From d921b81c703d8845dc6ea5894880d47564e90a21 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Wed, 29 Aug 2018 14:17:52 +0100 Subject: [PATCH 1/2] Reject events with superfluous auth_events entries --- specification/server_server_api.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/specification/server_server_api.rst b/specification/server_server_api.rst index f2d14738..fb221357 100644 --- a/specification/server_server_api.rst +++ b/specification/server_server_api.rst @@ -365,6 +365,12 @@ The rules are as follows: c. Reject if ``content.room_version`` key is an unrecognized version d. Otherwise, allow. +#. Reject if event has ``auth_events`` that: + + a. have duplicate entries for a given ``type`` and ``state_key`` pair + #. have entries whose ``type`` and ``state_key`` don't match those + specified by the algorithm described previously. + #. Reject if event does not have a ``m.room.create`` in its ``auth_events`` #. If type is ``m.room.aliases``: From 080845ac1c50dcc3479c819abced912aa20a8cd5 Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Fri, 31 Aug 2018 11:53:21 +0100 Subject: [PATCH 2/2] Add link to previous section --- specification/server_server_api.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/specification/server_server_api.rst b/specification/server_server_api.rst index e5bff698..74704faf 100644 --- a/specification/server_server_api.rst +++ b/specification/server_server_api.rst @@ -308,6 +308,8 @@ creating a new event in this room should populate the new event's | E4 +.. _`auth events selection`: + The ``auth_events`` field of a PDU identifies the set of events which give the sender permission to send the event. The ``auth_events`` for the ``m.room.create`` event in a room is empty; for other events, it should be the 
@@ -384,7 +386,7 @@ The rules are as follows: a. have duplicate entries for a given ``type`` and ``state_key`` pair #. have entries whose ``type`` and ``state_key`` don't match those - specified by the algorithm described previously. + specified by the `auth events selection`_ algorithm described above. #. If event does not have a ``m.room.create`` in its ``auth_events``, reject.
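
Review bot: In [PATCH 1/2], sub-item b of the new rule ("have entries whose ``type`` and ``state_key`` don't match those specified by the algorithm described previously") does not say which algorithm it means. It also does not say whether an event that omits one of the selected auth events is in scope, or only an event that carries extra ones. Suggest naming the selection algorithm explicitly and stating that this rule covers superfluous entries only. The next rule already treats a missing ``m.room.create`` as its own rejection, so the split between "extra" and "missing" should be spelled out rather than left to the subject line.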
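
Review bot: In [PATCH 2/2], the ``auth events selection`` target added in the first hunk labels a paragraph that says the ``auth_events`` of other events "should be" the selected set, while the rule that now links to it rejects events whose entries deviate from that set. Suggest aligning the wording of the labelled paragraph with the reject rule, or noting there that receiving servers enforce the selection, so the two places agree on how binding it is.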
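
Review bot: In [PATCH 2/2], the replacement line in the second hunk keeps the positional phrase "described above" after the new `auth events selection`_ link. The link already identifies the text, and the phrase goes stale if the sections are ever reordered. Suggest ending the item at "specified by the `auth events selection`_ algorithm."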