaired, no satisfactory workaround. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. A-Threads Threaded messages labels Feb 28, 2022
@clokep clokep self-assigned this Feb 28, 2022

clokep commented Feb 28, 2022

Reported by @ariskotsomitopoulos.

@ariskotsomitopoulos

Steps to reproduce

  1. Send a message
  2. Reply to ^ message in a thread
  3. Send some more messages in the thread
  4. Delete the latest message

MSC3440 /messages for io.element.thread relations will return the deleted event in the thread summary


clokep commented Mar 1, 2022

Thanks! This seems to be due to some sort of cache invalidation issue.
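
A regression check for the reproduction steps in this issue, as an added example that is not part of the original thread or Synapse's own code: it scans a `/messages` chunk for thread summaries whose `latest_event` still carries content for a redacted event. The event IDs and the sample chunk are constructed, and the summary layout (`unsigned` → `m.relations` → `io.element.thread` → `latest_event`) is assumed from MSC3440's bundled aggregation format.

```python
# Added example, not Synapse code; the sample chunk below is constructed.
THREAD_REL = "io.element.thread"  # unstable MSC3440 relation type from the report


def redacted_ids(events):
    """Event IDs targeted by m.room.redaction events in `events`."""
    ids = set()
    for e in events:
        if e.get("type") == "m.room.redaction":
            # `redacts` is top-level in older room versions, in content in v11.
            target = e.get("redacts") or e.get("content", {}).get("redacts")
            if target:
                ids.add(target)
    return ids


def leaked_summaries(chunk, known_redacted=()):
    """(thread_root_id, latest_event_id) pairs whose bundled thread summary
    still carries content for a redacted event."""
    redacted = set(known_redacted) | redacted_ids(chunk)
    leaks = []
    for event in chunk:
        relations = event.get("unsigned", {}).get("m.relations", {})
        latest = relations.get(THREAD_REL, {}).get("latest_event")
        if not latest:
            continue
        is_redacted = (latest.get("event_id") in redacted
                       or "redacted_because" in latest.get("unsigned", {}))
        # A redacted m.room.message keeps no content keys, so any content is a leak.
        if is_redacted and latest.get("content"):
            leaks.append((event["event_id"], latest["event_id"]))
    return leaks


def sample_chunk(latest_content):
    """Constructed /messages chunk: a thread root plus a redaction of $reply2."""
    summary = {"count": 2, "latest_event": {
        "event_id": "$reply2", "type": "m.room.message", "content": latest_content}}
    return [
        {"event_id": "$root", "type": "m.room.message",
         "content": {"msgtype": "m.text", "body": "root"},
         "unsigned": {"m.relations": {THREAD_REL: summary}}},
        {"event_id": "$redaction", "type": "m.room.redaction", "redacts": "$reply2"},
    ]


if __name__ == "__main__":
    print(leaked_summaries(sample_chunk({"msgtype": "m.text", "body": "deleted text"})))
    print(leaked_summaries(sample_chunk({})))
```

When the redaction itself is outside the fetched chunk, pass the redacted event IDs in through `known_redacted`.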
