From a560ccb08413684d534a0fced1a3bbd42ccdb19b Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 29 Sep 2020 11:24:38 +0100
Subject: [PATCH 1/3] Only assert valid next_link params when provided
---
 synapse/rest/client/v2_alpha/account.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index c3ce0f62592a..9245214f36eb 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -103,8 +103,9 @@ async def on_POST(self, request):
 Codes.THREEPID_DENIED,
 )

- # Raise if the provided next_link value isn't valid
- assert_valid_next_link(self.hs, next_link)
+ if next_link:
+ # Raise if the provided next_link value isn't valid
+ assert_valid_next_link(self.hs, next_link)

 # The email will be sent to the stored address.
 # This avoids a potential account hijack by requesting a password reset to
@@ -379,8 +380,9 @@ async def on_POST(self, request):
 Codes.THREEPID_DENIED,
 )

- # Raise if the provided next_link value isn't valid
- assert_valid_next_link(self.hs, next_link)
+ if next_link:
+ # Raise if the provided next_link value isn't valid
+ assert_valid_next_link(self.hs, next_link)

 existing_user_id = await self.store.get_user_id_by_threepid("email", email)

@@ -453,8 +455,9 @@ async def on_POST(self, request):
 Codes.THREEPID_DENIED,
 )

- # Raise if the provided next_link value isn't valid
- assert_valid_next_link(self.hs, next_link)
+ if next_link:
+ # Raise if the provided next_link value isn't valid
+ assert_valid_next_link(self.hs, next_link)

 existing_user_id = await self.store.get_user_id_by_threepid("msisdn", msisdn)

From 6e138d660f76aabcc64846652caf04c756b99c78 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 29 Sep 2020 11:30:29 +0100
Subject: [PATCH 2/3] Changelog
---
 changelog.d/8417.feature | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/8417.feature
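Review bot: The new guard `if next_link:` in the hunk at -103 tests truthiness, so an empty string or any other falsy value the client did send also skips `assert_valid_next_link`, which is wider than the "when provided" of the commit subject. That is safe only if every later use of `next_link` in these handlers treats falsy values as absent as well; where the value is read and consumed lies outside the hunk, so this is worth confirming. If the intent is strictly "parameter omitted", `if next_link is not None:` states it, otherwise a comment such as `# Falsy next_link (absent or empty) is never used as a redirect target, so it needs no validation` would record the assumption. The same guard is repeated in the hunks at -379 and -453; letting `assert_valid_next_link` accept `None` and return early would keep the three call sites from drifting apart. Each `on_POST` body starts and ends outside its hunk.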
diff --git a/changelog.d/8417.feature b/changelog.d/8417.feature
new file mode 100644
index 000000000000..17549c3df39a
--- /dev/null
+++ b/changelog.d/8417.feature
@@ -0,0 +1 @@
+Add a config option to specify a whitelist of domains that a user can be redirected to after validating their email or phone number.
\ No newline at end of file
From 33b5bf088db25273b6a7523e332fc8a29d89003a Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 29 Sep 2020 11:39:19 +0100
Subject: [PATCH 3/3] Add a regression test
---
 tests/rest/client/v2_alpha/test_account.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tests/rest/client/v2_alpha/test_account.py b/tests/rest/client/v2_alpha/test_account.py
index 93f899d86133..ae2cd67f35de 100644
--- a/tests/rest/client/v2_alpha/test_account.py
+++ b/tests/rest/client/v2_alpha/test_account.py
@@ -732,6 +732,12 @@ def test_next_link_file_uri(self):
 @override_config({"next_link_domain_whitelist": ["example.com", "example.org"]})
 def test_next_link_domain_whitelist(self):
 """Tests next_link parameters must fit the whitelist if provided"""
+
+ # Ensure not providing a next_link parameter still works
+ self._request_token(
+ "something@example.com", "some_secret", next_link=None, expect_code=200,
+ )
+
 self._request_token(
 "something@example.com",
 "some_secret",
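Review bot: The regression case is added inside `test_next_link_domain_whitelist`, so the no-next_link path is exercised only with a whitelist configured and only through `_request_token`; the commit changes three handlers, and which of them this helper reaches is not visible here. A separate test under the default configuration, plus equivalent cases for the other two token endpoints, would pin the fix at each place it was made. Because the guard in account.py is a truthiness check, a `next_link=""` case would also document whether an empty value is meant to be accepted. The test body continues past the end of the hunk.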