From 7fa4fa98628593c1a963f5aa8dbc3657d604b047 Mon Sep 17 00:00:00 2001 From: timedout Date: Sun, 21 Dec 2025 10:58:50 +0000 Subject: [PATCH] fix: Also check sender origin --- src/api/server/invite.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/api/server/invite.rs b/src/api/server/invite.rs index dac66a99..e017c171 100644 --- a/src/api/server/invite.rs +++ b/src/api/server/invite.rs @@ -90,6 +90,16 @@ pub(crate) async fn create_invite_route( ))); } + // Ensure the sending user isn't a lying bozo + let sender_server = signed_event + .get("sender") + .try_into() + .map(UserId::server_name) + .map_err(|e| err!(Request(InvalidParam("Invalid sender property: {e}"))))?; + if sender_server != body.origin() { + return Err!(Request(Forbidden("Sender's server does not match the origin server.",))); + } + // Ensure the target user belongs to this server let recipient_user: OwnedUserId = signed_event .get("state_key")