This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Spec compliance: synapse does not appear to correctly enforce strict canonicaljson in federation requests, etc #13883
Labels
A-Spec-Compliance: places where synapse does not conform to the spec
O-Uncommon: Most users are unlikely to come across this or unexpected workflow
S-Tolerable: Minor significance, cosmetic issues, low or no impact to users.
T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
The canonicaljson spec says that json requests cannot contain:
[-2 ^ 53 + 1, 2 ^ 53 - 1]
... which should mean that it is impossible to sign a federation request containing such values, so all such requests should be rejected. However AFAICT Synapse does not enforce this.
Canonicaljson is used in a couple of other places too (3pid invites, E2EE, etc), and the same considerations apply there.
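A strict parse that applies the range quoted above when a request body is decoded, as an added example (not Synapse's code; `strict_loads` and `NonCanonicalJSON` are hypothetical names). It also rejects numbers with a fraction or exponent and the NaN/Infinity constants, which the Matrix canonical JSON rules exclude as well.

```python
import json

# Bounds from the range quoted in the issue: [-2^53 + 1, 2^53 - 1].
MIN_INT = -(2 ** 53) + 1
MAX_INT = 2 ** 53 - 1


class NonCanonicalJSON(ValueError):
    """Raised when a value cannot be represented in canonical JSON."""


def _reject_float(text):
    # json.loads calls this for any number with a fraction or exponent.
    raise NonCanonicalJSON(f"non-integer number not allowed: {text}")


def _reject_constant(text):
    # json.loads calls this for NaN, Infinity and -Infinity.
    raise NonCanonicalJSON(f"constant not allowed: {text}")


def _check_ints(value, path="$"):
    # bool is a subclass of int in Python; true/false are valid JSON.
    if isinstance(value, bool):
        return
    if isinstance(value, int):
        if not MIN_INT <= value <= MAX_INT:
            raise NonCanonicalJSON(f"integer out of range at {path}")
    elif isinstance(value, dict):
        for key, item in value.items():
            _check_ints(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            _check_ints(item, f"{path}[{index}]")


def strict_loads(body):
    """Parse a body, raising NonCanonicalJSON if it could not be signed."""
    parsed = json.loads(body, parse_float=_reject_float,
                        parse_constant=_reject_constant)
    _check_ints(parsed)
    return parsed
```

Because `NonCanonicalJSON` subclasses `ValueError`, a caller that already handles `json.JSONDecodeError` as `ValueError` rejects these bodies through the same path.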