We became aware today of a flaw in sydent’s validation of email addresses which can lead to a failure to correctly limit registration to a given email domain. This only affects people who run their own sydent and are relying on allowed_local_3pids in their synapse config. We’d like to thank @fs0c131y for bringing it to our attention on Twitter this morning. We are not aware of this being exploited in the wild other than the initial report.
If you are running your own sydent, and limiting signup for your server using the allowed_local_3pids configuration option, then you need to upgrade your sydent immediately to Sydent 1.0.2.
Meanwhile, if you have been relying on the allowed_local_3pids configuration option to restrict access to your homeserver, you may wish to check your homeserver’s user_threepids table for malformed email addresses and your sydent’s database as follows:

    $ sqlite3 sydent.db
    sqlite> select count(*) from global_threepid_associations where address like '%@%@%';
    0
    $ psql matrix
    matrix=> select count(*) from user_threepids where address like '%@%@%';
     count
    -------
         0
If the queries return more than 0 results, please let us know at [email protected] - otherwise you are fine.
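The same check, run over a constructed in-memory copy of the sydent table, together with a stricter 3PID validator of the kind a homeserver operator might apply alongside allowed_local_3pids. This is an added example, not sydent or synapse code: the table schema, the sample rows and the allowed_local_3pids rule are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for sydent's global_threepid_associations
# table; every address here is made up for this example.
SAMPLE_ROWS = [
    ("email", "alice@example.org"),
    ("email", "bob@example.org"),
    ("email", "mallory@evil.example@example.org"),  # two '@' signs
    ("msisdn", "447700900123"),
]

# Hypothetical allowed_local_3pids entry: only example.org email addresses.
ALLOWED_LOCAL_3PIDS = [{"medium": "email", "pattern": r".*@example\.org"}]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table with the name and columns the advisory queries (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE global_threepid_associations (medium TEXT, address TEXT)")
    conn.executemany("INSERT INTO global_threepid_associations VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_malformed_addresses(conn: sqlite3.Connection) -> list:
    """Run the advisory's check: return every address containing more than one '@'."""
    rows = conn.execute(
        "SELECT address FROM global_threepid_associations WHERE address LIKE '%@%@%'"
    ).fetchall()
    return [r[0] for r in rows]


def is_permitted_3pid(medium: str, address: str, allowed=ALLOWED_LOCAL_3PIDS) -> bool:
    """Stricter than a bare regex match: an email address must contain exactly
    one '@', and the pattern must match the whole address (fullmatch, not search).
    Note that '.*@example\\.org' alone would still fullmatch the two-'@' sample."""
    if medium == "email" and address.count("@") != 1:
        return False
    return any(
        rule["medium"] == medium and re.fullmatch(rule["pattern"], address) is not None
        for rule in allowed
    )
```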
A flaw existed in sydent whereby it was possible to bypass the requirement specified in synapse’s allowed_local_3pids option, which restricts users to registering only with an email address matching a specific format.
This relied on two things:
You can get sydent 1.0.2 from https://github.com/matrix-org/sydent/releases/tag/v1.0.2.