From 07e6da7dee824f7b616a11100c35fda60ce77b00 Mon Sep 17 00:00:00 2001
From: Denis Kasak
Date: Thu, 1 Apr 2021 00:57:42 +0200
Subject: [PATCH] Fail sig verification unless returned `valid_until_ts` is an integer.

When fetching a remote homeserver key, the field `valid_until_ts` must be an integer if it is returned.
---
 sydent/hs_federation/verifier.py | 7 ++++++-
 sydent/http/servlets/termsservlet.py | 1 -
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/sydent/hs_federation/verifier.py b/sydent/hs_federation/verifier.py
index a708d407..83dad4fa 100644
--- a/sydent/hs_federation/verifier.py
+++ b/sydent/hs_federation/verifier.py
@@ -78,13 +78,18 @@ def _getKeysForServer(self, server_name):
 client = FederationHttpClient(self.sydent)
 result = yield client.get_json("matrix://%s/_matrix/key/v2/server/" % server_name, 1024 * 50)
+
 if 'verify_keys' not in result:
 raise SignatureVerifyException("No key found in response")
 if 'valid_until_ts' in result:
+ if not isinstance(result['valid_until_ts'], int):
+ raise SignatureVerifyException("Invalid valid_until_ts received, must be an integer")
+
 # Don't cache anything without a valid_until_ts or we wouldn't
 # know when to expire it.
- logger.info("Got keys for %s: caching until %s", server_name, result['valid_until_ts'])
+
+ logger.info("Got keys for %s: caching until %d", server_name, result['valid_until_ts'])
 self.cache[server_name] = result
 defer.returnValue(result['verify_keys'])
diff --git a/sydent/http/servlets/termsservlet.py b/sydent/http/servlets/termsservlet.py
index 802d3933..90e981a7 100644
--- a/sydent/http/servlets/termsservlet.py
+++ b/sydent/http/servlets/termsservlet.py
@@ -80,4 +80,3 @@ def render_POST(self, request):
 def render_OPTIONS(self, request):
 send_cors(request)
 return b''
-
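Review bot: The added `isinstance(result['valid_until_ts'], int)` guard in the verifier.py hunk still accepts JSON `true`/`false`, because `bool` is a subclass of `int` in Python, so a remote homeserver can have a boolean stored in `self.cache` as the expiry. With `ts = result['valid_until_ts']`, I would tighten the check to `if isinstance(ts, bool) or not isinstance(ts, int):` and consider rejecting negative values in the same branch. The hunk also leaves `result` and `result['verify_keys']` unchecked for type, so a non-object response body would presumably fail with something other than `SignatureVerifyException`, unless `get_json` already enforces a dict (not visible here). The start of `_getKeysForServer`, where the cached timestamp is presumably compared, lies outside the hunk, so the effect of an odd cached value on expiry could not be confirmed.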