search

matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0
11.82k stars 2.13k forks source link

Synapse accepts `/join` and `/leave` with empty JSON bodies when it shouldn't #16367

Closed reivilibre closed 1 year ago

reivilibre commented 1 year ago

Like all PUT and POST requests other than the media ones (and /logout...), /join, /leave and likely others are supposed to take a JSON body, e.g. {} if nothing special is required. Currently Synapse as at v1.92.3 does not require this.

Unlike for /forget (#16366), I haven't added warnings for these as it's clear the issue is more widespread and I don't have time to descend into an endless rabbit hole here.

We should see if any clients are hitting this and then a future version should cut this off completely (or maybe we end up giving up and specifying that these can have no bodies...)

DMRobertson commented 1 year ago

Duplicate https://github.com/matrix-org/synapse/issues/13388?

I think we used to have these warnings, but I turned them off because the log spam was irritating: https://github.com/matrix-org/synapse/pull/14600

Rich politely pointed out this means we don't know how many clients are omitting the request bodies. We could revert that PR?

erikjohnston commented 1 year ago

Yeah, this is a duplicate

clokep commented 1 year ago

Rich politely pointed out this means we don't know how many clients are omitting the request bodies. We could revert that PR?

Looks like #16365 attempts to do this?