This project is mirrored from https://github.com/Nheko-Reborn/nheko.git. Pull mirroring updated .
  1. Oct 05, 2022
  2. Oct 03, 2022
  3. Oct 02, 2022
  4. Oct 01, 2022
  5. Sep 30, 2022
  6. Sep 28, 2022
    • Make clazy happy · bffa0115
      Nicolas Werner authored
      Verified
    • Merge branch 'v0.10.2-fixes' · 2fde381a
      Nicolas Werner authored
      Verified
    • Prevent the homeserver from inserting malicious secrets · 67bee15a
      Nicolas Werner authored
      Correctly verify that the reply to a secrets request is actually coming
      from a verified device. While we did verify that it was us who replied,
      we didn't properly cancel storing the secret if the sending device was
      one of ours but was maliciously inserted by the homeserver and
      unverified. We only send secret requests to verified devices in the
      first place, so only the homeserver could abuse this issue.
      
      Additionally we protected against malicious secret poisoning by
      verifying that the secret is actually the reply to a request. This means
      the server only has 2 places where it can poison the secrets:
      
      - After a verification when we automatically request the secrets
      - When the user manually hits the request button
      
      It also needs to prevent other secret answers from reaching the client first
      since we ignore all replies after that one.
      
      The impact of this might be quite severe. It could allow the server to
      replace the cross-signing keys silently and while we might not trust
      that key, we possibly could trust it in the future if we rely on the
      stored secret. Similarly this could potentially be abused to make the
      client trust a malicious online key backup.
      
      If your deployment is not patched yet and you don't control your
      homeserver, you can protect against this by simply not doing any
      verifications of your own devices and not pressing the request button in
      the settings menu.
      Verified
    • If and Else blocks were backwards · 9010acd9
      Joe Donofry authored and Nicolas Werner committed
      Verified
    • Make sure there are no spaces in the status string · e6bbe74a
      Joe Donofry authored and Nicolas Werner committed
      Verified