Closed HairlessMess closed 1 year ago
This is somewhat expected. All servers in the room should be able to see all events in the room, no matter the whitelist, as (in your case) A can pull in events sent by C via B.
It appears that we don't highlight this in the configuration documentation (I thought we did). federation_domain_whitelist is really only useful for creating a "private federation", i.e. where every server has the same whitelist set up. I've put up a PR to amend the documentation at https://github.com/matrix-org/synapse/pull/16416
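The point made in the reply above can be checked ahead of time for a given set of whitelists. The following is an added example, not Synapse code and not part of the original thread: a simplified model in which two servers exchange events directly only if each accepts the other, and events then spread between any room members that can talk to each other. The domain names, the whitelist contents and the function names are constructed for illustration.

```python
from collections import deque

def can_federate(whitelists, x, y):
    """True if x and y each accept the other. None models 'no whitelist set'."""
    def allows(server, peer):
        wl = whitelists.get(server)
        return wl is None or peer in wl
    return x != y and allows(x, y) and allows(y, x)

def reachable_events(whitelists, room_servers, origin):
    """Room members that can end up holding events sent by origin (BFS)."""
    seen, queue = {origin}, deque([origin])
    while queue:
        cur = queue.popleft()
        for s in room_servers:
            if s not in seen and can_federate(whitelists, cur, s):
                seen.add(s)
                queue.append(s)
    return seen - {origin}

def whitelist_leaks(whitelists, room_servers):
    """(origin, receiver) pairs where the whitelist blocks direct federation
    but the receiver can still obtain origin's events via another member."""
    leaks = []
    for origin in sorted(room_servers):
        for rcv in sorted(reachable_events(whitelists, room_servers, origin)):
            if not can_federate(whitelists, origin, rcv):
                leaks.append((origin, rcv))
    return leaks

def is_private_federation(whitelists, room_servers):
    """True only if every member has a whitelist, all whitelists are the same
    set (counting each server's own name) and the room stays inside it."""
    sets = []
    for s in room_servers:
        wl = whitelists.get(s)
        if wl is None:
            return False
        sets.append(frozenset(wl) | {s})
    return len(set(sets)) == 1 and set(room_servers) <= sets[0]

# Constructed whitelists modelled on the report: A only lists B,
# B lists both, C (a public homeserver) has no whitelist.
SCENARIO = {
    "a.example": {"b.example"},
    "b.example": {"a.example", "c.example"},
    "c.example": None,
}
ROOM = {"a.example", "b.example", "c.example"}

if __name__ == "__main__":
    print(whitelist_leaks(SCENARIO, ROOM))
    print(is_private_federation(SCENARIO, ROOM))
```

Any pair reported by `whitelist_leaks` is a case where the whitelist alone does not keep a server's events away from another room member; an empty result together with `is_private_federation` returning `True` corresponds to the "private federation" setup described in the reply.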
Description
SCENARIO:
I have three homeservers, we will call them A, B and C. The three of them federate as such:
C is the matrix.org homeserver. B and C are the personal homeservers. Homeserver B user creates a private encrypted room and invites users from homeservers A and C. Due to the whitelist, homeserver A user cannot read the messages from homeserver C user and vice-versa but homeserver B user can read the messages from both.
EXPLOIT:
Homeserver C user quits the room and gets re-invited into the room.
RESULT:
Homeserver C user can now see all the messages from homeserver user A but not the other way around. This shouldn't happen due to the whitelist and the expected behaviour would be the same as before the homeserver A user quit the room.
CAUSE:
I believe this happens when homeserver user C rejoins the room, the server asks homeserver B to get everything he needs and homeserver B (which can federate with both homeservers) gives him all the encryption keys, even the ones from homeserver A as he doesn't know about the whitelist.
Is this behaviour normal or is this a bug? Thanks in advance.
Steps to reproduce
Homeserver
Matrix.org and 2 personal homeservers
Synapse Version
1.85.2
Installation Method
Docker (matrixdotorg/synapse)
Database
PostgreSQL
Workers
Single process
Platform
Container
Configuration
No response
Relevant log output
Anything else that would be useful to know?
No response