diff --git a/CHANGES.md b/CHANGES.md index 5672caec54..a50d73fda9 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -8,6 +8,17 @@ - Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996)) + + +# Synapse 1.138.4 (2025-10-07) + +## Bugfixes + +- Fix a bug introduced in 1.138.3 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload). ([\#19023](https://github.com/element-hq/synapse/issues/19023)) + + + + # Synapse 1.138.3 (2025-10-07) ## Security Fixes diff --git a/debian/changelog b/debian/changelog index a666727c87..8a90f45d5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,12 @@ matrix-synapse-py3 (1.139.1) stable; urgency=medium -- Synapse Packaging team Tue, 07 Oct 2025 11:46:51 +0100 +matrix-synapse-py3 (1.138.4) stable; urgency=medium + + * New Synapse release 1.138.4. + + -- Synapse Packaging team Tue, 07 Oct 2025 16:28:38 +0100 + matrix-synapse-py3 (1.138.3) stable; urgency=medium * New Synapse release 1.138.3. diff --git a/synapse/rest/client/keys.py b/synapse/rest/client/keys.py index 9d22e22b72..55922b97d4 100644 --- a/synapse/rest/client/keys.py +++ b/synapse/rest/client/keys.py @@ -270,7 +270,7 @@ class KeyUploadServlet(RestServlet): 400, "To upload keys, you must pass device_id when authenticating" ) - if "device_keys" in body: + if "device_keys" in body and isinstance(body["device_keys"], dict): # Validate the provided `user_id` and `device_id` fields in # `device_keys` match that of the requesting user. We can't do # this directly in the pydantic model as we don't have access @@ -278,13 +278,13 @@ class KeyUploadServlet(RestServlet): # # TODO: We could use ValidationInfo when we switch to Pydantic v2. # https://docs.pydantic.dev/latest/concepts/validators/#validation-info - if body["device_keys"]["user_id"] != user_id: + if body["device_keys"].get("user_id") != user_id: raise SynapseError( code=HTTPStatus.BAD_REQUEST, errcode=Codes.BAD_JSON, msg="Provided `user_id` in `device_keys` does not match that of the authenticated user", ) - if body["device_keys"]["device_id"] != device_id: + if body["device_keys"].get("device_id") != device_id: raise SynapseError( code=HTTPStatus.BAD_REQUEST, errcode=Codes.BAD_JSON, diff --git a/tests/rest/client/test_keys.py b/tests/rest/client/test_keys.py index ef3aef5dc8..817edfb8d3 100644 --- a/tests/rest/client/test_keys.py +++ b/tests/rest/client/test_keys.py @@ -160,6 +160,26 @@ class KeyUploadTestCase(unittest.HomeserverTestCase): channel.result, ) + def test_upload_keys_succeeds_when_fields_are_explicitly_set_to_null(self) -> None: + """ + This is a regression test for https://github.com/element-hq/synapse/pull/19023. + """ + device_id = "DEVICE_ID" + self.register_user("alice", "wonderland") + alice_token = self.login("alice", "wonderland", device_id=device_id) + + channel = self.make_request( + "POST", + "/_matrix/client/v3/keys/upload", + { + "device_keys": None, + "one_time_keys": None, + "fallback_keys": None, + }, + alice_token, + ) + self.assertEqual(channel.code, HTTPStatus.OK, channel.result) + class KeyQueryTestCase(unittest.HomeserverTestCase): servlets = [