matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Synapse allows setting unreasonable power_levels when creating a v1-5 room #8378

Closed ghost closed 3 years ago

ghost commented 4 years ago

Description

You can create a room with a power level that is viewed as "Infinity".

Steps to reproduce

  1. Create a room with

     ```json
     {
         "power_level_content_override": {
             "users": {
                 "@youruser:yourhomeserver": 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
             }
         }
     }
     ```
  2. Notice various levels of breakage in many clients (FluffyChat, Element), and a power level displayed as Infinity

Instead, creating the room should fail.


clokep commented 4 years ago

I believe that newer versions of Synapse enforce this correctly. (You might also need to ensure you're using a new-ish room version.)

ghost commented 4 years ago

Updated to the latest version and it still works. Room version is default (5).

richvdh commented 4 years ago

@clokep sadly I don't think even recent versions of canonicaljson correctly enforce the int bounds.

clokep commented 4 years ago

> @clokep sadly I don't think even recent versions of canonicaljson correctly enforce the int bounds.

I believe that room version 6 enforces this, see:

https://github.com/matrix-org/synapse/blob/c619253db80c8d1c606dc40756dd3c9e3a55a9fb/synapse/events/utils.py#L463-L465
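As an added illustration (not Synapse's code), this is the kind of bound check a homeserver can apply to `power_level_content_override` before a room is created, so that a value like the one in the report is rejected instead of being stored. It uses the Matrix canonical JSON integer range [-(2^53)+1, 2^53-1]; floats are treated as invalid as well, and the sample content is constructed.

```python
from typing import Any, Iterator, Tuple

# Matrix canonical JSON only allows integers in [-(2**53) + 1, 2**53 - 1];
# anything larger cannot be represented exactly by every client, which is
# how a power level ends up displayed as "Infinity".
CANONICAL_JSON_MAX = 2**53 - 1
CANONICAL_JSON_MIN = -(2**53) + 1

Path = Tuple[Any, ...]


def find_invalid_numbers(value: Any, path: Path = ()) -> Iterator[Tuple[Path, Any]]:
    """Yield (path, value) for every number canonical JSON would reject.

    The path is a tuple of dict keys and list indices leading to the value.
    bool is a subclass of int in Python, so it is skipped explicitly.
    """
    if isinstance(value, bool):
        return
    if isinstance(value, float):
        # Non-integer numbers are not canonical JSON; reject them too.
        yield path, value
    elif isinstance(value, int):
        if not CANONICAL_JSON_MIN <= value <= CANONICAL_JSON_MAX:
            yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from find_invalid_numbers(child, path + (key,))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from find_invalid_numbers(child, path + (index,))


def validate_power_levels(content: dict) -> None:
    """Raise ValueError if power_levels content carries an out-of-range number."""
    problems = list(find_invalid_numbers(content))
    if problems:
        path, value = problems[0]
        where = "/".join(str(p) for p in path)
        raise ValueError(f"power_levels {where} = {value!r} exceeds canonical JSON int bounds")


# Constructed samples: a bad override (10**30 is far above 2**53 - 1) and a valid one.
BAD_OVERRIDE = {"users": {"@user:example.org": 10**30}, "users_default": 0}
GOOD_OVERRIDE = {"users": {"@user:example.org": 100}, "users_default": 0}

if __name__ == "__main__":
    print(list(find_invalid_numbers(BAD_OVERRIDE)))  # [(('users', '@user:example.org'), 10**30)]
    validate_power_levels(GOOD_OVERRIDE)  # passes silently
```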

kate-shine commented 4 years ago

Room v5 is still a recommended default though, so this doesn't really help the issue.

richvdh commented 4 years ago

Ah, my bad, sorry.

We could enforce this in the C-S API, I guess, though it's hardly the biggest problem.

ptman commented 4 years ago

https://github.com/matrix-org/matrix-doc/pull/2788