Parse the ID given to /invite|ban|kick to make sure it looks like a user ID.
parent
4f973eb657
commit
b6ee0585bd
|
@ -412,6 +412,8 @@ class RoomMembershipRestServlet(ClientV1RestServlet):
|
|||
if "user_id" not in content:
|
||||
raise SynapseError(400, "Missing user_id key.")
|
||||
state_key = content["user_id"]
|
||||
# make sure it looks like a user ID; it'll throw if it's invalid.
|
||||
UserID.from_string(state_key);
|
||||
|
||||
if membership_action == "kick":
|
||||
membership_action = "leave"
|
||||
|
|
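Review bot: The added `UserID.from_string(state_key)` call is the only validation, but `content["user_id"]` comes from the request body and may not be a string at all. What `from_string` raises for a list, number or null is not visible here, and anything other than a `SynapseError` would presumably surface as a server error rather than a 400. I would check the type before parsing and fail explicitly with `raise SynapseError(400, "user_id must be a string.")`, and have the comment name the expected exception, e.g. `# Reject malformed user IDs early; from_string is expected to raise SynapseError (confirm).` The trailing semicolon on `UserID.from_string(state_key);` should also be dropped. The enclosing method starts and ends outside the hunk, so whether this path is limited to invite/ban/kick as the title says cannot be confirmed from here.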