Fix X-Matrix signature validation for incoming requests

For HTTP/1 requests, an inbound Request's URI contains only the path and query parameters, since there's no way to synthesize the authority part. This is exactly what we need for the X-Matrix "uri" field. HTTP/2 requests however can contain the :authority pseudo-header, which is used to populate the Request's URI. Using a URL that includes an authority breaks the signature check. Largely inspired by conduit MR !631 (https://gitlab.com/famedly/conduit/-/merge_requests/631). Co-authored-by: strawberry <strawberry@puppygock.gay>
2025-12-17 15:51:23 +01:00 · 2024-09-18 21:47:19 +00:00 · 2024-09-18 21:47:19 +00:00 · ca6bc74074
commit ca6bc74074
parent 0d6a7eb968
2 changed files with 13 additions and 1 deletions
--- a/src/api/ruma_wrapper/axum.rs
+++ b/src/api/ruma_wrapper/axum.rs
@ -220,6 +220,16 @@ async fn ar_from_request_inner(
                    CanonicalJsonValue::Object(origin_signatures),
                )]);

+                let x_matrix_uri = parts
+                    .uri
+                    .path_and_query()
+                    .ok_or_else(|| {
+                        Error::BadRequest(
+                            ErrorKind::InvalidParam,
+                            "No HTTP path/query",
+                        )
+                    })?
+                    .to_string();
                let mut request_map = BTreeMap::from_iter([
                    (
                        "method".to_owned(),
@ -227,7 +237,7 @@ async fn ar_from_request_inner(
                    ),
                    (
                        "uri".to_owned(),
-                        CanonicalJsonValue::String(parts.uri.to_string()),
+                        CanonicalJsonValue::String(x_matrix_uri),
                    ),
                    (
                        "origin".to_owned(),