Merge tag 'v0.31.1'

Changes in synapse v0.31.1 (2018-06-08) ======================================= v0.31.1 fixes a security bug in the ``get_missing_events`` federation API where event visibility rules were not applied correctly. We are not aware of it being actively exploited but please upgrade asap. Bug Fixes: * Fix event filtering in get_missing_events handler (PR #3371)
matrix-org · Jun 8, 2018 · 1032393 · 1032393
2 parents 752b7b3 + aefcc0f
commit 1032393
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,15 +1,27 @@
+Changes in synapse v0.31.1 (2018-06-08)
+=======================================
+
+v0.31.1 fixes a security bug in the ``get_missing_events`` federation API
+where event visibility rules were not applied correctly.
+
+We are not aware of it being actively exploited but please upgrade asap.
+
+Bug Fixes:
+
+* Fix event filtering in get_missing_events handler (PR #3371)
+
 Changes in synapse v0.31.0 (2018-06-06)
 =======================================
 
-Most notable change from v0.30.0 is to switch to python prometheus library to improve system
-stats reporting. WARNING this changes a number of prometheus metrics in a
+Most notable change from v0.30.0 is to switch to the python prometheus library to improve system
+stats reporting. WARNING: this changes a number of prometheus metrics in a
 backwards-incompatible manner. For more details, see
 `docs/metrics-howto.rst <docs/metrics-howto.rst#removal-of-deprecated-metrics--time-based-counters-becoming-histograms-in-0310>`_.
 
 Bug Fixes:
 
 * Fix metric documentation tables (PR #3341)
-* Fix LaterGuage error handling (694968f)
+* Fix LaterGauge error handling (694968f)
 * Fix replication metrics (b7e7fd2)
 
 Changes in synapse v0.31.0-rc1 (2018-06-04)
@@ -29,7 +41,6 @@ Changes:
 * Remove users from user directory on deactivate (PR #3277)
 * Avoid sending consent notice to guest users (PR #3288)
 * disable CPUMetrics if no /proc/self/stat (PR #3299)
-* Add local and loopback IPv6 addresses to url_preview_ip_range_blacklist (PR #3312) Thanks to @thegcat!
 * Consistently use six's iteritems and wrap lazy keys/values in list() if they're not meant to be lazy (PR #3307)
 * Add private IPv6 addresses to example config for url preview blacklist (PR #3317) Thanks to @thegcat!
 * Reduce stuck read-receipts: ignore depth when updating (PR #3318)

diff --git a/synapse/__init__.py b/synapse/__init__.py
@@ -16,4 +16,4 @@
 """ This is a reference implementation of a Matrix home server.
 """
 
-__version__ = "0.31.0"
+__version__ = "0.31.1"
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
@@ -1794,6 +1794,10 @@ def on_get_missing_events(self, origin, room_id, earliest_events,
             min_depth=min_depth,
         )
 
+        missing_events = yield self._filter_events_for_server(
+            origin, room_id, missing_events,
+        )
+
         defer.returnValue(missing_events)
 
     @defer.inlineCallbacks