matrixbot
commented
8 years ago Jira watchers: @leonerd
Open matrixbot opened 8 years ago
matrixbot
commented
8 years ago Jira watchers: @leonerd
ara4n
commented
7 years ago @richvdh - is this still a prob?
richvdh
commented
7 years ago Yeah; it's not actually POSTing keys for a different user_id - it is allowing you to quote a different user_id in the key body, which doesn't do you a lot of good, since clients should reject it.
OTOH, it would be helpful if synapse did actually reject such malformed key uploads, both to help with development, and as an additional security check.
richvdh
commented
7 years ago 
anoadragon453
commented
5 years ago Is this a problem? Now that sending key IDs has been deprecated and the endpoint just returns all known keys anyways?
https://matrix.org/docs/spec/server_server/unstable#get-matrix-key-v2-server-keyid
richvdh
commented
5 years ago @anoadragon453 I think you're confusing e2e keys and server keys
anoadragon453
commented
5 years ago I believe you're correct.
kegsay
commented
10 months ago Still an issue, at least for the device_id. I did exactly what Leo did 8 years ago (!) and wrote a test, accidentally used the wrong client instance, and was surprised that Dendrite failed but Synapse passed. Dendrite does apply this validation check.
An accidental bug in sytest: https://github.com/matrix-org/sytest/blob/b5c03fb7764d5d64a4272d5af88bcc46fac90ecd/tests/41end-to-end-keys/01-upload-key.pl#L21
creates a user whose name is
_ANON_-6:localhostbut then manages to POST a key for a differentuser_id. I expect this ought to have failed with 403 instead.(Imported from https://matrix.org/jira/browse/SYN-496)
(Reported by @leonerd)