Previous behavior was causing us to error out of the entire
state_cache::update_membership function when it saw an invalid m.direct,
making it impossible for affected users to join upgraded rooms. This bug
is especially bad if an affected user attempts to upgrade a room,
because we will fail to create their join event in the new room, leaving
both rooms permanently bricked.
The new behavior should never prevent users from joining a room based on
the contents of their account data, and should migrate the `m.direct`
event in a reasonable way even if it is partially corrupted by the
element bug.
This also fixes a bug where the previous implementation will
unintentionally remove any keys that aren't part of the expected
m.direct schema. I don't know of any cases where this came up in
practice.
Fixes: #46
The implementation inside each function is unchanged from the original.
I intend to clean up and fix bugs in later commits, so the diff will be
more clear.
The spec defines that the media endpoints should return 504 when a file
is not-yet-uploaded, which has been interpreted to include when a file
was deleted. Modifies the /media/v3/download/ and /media/r0/thumbnail
endpoints.
ReloadHandle is taken from conduwuit commit
8a5599adf9eafe9111f3d1597f8fb333b8b76849, authored by Benjamin.
Co-authored-by: Benjamin Lee <benjamin@computer.surgery>
This renames:
database_backend -> database.backend
database_path -> database.path
db_cache_capacity_mb -> database.cache_capacity_mb
rocksdb_max_open_files -> database.rocksdb_max_open_files
Charles updated the NixOS module.
Co-authored-by: Charles Hall <charles@computer.surgery>
I hate `log_error`. A better way to do this would be to not reuse the
same error type literally everywhere, so you could distinguish, in
`crate::service::sending::Service::handle_response`, whether to emit an
event based on which function created the error. Fixing that is a lot
more work, though.
This is supported on conduwuit, and I liked it because it's faster for
me to type than tab-completing the bot user, and because it makes it a
little easier to copy-paste admin commands.
This isn't exploitable in any way, it just meant that the bot could
receive and run commands from users who were already in the admin room
despite the bot not being in the room, which also means the bot would be
unable to send response messages.
Now, the bot will simply ignore admin room messages if the bot isn't in
the admin room.
Just `cat` the config file. Also this code would be very annoying to
maintain. Getting rid of this also revealed that another config option
is specific to RocksDB, so `cfg`s for that have been added.
Previously, we only fetched keys once, only requesting them again if we have any missing, allowing for ancient keys to be used to sign PDUs and transactions
Now we refresh keys that either have or are about to expire, preventing attacks that make use of leaked private keys of a homeserver
We also ensure that when validating PDUs or transactions, that they are valid at the origin_server_ts or time of us receiving the transaction respectfully
As to not break event authorization for old rooms, we need to keep old keys around
We move verify_keys which we no longer see in direct requests to the origin to old_verify_keys
We keep old_verify_keys indefinitely as mentioned above, as to not break event authorization (at least until a future MSC addresses this)
Original patch by Matthias. Benjamin just rebased it onto grapevine and
fixed clippy/rustc warnings.
Co-authored-by: Benjamin Lee <benjamin@computer.surgery>
