Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Room membership endpoints (/join, /leave, /forget) accept requests with malformed or no bodies #13388

Open
richvdh opened this issue Jul 26, 2022 · 8 comments
Open

Room membership endpoints (/join, /leave, /forget) accept requests with malformed or no bodies #13388

richvdh opened this issue Jul 26, 2022 · 8 comments
Labels
A-Spec-Compliance places where synapse does not conform to the spec T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@richvdh
Copy link
Member

richvdh commented Jul 26, 2022

The following endpoints accept, and ignore, requests with bodies which are not valid JSON objects:

  • /_matrix/client/v3/join/{roomIdOrAlias}
  • /_matrix/client/v3/rooms/{roomId}/join
  • /_matrix/client/v3/rooms/{roomId}/leave

(as well as their non-v3 equivalents).

This is a spec violation, but it appears there are a number of clients that currently rely on it.
@richvdh richvdh added A-Spec-Compliance places where synapse does not conform to the spec T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Jul 26, 2022
This was referenced Jul 26, 2022
Closed
Closed
Closed
Closed
@Half-Shot Half-Shot mentioned this issue Jul 26, 2022
Closed
@turt2live
Copy link
Member

@richvdh how was the distinction that this is a spec violation made? There doesn't seem to be anything in the spec which requires a JSON object for empty requests.

@richvdh
Copy link
Member Author

richvdh commented Jul 26, 2022

well, it's just always been so, apart from these three endpoints.

@richvdh
Copy link
Member Author

richvdh commented Jul 26, 2022

Synapse currently ignores anything that isn't valid json (including actually malformed JSON, like {"). That's clearly wrong.

I'd really like just to bring these endpoints into line with every other endpoint.

@turt2live
Copy link
Member

I'd prefer to see the spec updated to reflect what is supposed to happen when the caller wants an empty body (in these endpoints' cases, not using the optional parameters).

Presently, the behaviour of clients appears legal.

@DMRobertson
Copy link
Contributor

Related: #10534 (?)

@richvdh
Copy link
Member Author

richvdh commented Jul 26, 2022

oh yes, that reminds me: a valid object is required here by the openapi definition: https://github.com/matrix-org/matrix-spec/blob/v1.3/data/api/client-server/joining.yaml#L57, https://github.com/matrix-org/matrix-spec/blob/v1.3/data/api/client-server/leaving.yaml#L57.

@pixlwave pixlwave mentioned this issue Aug 1, 2022
Merged
@richvdh
Copy link
Member Author

richvdh commented Aug 2, 2022

I'd prefer to see the spec updated to reflect what is supposed to happen when the caller wants an empty body (in these endpoints' cases, not using the optional parameters).

this was done in matrix-org/matrix-spec#1185

@richvdh richvdh mentioned this issue Sep 21, 2022
Merged
@richvdh richvdh mentioned this issue Dec 20, 2022
Merged
@richvdh
Copy link
Member Author

richvdh commented Jan 10, 2023

Do we know which clients rely on this behaviour? #14600 will have made it harder to figure out :(.

@DMRobertson DMRobertson mentioned this issue Sep 25, 2023
Closed
@reivilibre reivilibre changed the title Room membership endpoints accept requests with malformed bodies Room membership endpoints (/join, /leave, /forget) accept requests with malformed or no bodies Sep 26, 2023
@matrixbot matrixbot mentioned this issue Dec 21, 2023
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
A-Spec-Compliance places where synapse does not conform to the spec T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@turt2live @richvdh @DMRobertson