This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Event auth allows booleans as power levels #14940
Labels
A-Spec-Compliance
places where synapse does not conform to the spec
O-Occasional
Affects or can be seen by some users regularly or most users rarely
S-Major
Major functionality / product severely impaired, no satisfactory workaround.
T-Defect
Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
Comments
clokep
added
A-Spec-Compliance
This was referenced Jan 30, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
Synapse validates power levels in event authorization using
isinstance(v, int). However, booleans in Python are also instances ofint. Therefore, Synapse allows booleans as power levels, even though v10 rooms should only allow ints.Steps to reproduce
trueorfalse) where there should be an integerHomeserver
maunium.net → matrix.org
Synapse Version
1.76.0rc2
Anything else that would be useful to know?
Power level event received and accepted by matrix.org:
{ "content": { "events_default": false, "invite": true, "users": { "@tulir:matrix.org": true, "@tulir:maunium.net": 9001 }, "users_default": false }, "origin_server_ts": 1675084843722, "sender": "@tulir:maunium.net", "state_key": "", "type": "m.room.power_levels", "unsigned": { "replaces_state": "$RevlilKC-G4vl1U--eXxjLKjEddGSr_zBFPGY-A7ftg" }, "event_id": "$ij4iOVCAKqFzOijUqs4ZyuWRHpjkly5tYp8UR0NOQVU", "room_id": "!VielVjraKNGUibBfrN:maunium.net" }The text was updated successfully, but these errors were encountered: