Only do restricted join rules signature checks for room versions 8/9. (#10927)

clokep · web-flow · commit c3ccad7785cd · 2021-09-28T08:44:19.000-04:00
Otherwise the presence of a (bogus, unused) field could cause
auth checks to fail.
diff --git a/changelog.d/10927.bugfix b/changelog.d/10927.bugfix
@@ -0,0 +1 @@
+Fix a bug introduced in Synapse v1.40.0 where the signature checks for room version 8/9 could be applied to earlier room versions in some situations.
diff --git a/synapse/event_auth.py b/synapse/event_auth.py
@@ -113,7 +113,8 @@ def check(
                 raise AuthError(403, "Event not signed by sending server")
 
         is_invite_via_allow_rule = (
-            event.type == EventTypes.Member
+            room_version_obj.msc3083_join_rules
+            and event.type == EventTypes.Member
             and event.membership == Membership.JOIN
             and "join_authorised_via_users_server" in event.content
         )

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix a bug introduced in Synapse v1.40.0 where the signature checks for room version 8/9 could be applied to earlier room versions in some situations.`
Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,8 @@ def check(`
`113`	`113`	`raise AuthError(403, "Event not signed by sending server")`
`114`	`114`
`115`	`115`	`is_invite_via_allow_rule = (`
`116`		`- event.type == EventTypes.Member`
	`116`	`+ room_version_obj.msc3083_join_rules`
	`117`	`+ and event.type == EventTypes.Member`
`117`	`118`	`and event.membership == Membership.JOIN`
`118`	`119`	`and "join_authorised_via_users_server" in event.content`
`119`	`120`	`)`