Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-02-14 18:13:47 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge aa9a203be0 into a6da9443da

Browse source
This commit is contained in:
Tulir Asokan 2026-02-07 20:55:59 +02:00 committed by GitHub
parent a6da9443da aa9a203be0
commit 7a62d3dca8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 205 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
changelogs/server_server/newsfragments/2284.clarification Normal file
View file

@ -0,0 +1 @@
Specified input validation for PDUs passed to and returned from federation membership endpoints.

6
content/server-server-api.md
View file

@ -868,8 +868,10 @@ selecting a resident from the candidate list, and using the
enough information for the joining server to fill in the event. enough information for the joining server to fill in the event.
The joining server is expected to add or replace the `origin`, The joining server is expected to add or replace the `origin`,
`origin_server_ts`, and `event_id` on the templated event received by `origin_server_ts`, and `event_id` on the templated event received by the
the resident server. This event is then signed by the joining server. resident server. The joining server MUST also verify that the `type`, `room_id`,
`sender`, `state_key` and `content.membership` fields have the expected values.
This event is then signed by the joining server.
To complete the join handshake, the joining server submits this new event To complete the join handshake, the joining server submits this new event
to the resident server it used for `GET /make_join`, using the `PUT /send_join` to the resident server it used for `GET /make_join`, using the `PUT /send_join`

42
data/api/server-server/invites-v1.yaml
View file

@ -36,6 +36,30 @@ paths:
Also note that if the remote homeserver is already in the room, it will receive the Also note that if the remote homeserver is already in the room, it will receive the
invite event twice; once through this endpoint, and again through a [federation invite event twice; once through this endpoint, and again through a [federation
transaction](/server-server-api/#transactions). transaction](/server-server-api/#transactions).
Servers MUST apply certain validation to ensure they don't accidentally sign non-invite
events from a malicious server. The `M_MISSING_PARAM` error code is used to indicate one
or more of the following:
* The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `invite`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not a user ID on the receiving server.
The `M_MISSING_PARAM` error code is also used to indicate one or more of the following
problems in the `invite_room_state` field:
* The `m.room.create` event is missing from `invite_room_state`.
* One or more entries in `invite_room_state` are not formatted according
to the room's version.
* One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* One or more events does not reside in the same room as the invite.
Note: Some room versions may require calculating the room ID for an
event rather than relying on the presence of `room_id`.
Servers MAY apply the `invite_room_state` validation to room versions 1 through 11,
and SHOULD apply the validation to all other room versions.
operationId: sendInviteV1 operationId: sendInviteV1
security: security:
- signedRequest: [] - signedRequest: []
@ -178,23 +202,7 @@ paths:
} }
"400": "400":
description: |- description: |-
The `M_MISSING_PARAM` error code is used to indicate one or more of The request is invalid in some way.
the following:
* The `m.room.create` event is missing from `invite_room_state`.
* One or more entries in `invite_room_state` are not formatted according
to the room's version.
* One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* One or more events does not reside in the same room as the invite.
Note: Some room versions may require calculating the room ID for an
event rather than relying on the presence of `room_id`.
Servers MAY apply the validation above to room versions 1 through 11,
and SHOULD apply the validation above to all other room versions.
If `M_MISSING_PARAM` is returned and the request is associated with a
Client-Server API request, the Client-Server API request SHOULD fail
with a 5xx error rather than being passed through.
content: content:
application/json: application/json:
schema: schema:

38
data/api/server-server/invites-v2.yaml
View file

@ -40,6 +40,30 @@ paths:
Also note that if the remote homeserver is already in the room, it will receive the Also note that if the remote homeserver is already in the room, it will receive the
invite event twice; once through this endpoint, and again through a [federation invite event twice; once through this endpoint, and again through a [federation
transaction](/server-server-api/#transactions). transaction](/server-server-api/#transactions).
Servers MUST apply certain validation to ensure they don't accidentally sign non-invite
events from a malicious server. The `M_MISSING_PARAM` error code is used to indicate one
or more of the following:
* The invite event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `invite`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not a user ID on the receiving server.
The `M_MISSING_PARAM` error code is also used to indicate one or more of the following
problems in the `invite_room_state` field:
* The `m.room.create` event is missing from `invite_room_state`.
* One or more entries in `invite_room_state` are not formatted according
to the room's version.
* One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* One or more events does not reside in the same room as the invite.
Note: Some room versions may require calculating the room ID for an
event rather than relying on the presence of `room_id`.
Servers MAY apply the `invite_room_state` validation to room versions 1 through 11,
and SHOULD apply the validation to all other room versions.
operationId: sendInviteV2 operationId: sendInviteV2
security: security:
- signedRequest: [] - signedRequest: []
@ -154,20 +178,6 @@ paths:
The error should be passed through to clients so that they The error should be passed through to clients so that they
may give better feedback to users. may give better feedback to users.
The `M_MISSING_PARAM` error code is used to indicate one or more of
the following:
* The `m.room.create` event is missing from `invite_room_state`.
* One or more entries in `invite_room_state` are not formatted according
to the room's version.
* One or more events fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* One or more events does not reside in the same room as the invite.
Note: Some room versions may require calculating the room ID for an
event rather than relying on the presence of `room_id`.
Servers MAY apply the validation above to room versions 1 through 11,
and SHOULD apply the validation above to all other room versions.
If `M_MISSING_PARAM` is returned and the request is associated with a If `M_MISSING_PARAM` is returned and the request is associated with a
Client-Server API request, the Client-Server API request SHOULD fail Client-Server API request, the Client-Server API request SHOULD fail
with a 5xx error rather than being passed through. with a 5xx error rather than being passed through.

49
data/api/server-server/joins-v1.yaml
View file

@ -23,6 +23,17 @@ paths:
description: |- description: |-
Asks the receiving server to return information that the sending Asks the receiving server to return information that the sending
server will need to prepare a join event to get into the room. server will need to prepare a join event to get into the room.
Before signing the returned template and calling `/send_join`,
the sending server MUST verify that:
* the `room_id` is equal to the `roomId` path parameter.
* both the `sender` and `state_key` are equal to the `userId` path parameter.
* the `type` of the event is `m.room.member`.
* the `membership` field inside `content` is `join`.
In case any of the above checks fail, the response MUST be treated as malformed and
discarded. The caller MAY try to join through another server.
operationId: makeJoin operationId: makeJoin
security: security:
- signedRequest: [] - signedRequest: []
@ -36,7 +47,7 @@ paths:
type: string type: string
- in: path - in: path
name: userId name: userId
description: The user ID the join event will be for. description: The user ID the join event will be for. This MUST be a user ID on the origin server.
required: true required: true
example: "@someone:example.org" example: "@someone:example.org"
schema: schema:
@ -238,6 +249,15 @@ paths:
**The request and response body here describe the common **The request and response body here describe the common
event fields in more detail and may be missing other required event fields in more detail and may be missing other required
fields for a PDU.** fields for a PDU.**
The receiving server MUST apply certain validation before accepting the event.
The `M_INVALID_PARAM` error code is used to indicate one or more of the following:
* The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `join`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not equal to the `sender`.
operationId: sendJoinV1 operationId: sendJoinV1
security: security:
- signedRequest: [] - signedRequest: []
@ -388,6 +408,33 @@ paths:
} }
} }
] ]
"400":
description: |-
The request is invalid in some way.
content:
application/json:
schema:
$ref: ../client-server/definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_INVALID_PARAM",
"error": "Not a join event."
}
"403":
description: |-
The room that the joining server is attempting to join does not permit the user
to join.
content:
application/json:
schema:
$ref: ../client-server/definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_FORBIDDEN",
"error": "You are not invited to this room"
}
servers: servers:
- url: "{protocol}://{hostname}{basePath}" - url: "{protocol}://{hostname}{basePath}"
variables: variables:

13
data/api/server-server/joins-v2.yaml
View file

@ -38,6 +38,15 @@ paths:
**The request and response body here describe the common **The request and response body here describe the common
event fields in more detail and may be missing other required event fields in more detail and may be missing other required
fields for a PDU.** fields for a PDU.**
The receiving server MUST apply certain validation before accepting the event.
The `M_INVALID_PARAM` error code is used to indicate one or more of the following:
* The join event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `join`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not equal to the `sender`.
operationId: sendJoinV2 operationId: sendJoinV2
security: security:
- signedRequest: [] - signedRequest: []
@ -247,6 +256,10 @@ paths:
The error should be passed through to clients so that they The error should be passed through to clients so that they
may give better feedback to users. may give better feedback to users.
If `M_MISSING_PARAM` is returned and the request is associated with a
Client-Server API request, the Client-Server API request SHOULD fail
with a 5xx error rather than being passed through.
New in `v1.2`, the following error conditions might happen: New in `v1.2`, the following error conditions might happen:
If the room is [restricted](/client-server-api/#restricted-rooms) If the room is [restricted](/client-server-api/#restricted-rooms)

35
data/api/server-server/knocks.yaml
View file

@ -23,6 +23,17 @@ paths:
description: |- description: |-
Asks the receiving server to return information that the sending Asks the receiving server to return information that the sending
server will need to prepare a knock event for the room. server will need to prepare a knock event for the room.
Before signing the returned template and calling `/send_knock`,
the sending server MUST verify that:
* the `room_id` is equal to the `roomId` path parameter.
* both the `sender` and `state_key` are equal to the `userId` path parameter.
* the `type` of the event is `m.room.member`.
* the `membership` field inside `content` is `knock`.
In case any of the above checks fail, the response MUST be treated as malformed and
discarded. The caller MAY try to knock through another server.
operationId: makeKnock operationId: makeKnock
security: security:
- signedRequest: [] - signedRequest: []
@ -36,7 +47,7 @@ paths:
type: string type: string
- in: path - in: path
name: userId name: userId
description: The user ID the knock event will be for. description: The user ID the knock event will be for. This MUST be a user ID on the origin server.
required: true required: true
example: "@someone:example.org" example: "@someone:example.org"
schema: schema:
@ -204,6 +215,15 @@ paths:
**The request and response body here describe the common **The request and response body here describe the common
event fields in more detail and may be missing other required event fields in more detail and may be missing other required
fields for a PDU.** fields for a PDU.**
The receiving server MUST apply certain validation before accepting the event.
The `M_INVALID_PARAM` error code is used to indicate one or more of the following:
* The knock event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `knock`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not equal to the `sender`.
operationId: sendKnock operationId: sendKnock
security: security:
- signedRequest: [] - signedRequest: []
@ -330,6 +350,19 @@ paths:
"$ref": "./examples/invite_or_knock_state.json" "$ref": "./examples/invite_or_knock_state.json"
} }
} }
"400":
description: |-
The request is invalid in some way.
content:
application/json:
schema:
$ref: ../client-server/definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_INVALID_PARAM",
"error": "Not a knock event."
}
"403": "403":
description: |- description: |-
The knocking server or user is not permitted to knock on the room, such as when the The knocking server or user is not permitted to knock on the room, such as when the

35
data/api/server-server/leaving-v1.yaml
View file

@ -23,6 +23,17 @@ paths:
description: |- description: |-
Asks the receiving server to return information that the sending Asks the receiving server to return information that the sending
server will need to prepare a leave event to get out of the room. server will need to prepare a leave event to get out of the room.
Before signing the returned template and calling `/send_leave`,
the sending server MUST verify that:
* the `room_id` is equal to the `roomId` path parameter.
* both the `sender` and `state_key` are equal to the `userId` path parameter.
* the `type` of the event is `m.room.member`.
* the `membership` field inside `content` is `leave`.
In case any of the above checks fail, the response MUST be treated as malformed and
discarded. The caller MAY try to leave through another server.
operationId: makeLeave operationId: makeLeave
security: security:
- signedRequest: [] - signedRequest: []
@ -36,7 +47,7 @@ paths:
type: string type: string
- in: path - in: path
name: userId name: userId
description: The user ID the leave event will be for. description: The user ID the leave event will be for. This MUST be a user ID on the origin server.
required: true required: true
example: "@someone:example.org" example: "@someone:example.org"
schema: schema:
@ -153,6 +164,15 @@ paths:
**The request and response body here describe the common **The request and response body here describe the common
event fields in more detail and may be missing other required event fields in more detail and may be missing other required
fields for a PDU.** fields for a PDU.**
The receiving server MUST apply certain validation before accepting the event.
The `M_INVALID_PARAM` error code is used to indicate one or more of the following:
* The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `leave`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not equal to the `sender`.
operationId: sendLeaveV1 operationId: sendLeaveV1
security: security:
- signedRequest: [] - signedRequest: []
@ -249,6 +269,19 @@ paths:
200, 200,
{} {}
] ]
"400":
description: |-
The request is invalid in some way.
content:
application/json:
schema:
$ref: ../client-server/definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_INVALID_PARAM",
"error": "Not a leave event."
}
servers: servers:
- url: "{protocol}://{hostname}{basePath}" - url: "{protocol}://{hostname}{basePath}"
variables: variables:

22
data/api/server-server/leaving-v2.yaml
View file

@ -38,6 +38,15 @@ paths:
**The request and response body here describe the common **The request and response body here describe the common
event fields in more detail and may be missing other required event fields in more detail and may be missing other required
fields for a PDU.** fields for a PDU.**
The receiving server MUST apply certain validation before accepting the event.
The `M_INVALID_PARAM` error code is used to indicate one or more of the following:
* The leave event fails a [signature check](/server-server-api/#validating-hashes-and-signatures-on-received-events).
* The event type is not `m.room.member`.
* The `membership` field inside the event content is not `leave`.
* The event sender is not a user ID on the origin server.
* The `state_key` is not equal to the `sender`.
operationId: sendLeaveV2 operationId: sendLeaveV2
security: security:
- signedRequest: [] - signedRequest: []
@ -134,6 +143,19 @@ paths:
examples: examples:
response: response:
value: {} value: {}
"400":
description: |-
The request is invalid in some way.
content:
application/json:
schema:
$ref: ../client-server/definitions/errors/error.yaml
examples:
response:
value: {
"errcode": "M_INVALID_PARAM",
"error": "Not a leave event."
}
servers: servers:
- url: "{protocol}://{hostname}{basePath}" - url: "{protocol}://{hostname}{basePath}"
variables: variables: