Synapse can be triggered to send emails in cases where it shouldnt #19477

@ll-SKY-ll

Description

By making a request to this endpoint, like so:

curl -XPOST https://matrix.codestorm.net/_matrix/client/v3/register/email/requestToken \
  -H 'Content-Type: application/json' \
  -d '{
  "client_secret": "monkeys_are_GREAT",
  "email": "alice@example.org",
  "send_attempt": 1
}'

Synapse will send an email to the address specified in the above request even if there is no single registration flow available that requires only an email verification, and without the requester ever having entered a valid registration token. For example, in my case the stages were:

[{"stages":["m.login.registration_token","m.login.dummy"]},{"stages":["m.login.registration_token","m.login.email.identity"]}]

Imo the verification email should only be sent after completing all other requirements of a given stage.
This is an issue for more private servers, which can thus be instructed to send random emails to arbitrary recipients and risk getting flagged as spammy email senders at some point.

Steps to reproduce

  • configure email on your Synapse server
  • enable registration_requires_token
  • make a request to the endpoint above

Homeserver

codestorm.net

Synapse Version

1.147.1

Installation Method

Debian packages from packages.matrix.org

Database

PSQL 18

Workers

Multiple workers

Platform

.

Configuration

No response

Relevant log output

.

Anything else that would be useful to know?

No response
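The gating the report asks for, written out as an added example that is not Synapse's own code: a hypothetical check in front of the mail sender that only lets a requestToken call dispatch an email when m.login.email.identity is the sole outstanding stage of some advertised registration flow, plus the send_attempt dedupe the spec already defines. The flows are the ones from the report, embedded as a constructed sample; the class name RequestTokenGate, its handle() method and its return strings are invented for illustration. It also assumes the request can be tied to a UIA session whose completed stages are known, which the real requestToken request body (client_secret, email, send_attempt) does not carry, so this is the policy, not a drop-in patch.

```python
import json

EMAIL_STAGE = "m.login.email.identity"

# Constructed sample: the UIA flows quoted in the report, as a server with
# registration_requires_token enabled advertises them in its 401 response.
REPORTED_FLOWS = json.loads(
    '[{"stages":["m.login.registration_token","m.login.dummy"]},'
    '{"stages":["m.login.registration_token","m.login.email.identity"]}]'
)


def email_stage_reachable(flows, completed):
    """True when the email stage is the only stage still missing in some flow.

    ``completed`` is the set of UIA stage types the requester's session has
    already passed (e.g. m.login.registration_token after presenting a valid
    token). Stage order within a flow is ignored, as UIA checks sets of
    completed stages rather than a sequence.
    """
    completed = set(completed)
    for flow in flows:
        stages = set(flow["stages"])
        if EMAIL_STAGE in stages and stages - {EMAIL_STAGE} <= completed:
            return True
    return False


class RequestTokenGate:
    """Hypothetical gate in front of the mail sender (not Synapse's code)."""

    def __init__(self, flows):
        self.flows = flows
        # (client_secret, email) -> highest send_attempt already honoured
        self._attempts = {}

    def handle(self, body, completed_stages):
        """Decide one requestToken body: 'forbidden', 'already-sent' or 'sent'."""
        if not email_stage_reachable(self.flows, completed_stages):
            # No flow can use this email yet: refuse before touching the mailer.
            return "forbidden"
        key = (body["client_secret"], body["email"])
        if body["send_attempt"] <= self._attempts.get(key, 0):
            # Spec semantics: a repeated or lower send_attempt must not resend.
            return "already-sent"
        self._attempts[key] = body["send_attempt"]
        return "sent"


if __name__ == "__main__":
    gate = RequestTokenGate(REPORTED_FLOWS)
    body = {"client_secret": "monkeys_are_GREAT",
            "email": "alice@example.org", "send_attempt": 1}
    # Anonymous caller, as in the report: nothing sent.
    print(gate.handle(body, []))
    # Same caller after passing the registration token stage: sent once.
    print(gate.handle(body, ["m.login.registration_token"]))
    print(gate.handle(body, ["m.login.registration_token"]))
```

With the flows from the report, an anonymous caller gets "forbidden" and no mail leaves the server; only a session that has already cleared m.login.registration_token reaches "sent", and repeating the same send_attempt afterwards returns "already-sent". A server whose flows include one that consists of the email stage alone would still send on the first call, which matches the report's own condition that the email should go out only when a flow requiring nothing else exists.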
