From 0ae1f105b22e51802b01f60ef5a386d8b27d7079 Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Tue, 7 Oct 2025 16:23:55 +0100
Subject: [PATCH 1/2] Update `KeyUploadServlet` to handle case where client
 sends `device_keys: null` (#19023)

---
 changelog.d/19023.bugfix       |  1 +
 synapse/rest/client/keys.py    |  6 +++---
 tests/rest/client/test_keys.py | 20 ++++++++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 changelog.d/19023.bugfix

diff --git a/changelog.d/19023.bugfix b/changelog.d/19023.bugfix
new file mode 100644
index 0000000000..816336080e
--- /dev/null
+++ b/changelog.d/19023.bugfix
@@ -0,0 +1 @@
+Fix a bug introduced in 1.139.1 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload).
\ No newline at end of file
diff --git a/synapse/rest/client/keys.py b/synapse/rest/client/keys.py
index 017941bfc4..68be734ccd 100644
--- a/synapse/rest/client/keys.py
+++ b/synapse/rest/client/keys.py
@@ -270,7 +270,7 @@ class KeyUploadServlet(RestServlet):
                 400, "To upload keys, you must pass device_id when authenticating"
             )
 
-        if "device_keys" in body:
+        if "device_keys" in body and isinstance(body["device_keys"], dict):
             # Validate the provided `user_id` and `device_id` fields in
             # `device_keys` match that of the requesting user. We can't do
             # this directly in the pydantic model as we don't have access
@@ -278,13 +278,13 @@ class KeyUploadServlet(RestServlet):
             #
             # TODO: We could use ValidationInfo when we switch to Pydantic v2.
             # https://docs.pydantic.dev/latest/concepts/validators/#validation-info
-            if body["device_keys"]["user_id"] != user_id:
+            if body["device_keys"].get("user_id") != user_id:
                 raise SynapseError(
                     code=HTTPStatus.BAD_REQUEST,
                     errcode=Codes.BAD_JSON,
                     msg="Provided `user_id` in `device_keys` does not match that of the authenticated user",
                 )
-            if body["device_keys"]["device_id"] != device_id:
+            if body["device_keys"].get("device_id") != device_id:
                 raise SynapseError(
                     code=HTTPStatus.BAD_REQUEST,
                     errcode=Codes.BAD_JSON,
diff --git a/tests/rest/client/test_keys.py b/tests/rest/client/test_keys.py
index ef3aef5dc8..817edfb8d3 100644
--- a/tests/rest/client/test_keys.py
+++ b/tests/rest/client/test_keys.py
@@ -160,6 +160,26 @@ class KeyUploadTestCase(unittest.HomeserverTestCase):
             channel.result,
         )
 
+    def test_upload_keys_succeeds_when_fields_are_explicitly_set_to_null(self) -> None:
+        """
+        This is a regression test for https://github.com/element-hq/synapse/pull/19023.
+        """
+        device_id = "DEVICE_ID"
+        self.register_user("alice", "wonderland")
+        alice_token = self.login("alice", "wonderland", device_id=device_id)
+
+        channel = self.make_request(
+            "POST",
+            "/_matrix/client/v3/keys/upload",
+            {
+                "device_keys": None,
+                "one_time_keys": None,
+                "fallback_keys": None,
+            },
+            alice_token,
+        )
+        self.assertEqual(channel.code, HTTPStatus.OK, channel.result)
+
 
 class KeyQueryTestCase(unittest.HomeserverTestCase):
     servlets = [

From abe974cd2b17467c10700cb168748fdeee7b4f9b Mon Sep 17 00:00:00 2001
From: Andrew Morgan <andrew@amorgan.xyz>
Date: Tue, 7 Oct 2025 16:28:59 +0100
Subject: [PATCH 2/2] 1.138.4

---
 CHANGES.md               | 9 +++++++++
 changelog.d/19023.bugfix | 1 -
 debian/changelog         | 6 ++++++
 pyproject.toml           | 2 +-
 4 files changed, 16 insertions(+), 2 deletions(-)
 delete mode 100644 changelog.d/19023.bugfix

diff --git a/CHANGES.md b/CHANGES.md
index cf2c9b634f..9fd0631bd6 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,12 @@
+# Synapse 1.138.4 (2025-10-07)
+
+## Bugfixes
+
+- Fix a bug introduced in 1.138.3 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload). ([\#19023](https://github.com/element-hq/synapse/issues/19023))
+
+
+
+
 # Synapse 1.138.3 (2025-10-07)
 
 ## Security Fixes
diff --git a/changelog.d/19023.bugfix b/changelog.d/19023.bugfix
deleted file mode 100644
index 816336080e..0000000000
--- a/changelog.d/19023.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug introduced in 1.139.1 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload).
\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index f7ebd148a7..d054a94d00 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.138.4) stable; urgency=medium
+
+  * New Synapse release 1.138.4.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 07 Oct 2025 16:28:38 +0100
+
 matrix-synapse-py3 (1.138.3) stable; urgency=medium
 
   * New Synapse release 1.138.3.
diff --git a/pyproject.toml b/pyproject.toml
index 50e8a7ed84..f51d21e66b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -101,7 +101,7 @@ module-name = "synapse.synapse_rust"
 
 [tool.poetry]
 name = "matrix-synapse"
-version = "1.138.3"
+version = "1.138.4"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "AGPL-3.0-or-later"