matrix.org/content/blog/2019/04/2019-04-18-security-update-sydent-1-0-2.md
Kim Brose 963ee433ad
Simplify PR template, introduce MD linter (#3051)
* Convert checkboxes to questions

Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* document internal links

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* document blog taxonomies

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* update PR bot CI from https://github.com/HarHarLinks/pr-template-autoclose

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix heading depth (MD001 MD003)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix code blocks

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix spaces in link text (MD039)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix no newline at end of file (MD047)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix bare URLs without angle brackets (MD034)

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* remove redundant attribute

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* linter exception

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* lint links and headings with rumdl instead of checklist

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* convert signoff checklist to heading

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* configure linter to .rumdl.toml explicitly

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* bump rumdl action

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* Shorten comments in the template

Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* Remove rumdl default config example comments

Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>

* explain more about the pr-bot

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* pin rumdl action to v0

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

* fix unlinked email address in coc

Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>

---------

Signed-off-by: Kim Brose <2803622+HarHarLinks@users.noreply.github.com>
Signed-off-by: HarHarLinks <2803622+HarHarLinks@users.noreply.github.com>
Co-authored-by: Thibault Martin <thibaultamartin@users.noreply.github.com>
2025-12-09 14:26:51 +01:00


+++
title = "Security Update: Sydent 1.0.2"
path = "/blog/2019/04/18/security-update-sydent-1-0-2"

[taxonomies]
author = ["Matrix.org Team"]
category = ["General"]
+++

## Overview

We became aware today of a flaw in sydent's validation of email addresses which can lead to a failure to correctly limit registration to a given email domain. This only affects people who run their own sydent and are relying on `allowed_local_3pids` in their synapse config. We'd like to thank @fs0c131y for bringing it to our attention on Twitter this morning. We are not aware of this being exploited in the wild other than the initial report.

If you are running your own sydent, and limiting signup for your server using the `allowed_local_3pids` configuration option, then you need to upgrade your sydent immediately to Sydent 1.0.2.

Meanwhile, if you have been relying on the `allowed_local_3pids` configuration option to restrict access to your homeserver, you may wish to check your homeserver's `user_threepids` table and your sydent's `global_threepid_associations` table for malformed email addresses (addresses containing more than one `@`) as follows:

```console
$ sqlite3 sydent.db
sqlite> select count(*) from global_threepid_associations where address like '%@%@%';
0

$ psql matrix
matrix=> select count(*) from user_threepids where address like '%@%@%';
 count
-------
     0
```

If either query returns a count greater than 0, please let us know at security@matrix.org; otherwise you are fine.

## Details

A flaw existed in sydent whereby it was possible to bypass the restriction specified by synapse's `allowed_local_3pids` option, which limits registration to email addresses matching a configured pattern.

This relied on two things:

  1. sydent uses Python's `email.utils.parseaddr` function to parse the input email address before sending validation mail to it, but if you hand `parseaddr` a malformed email address of the form `a@b.com@c.com`, it silently discards the `@c.com` suffix without error. The result is that if one requested a validation token for `a@malicious.org@important.com`, the token would be sent to `a@malicious.org`, but the address `a@malicious.org@important.com` would be marked as validated. This release fixes this behaviour by asserting that the parsed email address is identical to the input email address.
  2. synapse's checking of email addresses relies on regular expressions in the homeserver configuration file. synapse does not validate email addresses before matching them against these regular expressions, so a naive pattern such as `.*@important\.com` will match the second domain in an address like the above, causing it to pass the check.
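The two halves of the bypass, and the round-trip check that closes it, can be seen in a few lines of Python. This is an added illustration written for this page, not sydent's or synapse's own code: the sample addresses are constructed, `.*@important\.com` stands in for a naive `allowed_local_3pids` pattern, and the function names are hypothetical. Note that the check does not depend on what `parseaddr` returns for a doubled-`@` address (older Python versions return the first mailbox, newer ones return an empty string); it only requires that the parsed mailbox equal the input exactly, which fails either way.

```python
import re
from email.utils import parseaddr

# Constructed sample inputs (not from the advisory): a well-formed address on
# the permitted domain and a doubled-@ address of the shape described above.
GOOD = "alice@important.com"
MALFORMED = "a@malicious.org@important.com"

# Hypothetical stand-in for a naive allowed_local_3pids pattern: anything that
# ends in the permitted domain passes, even if the text before it contains '@'.
NAIVE_PATTERN = r".*@important\.com"

# Stricter pattern: the local part may not itself contain '@' or whitespace.
STRICT_PATTERN = r"[^@\s]+@important\.com"


def parsed_mailbox(address: str) -> str:
    """Return the mailbox part that parseaddr extracts from the raw input."""
    _display_name, mailbox = parseaddr(address)
    return mailbox


def token_destination(address: str) -> str:
    """Where a validation mail would actually be sent if the parsed mailbox
    were trusted: for MALFORMED this is never the address that would be
    marked as validated."""
    return parsed_mailbox(address)


def vulnerable_accepts(address: str, pattern: str = NAIVE_PATTERN) -> bool:
    """Pre-fix shape of the domain check: match the unvalidated raw input
    against the configured pattern. The pattern alone sees the trailing
    '@important.com' and accepts the doubled-@ address."""
    return re.fullmatch(pattern, address) is not None


def hardened_accepts(address: str, pattern: str = STRICT_PATTERN) -> bool:
    """Post-fix shape: require that parsing the address yields the address
    itself (the assertion sydent 1.0.2 adds), then apply a pattern whose
    local part cannot swallow a second '@'."""
    if parsed_mailbox(address) != address:
        # parseaddr dropped, rewrote or rejected part of the input: refuse it
        return False
    return re.fullmatch(pattern, address) is not None


if __name__ == "__main__":
    for addr in (GOOD, MALFORMED):
        print(f"{addr!r}: naive={vulnerable_accepts(addr)} "
              f"hardened={hardened_accepts(addr)} "
              f"mail_would_go_to={token_destination(addr)!r}")
```

Running the block shows the naive check accepting both addresses while the hardened check accepts only `alice@important.com`; the round-trip assertion alone is enough to reject the doubled-`@` address even when the naive pattern is kept, which is why the sydent fix is effective independently of how the homeserver's regular expressions are written.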

You can get sydent 1.0.2 from https://github.com/matrix-org/sydent/releases/tag/v1.0.2.