This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Synapse allows setting unreasonable power_levels when creating a v1-5 room #8378
I believe that newer versions of Synapse enforce this correctly. (You might also need to ensure you're using a new-ish room version.)
Updated to the latest version and it still works. Room version is default (5).
@clokep sadly I don't think even recent versions of canonicaljson correctly enforce the int bounds.
I believe that room version 6 enforces this, see: synapse/synapse/events/utils.py, lines 463 to 465 in c619253
Room v5 is still a recommended default tho, so this doesn't really help the issue.
ah my bad, sorry. We could enforce this in the C-S API, I guess, though it's hardly the biggest problem.
richvdh added the labels A-Validation (500 (mostly) errors due to lack of event/parameter validation) and z-p3 (Deprecated Label) on Sep 23, 2020
anoadragon453 changed the title from "Synapse allows setting unreasonable power_levels when creating a room" to "Synapse allows setting unreasonable power_levels when creating a v1-5 room" on Sep 23, 2020
aaronraimist added a commit to aaronraimist/synapse that referenced this issue on Jun 25, 2021
Signed-off-by: Aaron Raimist <aaron@raim.ist>
4 tasks
Description
You can create a room with a power level that is viewed as "Infinity"
Steps to reproduce
Instead, creating the room should fail.
Version information
Homeserver: blob.cat
Version: 1.11.0-1
Install method: Ubuntu package (with apt)
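An added example, not Synapse's code and not part of the original report: one way the client-server API check suggested in the comments could look, rejecting any number in a createRoom `power_level_content_override` that falls outside the integer range Matrix canonical JSON permits. The function names and the sample request body are constructed for illustration.

```python
import json

# Matrix canonical JSON permits only integers in [-(2**53)+1, (2**53)-1];
# floats (including Infinity and NaN) are not permitted at all.
CANONICAL_INT_MIN = -(2**53) + 1
CANONICAL_INT_MAX = 2**53 - 1


def find_invalid_numbers(value, path):
    """Return [(path, value)] for every number canonical JSON would reject."""
    if isinstance(value, bool):
        return []  # bool subclasses int in Python but is not a JSON number
    if isinstance(value, float):
        return [(path, value)]
    if isinstance(value, int):
        in_range = CANONICAL_INT_MIN <= value <= CANONICAL_INT_MAX
        return [] if in_range else [(path, value)]
    bad = []
    if isinstance(value, dict):
        for key, child in value.items():
            bad.extend(find_invalid_numbers(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            bad.extend(find_invalid_numbers(child, f"{path}[{index}]"))
    return bad


def check_create_room(body):
    """Hypothetical pre-check for a /createRoom request body."""
    override = body.get("power_level_content_override", {})
    return find_invalid_numbers(override, "power_level_content_override")


# Constructed sample request body (not taken from the issue).
SAMPLE_BODY = json.loads("""
{
  "room_version": "5",
  "power_level_content_override": {
    "users": {"@alice:example.org": 1e400},
    "events_default": 9007199254740992,
    "ban": 50
  }
}
""")

if __name__ == "__main__":
    for path, value in check_create_room(SAMPLE_BODY):
        print(f"reject {path}: {value!r}")
```

Python's `json.loads` parses `1e400` as `inf` without raising, so the bounds check has to run on the decoded values rather than relying on the parser to refuse them.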