Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optional whitespace support in Authorization (#1350) #17145

Merged
merged 3 commits into from
May 8, 2024

Conversation

Timshel
Copy link
Contributor

@Timshel Timshel commented May 2, 2024

Fix #1350 by adding support for optional whitespace around ,.

Additionally,

  • used \s which is more lax than the spec since OWS is defined as *( SP / HTAB )
  • Added the X-Matrix part to the regex ^X-Matrix\s+ to make more clear what it's doing. Added it as insensitive to lower probability of issues, but since it was not checking the X-Matrix part before it could create issues.
  • On the whitespace handling of this part replaced + with \s+ since the parsing appear to be more lax than the spec (which if I understand correctly mandate only one space, cf 1*SP)

Will of course remove it if you believe it should not be included.

@Timshel Timshel requested a review from a team as a code owner May 2, 2024 15:28
@CLAassistant
Copy link

CLAassistant commented May 2, 2024

CLA assistant check
All committers have signed the CLA.

@Timshel
Copy link
Contributor Author

Timshel commented May 2, 2024

Concerning the CLA has no issue with signing it but would prefer to do it only if/when the PR is ready to be merged.

Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As the spec mentions RFC7235 explicitly for the format of the Authorization header's value, it seems that we should indeed attempt to follow it.

We need to be careful with being more lax than the spec, lest other homeserver implementations start to rely on Synapse's behaviour, and then fail when they encounter other homeservers that follow the spec to the letter.

  • Added the X-Matrix part to the regex ^X-Matrix\s+ to make more clear what it's doing. Added it as insensitive to lower probability of issues, but since it was not checking the X-Matrix part before it could create issues.

Note that we already check that the value of Authorization starts with X-Matrix (case-sensitive) here:

if auth.startswith(b"X-Matrix"):

Thus the case-insensitivity here won't apply unless we also make that check case-insensitive. However, as the spec doesn't allow X-Matrix to be lowercase, I think we should keep the check case-sensitive.

  • On the whitespace handling of this part replaced + with \s+ since the parsing appear to be more lax than the spec (which if I understand correctly mandate only one space, cf 1*SP)

RFC5234 defines SP as %x20, aka hexadecimal 20, or simply . Therefore \s, which matches any whitespace character, is not the same. Indeed, RFC7235 mandates 1*SP.

I also think that the spec should be updated to mention in its summary of RFC7235 that spaces and tabs are allowed around commas. This would help prevent implementations from drifting apart. I don't currently see a relevant issue. I can open one, unless you'd like to.

synapse/federation/transport/server/_base.py Outdated Show resolved Hide resolved
synapse/federation/transport/server/_base.py Outdated Show resolved Hide resolved
@Timshel Timshel force-pushed the fix/1350 branch 2 times, most recently from 77711ee to 4bce0e2 Compare May 7, 2024 17:53
@Timshel
Copy link
Contributor Author

Timshel commented May 7, 2024

Hey,
Rebased and forced pushed the change since there is not much code.

I also think that the spec should be updated to mention in its summary of RFC7235 that spaces and tabs are allowed around commas. This would help prevent implementations from drifting apart. I don't currently see a relevant issue. I can open one, unless you'd like to.

I'll let you tackle this one, maybe next time :).

Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks good to me. Spec issue written up at matrix-org/matrix-spec#1817.

@anoadragon453 anoadragon453 enabled auto-merge (squash) May 8, 2024 09:52
@Timshel
Copy link
Contributor Author

Timshel commented May 8, 2024

Had the notif for the failed test will add the changelog later today.

@anoadragon453 anoadragon453 disabled auto-merge May 8, 2024 10:07
@anoadragon453
Copy link
Member

Before merging, I've just made a call out out to others to ask if anyone has any concerns with this change accidentally introducing incompatibilities.

@anoadragon453
Copy link
Member

Initial reactions are positive. I've made a PR to the spec to add a note about the whitespace to the summary: matrix-org/matrix-spec#1818

changelog.d/17145.bugfix Outdated Show resolved Hide resolved
@anoadragon453 anoadragon453 enabled auto-merge (squash) May 8, 2024 13:34
@anoadragon453 anoadragon453 merged commit 34a8652 into element-hq:develop May 8, 2024
38 checks passed
@Timshel Timshel deleted the fix/1350 branch May 8, 2024 13:58
yingziwu added a commit to yingziwu/synapse that referenced this pull request Jun 7, 2024
No significant changes since 1.108.0rc1.

- Add a feature that allows clients to query the configured federation whitelist. Disabled by default. ([\#16848](element-hq/synapse#16848), [\#17199](element-hq/synapse#17199))
- Add the ability to allow numeric user IDs with a specific prefix when in the CAS flow. Contributed by Aurélien Grimpard. ([\#17098](element-hq/synapse#17098))

- Fix bug where push rules would be empty in `/sync` for some accounts. Introduced in v1.93.0. ([\#17142](element-hq/synapse#17142))
- Add support for optional whitespace around the Federation API's `Authorization` header's parameter commas. ([\#17145](element-hq/synapse#17145))
- Fix bug where disabling room publication prevented public rooms being created on workers. ([\#17177](element-hq/synapse#17177), [\#17184](element-hq/synapse#17184))

- Document [`/v1/make_knock`](https://spec.matrix.org/v1.10/server-server-api/#get_matrixfederationv1make_knockroomiduserid) and [`/v1/send_knock/`](https://spec.matrix.org/v1.10/server-server-api/#put_matrixfederationv1send_knockroomideventid) federation endpoints as worker-compatible. ([\#17058](element-hq/synapse#17058))
- Update User Admin API with note about prefixing OIDC external_id providers. ([\#17139](element-hq/synapse#17139))
- Clarify the state of the created room when using the `autocreate_auto_join_room_preset` config option. ([\#17150](element-hq/synapse#17150))
- Update the Admin FAQ with the current libjemalloc version for latest Debian stable. Additionally update the name of the "push_rules" stream in the Workers documentation. ([\#17171](element-hq/synapse#17171))

- Add note to reflect that [MSC3886](matrix-org/matrix-spec-proposals#3886) is closed but will remain supported for some time. ([\#17151](element-hq/synapse#17151))
- Update dependency PyO3 to 0.21. ([\#17162](element-hq/synapse#17162))
- Fixes linter errors found in PR #17147. ([\#17166](element-hq/synapse#17166))
- Bump black from 24.2.0 to 24.4.2. ([\#17170](element-hq/synapse#17170))
- Cache literal sync filter validation for performance. ([\#17186](element-hq/synapse#17186))
- Improve performance by fixing a reactor pause. ([\#17192](element-hq/synapse#17192))
- Route `/make_knock` and `/send_knock` federation APIs to the federation reader worker in Complement test runs. ([\#17195](element-hq/synapse#17195))
- Prepare sync handler to be able to return different sync responses (`SyncVersion`). ([\#17200](element-hq/synapse#17200))
- Organize the sync cache key parameter outside of the sync config (separate concerns). ([\#17201](element-hq/synapse#17201))
- Refactor `SyncResultBuilder` assembly to its own function. ([\#17202](element-hq/synapse#17202))
- Rename to be obvious: `joined_rooms` -> `joined_room_ids`. ([\#17203](element-hq/synapse#17203), [\#17208](element-hq/synapse#17208))
- Add a short pause when rate-limiting a request. ([\#17210](element-hq/synapse#17210))

* Bump cryptography from 42.0.5 to 42.0.7. ([\#17180](element-hq/synapse#17180))
* Bump gitpython from 3.1.41 to 3.1.43. ([\#17181](element-hq/synapse#17181))
* Bump immutabledict from 4.1.0 to 4.2.0. ([\#17179](element-hq/synapse#17179))
* Bump sentry-sdk from 1.40.3 to 2.1.1. ([\#17178](element-hq/synapse#17178))
* Bump serde from 1.0.200 to 1.0.201. ([\#17183](element-hq/synapse#17183))
* Bump serde_json from 1.0.116 to 1.0.117. ([\#17182](element-hq/synapse#17182))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

M_UNAUTHORIZED if 'Authorization' header value contains optional whitespace for federation requests (SYN-437)
4 participants