Open dkasak opened 1 year ago
imo we shouldn't need to strip anything at the protocol level, but should be clear that "untrusted event bodies" goes as far as unsigned
too.
@turt2live Did you read the replaces_state
example in https://github.com/matrix-org/synapse/issues/11080? What do you propose Synapse should do instead if not strip that field when it receives it over federation?
Synapse can strip it, but the protocol doesn't have to :)
I guess so, but given all major servers now do it like that, I'm unsure of what benefit the added laxness buys us.
The root problem here is that unsigned
is essentially shared between the origin and destination homeserver, so clients have no hope in knowing which one set a particular item. And obviously this matters, because there is a greater degree of trust placed in the local homeserver than any arbitrary homeserver.
We should spell out the fact that the
unsigned
field of PDUs received over S2S should be stripped of everything except an explicitly allowed set of keys, to prevent issues as described in https://github.com/matrix-org/synapse/issues/11080.Synapse already has mitigations for this, as does Dendrite.